function DisplayTest::testDisplayTitleInButtonsXss
Ensures that a display title containing markup cannot inject script (XSS) into the display buttons of the Views UI: the title must be rendered escaped on the view overview and on the display edit page, and the raw payload must never appear in the response.
File
- 
core/modules/views_ui/tests/src/Functional/DisplayTest.php, line 217
Class
- DisplayTest
- Tests the display UI.
Namespace
Drupal\Tests\views_ui\Functional
Code
/**
 * Ensures that no XSS is possible for buttons.
 *
 * Stores an attribute-breaking script payload as the display title of the
 * 'page_1' display and checks, on the view overview and on the display edit
 * page, that the (truncated) title only ever appears in escaped form and the
 * raw payload never appears in the response.
 */
public function testDisplayTitleInButtonsXss() {
  // Payload that closes an HTML attribute and injects a script element. If
  // this string shows up verbatim anywhere in the response, the display title
  // reached the markup without escaping.
  $xss_markup = '"><script>alert(123)</script>';

  $view = $this->randomView();
  $view = View::load($view['id']);

  // Make the Views UI show the default display as well
  // (views.settings: ui.show.default_display).
  \Drupal::configFactory()->getEditable('views.settings')
    ->set('ui.show.default_display', TRUE)
    ->save();

  // NOTE(review): as shown here both entries are the same string, so the
  // second pass repeats the first. Confirm against the source file whether the
  // second entry was meant to be a distinct (e.g. pre-encoded) variant.
  $inputs = [
    $xss_markup,
    '"><script>alert(123)</script>',
  ];

  foreach ($inputs as $display_title) {
    $display =& $view->getDisplay('page_1');
    $display['display_title'] = $display_title;
    $view->save();

    // View overview: the title is truncated for display, so compare against
    // the truncated form. It must be present escaped; the raw payload must not
    // be present at all.
    $this->drupalGet("admin/structure/views/view/{$view->id()}");
    $truncated = views_ui_truncate($display_title, 25);
    $assert = $this->assertSession();
    $assert->assertEscaped($truncated);
    $assert->responseNotContains($xss_markup);

    // Display edit page: each button label is followed by the display title
    // ("View …", "Duplicate …", "Delete …"). Same rule per button: escaped form
    // present, raw form absent.
    $this->drupalGet("admin/structure/views/view/{$view->id()}/edit/page_1");
    $assert = $this->assertSession();
    foreach (['View', 'Duplicate', 'Delete'] as $button_label) {
      $assert->assertEscaped("{$button_label} {$truncated}");
      $assert->responseNotContains("{$button_label} {$xss_markup}");
    }
  }
}
