function SearchCommentTest::testSearchResultsComment
Same name in other branches
- 8.9.x core/modules/search/tests/src/Functional/SearchCommentTest.php \Drupal\Tests\search\Functional\SearchCommentTest::testSearchResultsComment()
- 10 core/modules/search/tests/src/Functional/SearchCommentTest.php \Drupal\Tests\search\Functional\SearchCommentTest::testSearchResultsComment()
- 11.x core/modules/search/tests/src/Functional/SearchCommentTest.php \Drupal\Tests\search\Functional\SearchCommentTest::testSearchResultsComment()
Verify that comments are rendered using proper format in search results.
File
-
core/
modules/ search/ tests/ src/ Functional/ SearchCommentTest.php, line 99
Class
- SearchCommentTest
- Tests integration searching comments.
Namespace
Drupal\Tests\search\FunctionalCode
public function testSearchResultsComment() {
$node_storage = $this->container
->get('entity_type.manager')
->getStorage('node');
// Create basic_html format that escapes all HTML.
$basic_html_format = FilterFormat::create([
'format' => 'basic_html',
'name' => 'Basic HTML',
'weight' => 1,
'filters' => [
'filter_html_escape' => [
'status' => 1,
],
],
'roles' => [
RoleInterface::AUTHENTICATED_ID,
],
]);
$basic_html_format->save();
$comment_body = 'Test comment body';
// Make preview optional.
$field = FieldConfig::loadByName('node', 'article', 'comment');
$field->setSetting('preview', DRUPAL_OPTIONAL);
$field->save();
// Allow anonymous users to search content.
$edit = [
RoleInterface::ANONYMOUS_ID . '[search content]' => 1,
RoleInterface::ANONYMOUS_ID . '[access comments]' => 1,
RoleInterface::ANONYMOUS_ID . '[post comments]' => 1,
];
$this->drupalGet('admin/people/permissions');
$this->submitForm($edit, 'Save permissions');
// Create a node.
$node = $this->drupalCreateNode([
'type' => 'article',
]);
// Post a comment using 'Full HTML' text format.
$edit_comment = [];
$edit_comment['subject[0][value]'] = 'Test comment subject';
$edit_comment['comment_body[0][value]'] = '<h1>' . $comment_body . '</h1>';
$full_html_format_id = 'full_html';
$edit_comment['comment_body[0][format]'] = $full_html_format_id;
$this->drupalGet('comment/reply/node/' . $node->id() . '/comment');
$this->submitForm($edit_comment, 'Save');
// Post a comment with an evil script tag in the comment subject and a
// script tag nearby a keyword in the comment body. Use the 'FULL HTML' text
// format so the script tag stored.
$edit_comment2 = [];
$edit_comment2['subject[0][value]'] = "<script>alert('subjectkeyword');</script>";
$edit_comment2['comment_body[0][value]'] = "nearbykeyword<script>alert('somethinggeneric');</script>";
$edit_comment2['comment_body[0][format]'] = $full_html_format_id;
$this->drupalGet('comment/reply/node/' . $node->id() . '/comment');
$this->submitForm($edit_comment2, 'Save');
// Post a comment with a keyword inside an evil script tag in the comment
// body. Use the 'FULL HTML' text format so the script tag is stored.
$edit_comment3 = [];
$edit_comment3['subject[0][value]'] = 'a subject';
$edit_comment3['comment_body[0][value]'] = "<script>alert('insidekeyword');</script>";
$edit_comment3['comment_body[0][format]'] = $full_html_format_id;
$this->drupalGet('comment/reply/node/' . $node->id() . '/comment');
$this->submitForm($edit_comment3, 'Save');
// Invoke search index update.
$this->drupalLogout();
$this->cronRun();
// Search for the comment subject.
$edit = [
'keys' => "'" . $edit_comment['subject[0][value]'] . "'",
];
$this->drupalGet('search/node');
$this->submitForm($edit, 'Search');
$node_storage->resetCache([
$node->id(),
]);
$node2 = $node_storage->load($node->id());
$this->assertSession()
->pageTextContains($node2->label());
$this->assertSession()
->pageTextContains($edit_comment['subject[0][value]']);
// Search for the comment body.
$edit = [
'keys' => "'" . $comment_body . "'",
];
$this->submitForm($edit, 'Search');
$this->assertSession()
->pageTextContains($node2->label());
// Verify that comment is rendered using proper format.
$this->assertSession()
->pageTextContains($comment_body);
// Verify that HTML in comment body is not hidden.
$this->assertSession()
->pageTextNotContains('n/a');
$this->assertSession()
->assertNoEscaped($edit_comment['comment_body[0][value]']);
// Search for the evil script comment subject.
$edit = [
'keys' => 'subjectkeyword',
];
$this->drupalGet('search/node');
$this->submitForm($edit, 'Search');
// Verify the evil comment subject is escaped in search results.
$this->assertSession()
->responseContains('<script>alert('<strong>subjectkeyword</strong>');');
$this->assertSession()
->responseNotContains('<script>');
// Search for the keyword near the evil script tag in the comment body.
$edit = [
'keys' => 'nearbykeyword',
];
$this->drupalGet('search/node');
$this->submitForm($edit, 'Search');
// Verify that nearby script tag in the evil comment body is stripped from
// search results.
$this->assertSession()
->responseContains('<strong>nearbykeyword</strong>');
$this->assertSession()
->responseNotContains('<script>');
// Search for contents inside the evil script tag in the comment body.
$edit = [
'keys' => 'insidekeyword',
];
$this->drupalGet('search/node');
$this->submitForm($edit, 'Search');
// @todo Verify the actual search results.
// https://www.drupal.org/node/2551135
// Verify there is no script tag in search results.
$this->assertSession()
->responseNotContains('<script>');
// Hide comments.
$this->drupalLogin($this->adminUser);
$node->set('comment', CommentItemInterface::HIDDEN);
$node->save();
// Invoke search index update.
$this->drupalLogout();
$this->cronRun();
// Search for $title.
$this->drupalGet('search/node');
$this->submitForm($edit, 'Search');
$this->assertSession()
->pageTextContains('Your search yielded no results.');
}
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.