function MenuLinkSecurityTest::testMenuLink

Same name in other branches
  1. 8.9.x core/modules/system/tests/src/Functional/Menu/MenuLinkSecurityTest.php \Drupal\Tests\system\Functional\Menu\MenuLinkSecurityTest::testMenuLink()
  2. 10 core/modules/system/tests/src/Functional/Menu/MenuLinkSecurityTest.php \Drupal\Tests\system\Functional\Menu\MenuLinkSecurityTest::testMenuLink()
  3. 11.x core/modules/system/tests/src/Functional/Menu/MenuLinkSecurityTest.php \Drupal\Tests\system\Functional\Menu\MenuLinkSecurityTest::testMenuLink()

Ensures that a menu link does not cause an XSS issue.

File

core/modules/system/tests/src/Functional/Menu/MenuLinkSecurityTest.php, line 28

Class

MenuLinkSecurityTest
Ensures that menu links don't cause XSS issues.

Namespace

Drupal\Tests\system\Functional\Menu

Code

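public function testMenuLink() {
    // Create a menu link in the "tools" menu whose title is a script payload.
    $menu_link_content = MenuLinkContent::create([
        'title' => '<script>alert("Wild animals")</script>',
        'menu_name' => 'tools',
        'link' => [
            'uri' => 'route:<front>',
        ],
    ]);
    $menu_link_content->save();
    // Render the "tools" menu in a block and load the front page.
    $this->drupalPlaceBlock('system_menu_block:tools');
    $this->drupalGet('<front>');
    // The raw markup must not appear anywhere in the response. The second
    // payload is not created in this method, but is held to the same checks.
    $this->assertSession()
        ->responseNotContains('<script>alert("Wild animals")</script>');
    $this->assertSession()
        ->responseNotContains('<script>alert("Even more wild animals")</script>');
    // The same strings must be present in HTML-escaped form, which shows the
    // titles were rendered as text rather than dropped from the output.
    $this->assertSession()
        ->assertEscaped('<script>alert("Wild animals")</script>');
    $this->assertSession()
        ->assertEscaped('<script>alert("Even more wild animals")</script>');
}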
