function DisplayPathTest::doPathXssFilterTest

Same name and namespace in other branches
  1. 9 core/modules/views_ui/tests/src/Functional/DisplayPathTest.php \Drupal\Tests\views_ui\Functional\DisplayPathTest::doPathXssFilterTest()
  2. 10 core/modules/views_ui/tests/src/Functional/DisplayPathTest.php \Drupal\Tests\views_ui\Functional\DisplayPathTest::doPathXssFilterTest()
  3. 11.x core/modules/views_ui/tests/src/Functional/DisplayPathTest.php \Drupal\Tests\views_ui\Functional\DisplayPathTest::doPathXssFilterTest()

Tests that View paths are properly filtered for XSS.

1 call to DisplayPathTest::doPathXssFilterTest()
DisplayPathTest::testPathUI in core/modules/views_ui/tests/src/Functional/DisplayPathTest.php
Runs the tests.

File

core/modules/views_ui/tests/src/Functional/DisplayPathTest.php, line 79

Class

DisplayPathTest
Tests the UI of generic display path plugin.

Namespace

Drupal\Tests\views_ui\Functional

Code

public function doPathXssFilterTest() {
    // Open the test view in the Views UI.
    $this->drupalGet('admin/structure/views/view/test_view');
    // Add a page display and set its path to a value containing an <object> tag.
    $this->drupalPostForm(NULL, [], 'Add Page');
    $this->drupalPostForm('admin/structure/views/nojs/display/test_view/page_2/path', [
        'path' => '<object>malformed_path</object>',
    ], t('Apply'));
    // Add another page display whose path contains a <script> tag.
    $this->drupalPostForm(NULL, [], 'Add Page');
    $this->drupalPostForm('admin/structure/views/nojs/display/test_view/page_3/path', [
        'path' => '<script>alert("hello");</script>',
    ], t('Apply'));
    // Add a third page display whose path contains a <script> tag and a "%"
    // placeholder character.
    $this->drupalPostForm(NULL, [], 'Add Page');
    $this->drupalPostForm('admin/structure/views/nojs/display/test_view/page_4/path', [
        'path' => '<script>alert("hello I have placeholders %");</script>',
    ], t('Apply'));
    // Save the view, then load the views listing page, which prints the paths.
    $this->drupalPostForm('admin/structure/views/view/test_view', [], t('Save'));
    $this->drupalGet('admin/structure/views');
    // The anchor text should be escaped.
    $this->assertEscaped('/<object>malformed_path</object>');
    $this->assertEscaped('/<script>alert("hello");</script>');
    $this->assertEscaped('/<script>alert("hello I have placeholders %");</script>');
    // Links should be url-encoded.
    $this->assertRaw('/%3Cobject%3Emalformed_path%3C/object%3E');
    $this->assertRaw('/%3Cscript%3Ealert%28%22hello%22%29%3B%3C/script%3E');
}
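
The two groups of assertions above check two different output contexts: the visible link text must be HTML-escaped, and the link target must be URL-encoded. The following is an added example, not Drupal core code; it uses plain PHP built-ins, and the function names are hypothetical. It renders a link for each of the three path values the test submits and checks that no raw markup survives.

```php
<?php
// Added illustration, not Drupal core code. All function names are hypothetical.

/** Percent-encode a path for use in a URL, keeping "/" as the segment separator. */
function encode_path_for_href(string $path): string {
  return str_replace('%2F', '/', rawurlencode($path));
}

/** Escape a string for use as HTML text or inside a quoted attribute value. */
function escape_for_html(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a link to a path, encoding each value for the context it lands in. */
function render_path_link(string $path): string {
  // href: URL-encode first, then HTML-escape because it sits in an attribute.
  $href = escape_for_html('/' . encode_path_for_href($path));
  // Anchor text: HTML-escape only, so the user still sees the original path.
  $text = escape_for_html('/' . $path);
  return '<a href="' . $href . '">' . $text . '</a>';
}

// The three path values submitted by doPathXssFilterTest().
$paths = [
  '<object>malformed_path</object>',
  '<script>alert("hello");</script>',
  '<script>alert("hello I have placeholders %");</script>',
];

foreach ($paths as $path) {
  $link = render_path_link($path);
  // The only tag in the output must be the <a> element itself.
  if (strpos($link, '<script>') !== FALSE || strpos($link, '<object>') !== FALSE) {
    throw new RuntimeException('Unescaped markup in rendered link: ' . $link);
  }
  echo $link, PHP_EOL;
}
```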
