function NodeTitleXSSTest::testNodeTitleXSS

Same name and namespace in other branches
  1. 8.9.x core/modules/node/tests/src/Functional/NodeTitleXSSTest.php \Drupal\Tests\node\Functional\NodeTitleXSSTest::testNodeTitleXSS()
  2. 10 core/modules/node/tests/src/Functional/NodeTitleXSSTest.php \Drupal\Tests\node\Functional\NodeTitleXSSTest::testNodeTitleXSS()
  3. 11.x core/modules/node/tests/src/Functional/NodeTitleXSSTest.php \Drupal\Tests\node\Functional\NodeTitleXSSTest::testNodeTitleXSS()

Tests XSS functionality with a node entity.

File

core/modules/node/tests/src/Functional/NodeTitleXSSTest.php, line 22

Class

NodeTitleXSSTest
Tests that dangerous tags in the node title are escaped.

Namespace

Drupal\Tests\node\Functional

Code

public function testNodeTitleXSS() {
    // Prepare a user to do the stuff.
    $web_user = $this->drupalCreateUser([
        'create page content',
        'edit any page content',
    ]);
    $this->drupalLogin($web_user);
    $xss = '<script>alert("xss")</script>';
    $title = $xss . $this->randomMachineName();
    $edit = [];
    $edit['title[0][value]'] = $title;
    $this->drupalGet('node/add/page');
    $this->submitForm($edit, 'Preview');
    // Verify that harmful tags are escaped when previewing a node.
    $this->assertSession()
        ->responseNotContains($xss);
    $settings = [
        'title' => $title,
    ];
    $node = $this->drupalCreateNode($settings);
    $this->drupalGet('node/' . $node->id());
    // Titles should be escaped.
    $this->assertSession()
        ->responseContains('<title>' . Html::escape($title) . ' | Drupal</title>');
    $this->assertSession()
        ->responseNotContains($xss);
    $this->drupalGet('node/' . $node->id() . '/edit');
    $this->assertSession()
        ->responseNotContains($xss);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.