function DisplayPathTest::doPathXssFilterTest

Same name and namespace in other branches
  1. 8.9.x core/modules/views_ui/tests/src/Functional/DisplayPathTest.php \Drupal\Tests\views_ui\Functional\DisplayPathTest::doPathXssFilterTest()
  2. 10 core/modules/views_ui/tests/src/Functional/DisplayPathTest.php \Drupal\Tests\views_ui\Functional\DisplayPathTest::doPathXssFilterTest()
  3. 11.x core/modules/views_ui/tests/src/Functional/DisplayPathTest.php \Drupal\Tests\views_ui\Functional\DisplayPathTest::doPathXssFilterTest()

Tests that View paths are properly filtered for XSS.

1 call to DisplayPathTest::doPathXssFilterTest()
DisplayPathTest::testPathUI in core/modules/views_ui/tests/src/Functional/DisplayPathTest.php
Runs the tests.

File

core/modules/views_ui/tests/src/Functional/DisplayPathTest.php, line 76

Class

DisplayPathTest
Tests the UI of generic display path plugin.

Namespace

Drupal\Tests\views_ui\Functional

Code

public function doPathXssFilterTest() {
    // Add a page display (page_2) whose path contains an <object> tag.
    $this->drupalGet('admin/structure/views/view/test_view');
    $this->submitForm([], 'Add Page');
    $this->drupalGet('admin/structure/views/nojs/display/test_view/page_2/path');
    $this->submitForm([
        'path' => '<object>malformed_path</object>',
    ], 'Apply');
    // Add a second display (page_3) whose path contains a <script> tag.
    $this->submitForm([], 'Add Page');
    $this->drupalGet('admin/structure/views/nojs/display/test_view/page_3/path');
    $this->submitForm([
        'path' => '<script>alert("hello");</script>',
    ], 'Apply');
    // Add a third display (page_4): a <script> path that also contains "%".
    $this->submitForm([], 'Add Page');
    $this->drupalGet('admin/structure/views/nojs/display/test_view/page_4/path');
    $this->submitForm([
        'path' => '<script>alert("hello I have placeholders %");</script>',
    ], 'Apply');
    // Save the view, then load the Views listing, which renders each path as a link.
    $this->drupalGet('admin/structure/views/view/test_view');
    $this->submitForm([], 'Save');
    $this->drupalGet('admin/structure/views');
    // The anchor text should be escaped.
    $this->assertSession()
        ->assertEscaped('/<object>malformed_path</object>');
    $this->assertSession()
        ->assertEscaped('/<script>alert("hello");</script>');
    $this->assertSession()
        ->assertEscaped('/<script>alert("hello I have placeholders %");</script>');
    // Links should be url-encoded.
    $this->assertSession()
        ->responseContains('/%3Cobject%3Emalformed_path%3C/object%3E');
    $this->assertSession()
        ->responseContains('/%3Cscript%3Ealert%28%22hello%22%29%3B%3C/script%3E');
}
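The two assertion groups above check the same untrusted path in two output contexts: HTML-escaped as the anchor text and percent-encoded inside the link target. The following is an added example, not Drupal core code; `render_view_link()` is a hypothetical helper, and its use of `rawurlencode()` per segment and `htmlspecialchars()` is an assumption chosen to reproduce the strings the test asserts on, not a description of Drupal's own rendering path.

```php
<?php
// Added illustration, not Drupal core code. render_view_link() is a
// hypothetical helper; it only reproduces the output the test asserts on.

function render_view_link(string $path): string {
  // href context: percent-encode each segment, keep "/" as the separator.
  $href = '/' . implode('/', array_map('rawurlencode', explode('/', $path)));
  // Text context: HTML-escape so the markup is displayed, never parsed.
  $text = htmlspecialchars('/' . $path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  return '<a href="' . $href . '">' . $text . '</a>';
}

// Paths submitted by the test, mapped to the encoded link it expects
// (NULL where the test makes no responseContains() assertion).
$cases = [
  '<object>malformed_path</object>' => '/%3Cobject%3Emalformed_path%3C/object%3E',
  '<script>alert("hello");</script>' => '/%3Cscript%3Ealert%28%22hello%22%29%3B%3C/script%3E',
  '<script>alert("hello I have placeholders %");</script>' => NULL,
];

foreach ($cases as $path => $expected_href) {
  $html = render_view_link($path);
  // The only "<" and ">" left must belong to the <a> wrapper itself.
  if (substr_count($html, '<') !== 2 || substr_count($html, '>') !== 2) {
    throw new RuntimeException("Unescaped markup in output for: $path");
  }
  if ($expected_href !== NULL && strpos($html, 'href="' . $expected_href . '"') === FALSE) {
    throw new RuntimeException("Unexpected href encoding for: $path");
  }
  echo $html, PHP_EOL;
}
```

Swapping the two encoders fails the checks: `rawurlencode()` output as anchor text shows percent-escapes to the user, and `htmlspecialchars()` output in the href does not match the `%3C...%3E` form the test expects.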
