function PageTitleFiltering::testTitleXSS

Tests that the site title is escaped against XSS.

File

modules/system/system.test, line 1650

Class

PageTitleFiltering

Code

/**
 * Tests that the site name and slogan are output escaped against XSS.
 *
 * The front page must contain the check_plain() form of the site name and
 * the filter_xss_admin() form of the slogan, and must not contain either
 * raw, unescaped string.
 */
function testTitleXSS() {
    // Payloads: a closing </title> followed by a script element, plus the
    // characters check_plain() encodes (& < > " ').
    $raw_title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
    $raw_slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
    // Escaped forms the rendered page is checked against.
    $expected_title = check_plain($raw_title);
    $expected_slogan = filter_xss_admin($raw_slogan);

    // Make sure the theme prints the site name and slogan at all.
    $this->drupalPost('admin/appearance/settings', array(
        'toggle_name' => TRUE,
        'toggle_slogan' => TRUE,
        'toggle_main_menu' => TRUE,
        'toggle_secondary_menu' => TRUE,
    ), t('Save configuration'));

    // Store the payloads as the site name and slogan.
    $this->drupalPost('admin/config/system/site-information', array(
        'site_name' => $raw_title,
        'site_slogan' => $raw_slogan,
    ), t('Save configuration'));

    $this->drupalGet('');

    // Title: raw string absent, escaped string present. The trailing </title>
    // anchors the match to the <title> element rather than the separately
    // escaped copy produced by drupal_set_title().
    $this->assertNoRaw($raw_title, 'Check for the unfiltered version of the title.');
    $this->assertRaw($expected_title . '</title>', 'Check for the filtered version of the title.');

    // Slogan: same pattern, using the admin XSS filter's output.
    $this->assertNoRaw($raw_slogan, 'Check for the unfiltered version of the slogan.');
    $this->assertRaw($expected_slogan, 'Check for the filtered version of the slogan.');
}
