function NodeTitleXSSTestCase::testNodeTitleXSS

Tests XSS functionality with a node entity.

File

modules/node/node.test, line 810

Class

NodeTitleXSSTestCase
Tests XSS functionality with a node entity.

Code

function testNodeTitleXSS() {
  // Prepare a user to do the stuff.
  $web_user = $this->drupalCreateUser(array(
    'create page content',
    'edit any page content',
  ));
  $this->drupalLogin($web_user);
  $xss = '<script>alert("xss")</script>';
  $title = $xss . $this->randomName();
  $edit = array(
    "title" => $title,
  );
  $this->drupalPost('node/add/page', $edit, t('Preview'));
  $this->assertNoRaw($xss, 'Harmful tags are escaped when previewing a node.');
  $settings = array(
    'title' => $title,
  );
  $node = $this->drupalCreateNode($settings);
  $this->drupalGet('node/' . $node->nid);
  // assertTitle() decodes HTML-entities inside the <title> element.
  $this->assertTitle($edit["title"] . ' | Drupal', 'Title is diplayed when viewing a node.');
  $this->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.');
  $this->drupalGet('node/' . $node->nid . '/edit');
  $this->assertNoRaw($xss, 'Harmful tags are escaped when editing a node.');
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.