class AssetXssTest
Same name and namespace in other branches
- 11.x core/tests/Drupal/FunctionalTests/Asset/AssetXssTest.php \Drupal\FunctionalTests\Asset\AssetXssTest
Tests sanitization of error messages emitted by AssetControllerBase.
Attributes
#[Group('asset')]
#[RunTestsInSeparateProcesses]
#[CoversMethod(AssetControllerBase::class, 'deliver')]
Hierarchy
- class \Drupal\Tests\BrowserTestBase uses \Drupal\Tests\DrupalTestCaseTrait, \Drupal\Core\Test\FunctionalTestSetupTrait, \Drupal\Tests\UiHelperTrait, \Drupal\Core\Test\TestSetupTrait, \Drupal\Tests\block\Traits\BlockCreationTrait, \Drupal\Tests\RandomGeneratorTrait, \Drupal\Tests\node\Traits\NodeCreationTrait, \Drupal\Tests\node\Traits\ContentTypeCreationTrait, \Drupal\Tests\ConfigTestTrait, \Drupal\Tests\user\Traits\UserCreationTrait, \Drupal\Tests\XdebugRequestTrait, \Drupal\Tests\ExtensionListTestTrait extends \PHPUnit\Framework\TestCase
- class \Drupal\FunctionalTests\Asset\AssetXssTest extends \Drupal\Tests\BrowserTestBase
File
core/tests/Drupal/FunctionalTests/Asset/AssetXssTest.php, line 18
Namespace
Drupal\FunctionalTests\Asset
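class AssetXssTest extends BrowserTestBase {

  /**
   * {@inheritdoc}
   */
  protected $profile = 'minimal';

  /**
   * {@inheritdoc}
   */
  protected $defaultTheme = 'stark';

  /**
   * The script-injection payload placed into the asset query string.
   *
   * A complete <img> tag with an onerror handler is used so that, if the
   * controller ever echoed the library name back unescaped, the parsed
   * response would contain a real element that the XPath assertion finds.
   */
  private const XSS_PAYLOAD = '<img src=x onerror=alert("xss")>';

  /**
   * Provides the asset URLs exercised by ::testAssetUrl().
   *
   * Each dataset is [path, query]: the path is relative to the public files
   * directory and the query carries the payload in the 'include' parameter.
   *
   * @return array<string, array{path: string, query: array<string, mixed>}>
   *   One dataset for a JS asset and one for a CSS asset.
   */
  public static function providerAssetUrl(): array {
    $query = [
      'language' => 'en',
      'delta' => 1,
      'theme' => 'drupal',
      'include' => self::XSS_PAYLOAD,
    ];
    return [
      'js' => [
        'path' => '/js/js_foo.js',
        'query' => $query,
      ],
      'css' => [
        'path' => '/css/css_foo.css',
        'query' => $query,
      ],
    ];
  }

  /**
   * Tests sanitization of the error message for an invalid asset.
   *
   * The payload is sent first in the 'include' parameter and then moved to
   * the 'exclude' parameter (with a well-formed 'include'), so that both
   * query parameters are checked. Test data comes from ::providerAssetUrl().
   *
   * @param string $path
   *   The asset path, relative to the public files directory.
   * @param array<string, mixed> $query
   *   The query parameters, with the payload in 'include'.
   *
   * @throws \Behat\Mink\Exception\ExpectationException
   */
  public function testAssetUrl(string $path, array $query): void {
    $path = PublicStream::basePath() . $path;

    // Payload in the 'include' parameter.
    $this->assertSanitizedErrorResponse($path, $query);

    // Swap the XSS payload into the 'exclude' parameter and give 'include' a
    // library name that passes the slash check.
    $query['exclude'] = $query['include'];
    $query['include'] = 'foo/bar';
    $this->assertSanitizedErrorResponse($path, $query);
  }

  /**
   * Requests an asset URL and asserts the 400 response is free of the payload.
   *
   * @param string $path
   *   The full asset path to request.
   * @param array<string, mixed> $query
   *   Query parameters containing the injection payload.
   *
   * @throws \Behat\Mink\Exception\ExpectationException
   */
  private function assertSanitizedErrorResponse(string $path, array $query): void {
    $this->drupalGet($path, [
      'query' => $query,
    ]);
    $assert = $this->assertSession();
    $assert->statusCodeEquals(400);
    $assert->responseContains('library name must include at least one slash');
    // The payload must not survive as markup: neither as a parsed element ...
    $assert->elementNotExists('xpath', '//img[contains(@onerror, "alert")]');
    // ... nor verbatim anywhere in the raw body, which also covers contexts
    // (script, attribute) that the element-based XPath check cannot see.
    $assert->responseNotContains(self::XSS_PAYLOAD);
  }

}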