
protected function EditorSecurityTest::setUp in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/editor/tests/src/Functional/EditorSecurityTest.php \Drupal\Tests\editor\Functional\EditorSecurityTest::setUp()

Overrides BrowserTestBase::setUp

File

core/modules/editor/tests/src/Functional/EditorSecurityTest.php, line 79

Class

EditorSecurityTest
Tests XSS protection for content creators when using text editors.

Namespace

Drupal\Tests\editor\Functional

Code

/**
 * Builds the fixture shared by every test in this class.
 *
 * Creates the five text formats (and the text editors attached to three of
 * them), the "article" content type, four users whose only difference is
 * which text formats they may use, and one sample article per text format
 * so the tests can compare what each kind of author gets back.
 */
protected function setUp() : void {
  parent::setUp();

  // One row per text format: machine name, label, weight, the allowed_html
  // setting for filter_html (NULL means "no filters at all"), and whether the
  // "unicorn" test editor is attached. That editor does not guarantee XSS
  // safety, so the combinations below are what the tests need to cover:
  // 1. restricted_without_editor (untrusted: anonymous)
  // 2. restricted_with_editor (normal: authenticated)
  // 3. restricted_plus_dangerous_tag_with_editor (privileged: trusted)
  // 4. unrestricted_without_editor (privileged: admin)
  // 5. unrestricted_with_editor (privileged: admin)
  // "restricted" means filter_html runs on output, "unrestricted" means the
  // format has no output filtering whatsoever.
  $safe_tags = '<h2> <h3> <h4> <h5> <h6> <p> <br> <strong> <a>';
  $format_definitions = [
    ['restricted_without_editor', 'Restricted HTML, without text editor', 0, $safe_tags, FALSE],
    ['restricted_with_editor', 'Restricted HTML, with text editor', 1, $safe_tags, TRUE],
    // <embed> is the deliberately dangerous tag: this format allows it so the
    // tests can check it survives for the trusted author while the other
    // restricted formats still strip it.
    ['restricted_plus_dangerous_tag_with_editor', 'Restricted HTML, dangerous tag allowed, with text editor', 1, $safe_tags . ' <embed>', TRUE],
    ['unrestricted_without_editor', 'Unrestricted HTML, without text editor', 0, NULL, FALSE],
    ['unrestricted_with_editor', 'Unrestricted HTML, with text editor', 1, NULL, TRUE],
  ];
  foreach ($format_definitions as [$format_id, $label, $weight, $allowed_html, $has_editor]) {
    $filters = [];
    if ($allowed_html !== NULL) {
      // filter_html is a filter of the FilterInterface::TYPE_HTML_RESTRICTOR
      // type; it is the only output filter any of these formats gets.
      $filters['filter_html'] = [
        'status' => 1,
        'settings' => [
          'allowed_html' => $allowed_html,
        ],
      ];
    }
    FilterFormat::create([
      'format' => $format_id,
      'name' => $label,
      'weight' => $weight,
      'filters' => $filters,
    ])->save();
    // The editor is saved right after its format, so the save order is the
    // same as creating each pair by hand.
    if ($has_editor) {
      Editor::create([
        'format' => $format_id,
        'editor' => 'unicorn',
      ])->save();
    }
  }

  // The content type all sample nodes use.
  $this->drupalCreateContentType([
    'type' => 'article',
    'name' => 'Article',
  ]);

  // Four users who can all create and edit articles; the only thing that
  // sets them apart is which text formats they are allowed to use:
  // - "untrusted": restricted_without_editor
  // - "normal": restricted_with_editor
  // - "trusted": restricted_plus_dangerous_tag_with_editor
  // - "privileged": every format, restricted and unrestricted alike
  $article_permissions = [
    'create article content',
    'edit any article content',
  ];
  $this->untrustedUser = $this->drupalCreateUser(array_merge($article_permissions, [
    'use text format restricted_without_editor',
  ]));
  $this->normalUser = $this->drupalCreateUser(array_merge($article_permissions, [
    'use text format restricted_with_editor',
  ]));
  $this->trustedUser = $this->drupalCreateUser(array_merge($article_permissions, [
    'use text format restricted_plus_dangerous_tag_with_editor',
  ]));
  $this->privilegedUser = $this->drupalCreateUser(array_merge($article_permissions, [
    'use text format restricted_without_editor',
    'use text format restricted_with_editor',
    'use text format restricted_plus_dangerous_tag_with_editor',
    'use text format unrestricted_without_editor',
    'use text format unrestricted_with_editor',
  ]));

  // One "article" per text format, all carrying the same sample body, each
  // authored by a user who is allowed to use that format.
  $authors_by_format = [
    'restricted_without_editor' => $this->untrustedUser,
    'restricted_with_editor' => $this->normalUser,
    'restricted_plus_dangerous_tag_with_editor' => $this->trustedUser,
    'unrestricted_without_editor' => $this->privilegedUser,
    'unrestricted_with_editor' => $this->privilegedUser,
  ];
  foreach ($authors_by_format as $format_id => $author) {
    $this->drupalCreateNode([
      'type' => 'article',
      'body' => [
        [
          'value' => self::$sampleContent,
          'format' => $format_id,
        ],
      ],
      'uid' => $author->id(),
    ]);
  }
}