
public function EntityReferenceXSSTest::testEntityReferenceXSS in Drupal 10

Same name and namespace in other branches
  1. 8 core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php \Drupal\Tests\field\Functional\EntityReference\EntityReferenceXSSTest::testEntityReferenceXSS()
  2. 9 core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php \Drupal\Tests\field\Functional\EntityReference\EntityReferenceXSSTest::testEntityReferenceXSS()

Tests markup is escaped in the entity reference select and label formatter.

File

core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php, line 34

Class

EntityReferenceXSSTest
Tests possible XSS security issues in entity references.

Namespace

Drupal\Tests\field\Functional\EntityReference

Code

/**
 * Tests markup is escaped in the entity reference select and label formatter.
 *
 * Two bundles are created: one whose referenced node has HTML in its title,
 * and one whose bundle label itself contains HTML. The test then checks that
 * the options_select widget, the entity_reference_label formatter and the
 * options_buttons widget all render that markup escaped rather than raw.
 */
public function testEntityReferenceXSS() {
  // Host bundle that carries the reference field under test.
  $this->drupalCreateContentType(['type' => 'article']);

  // Target bundle whose node title carries markup.
  $bundle_with_markup_title = $this->drupalCreateContentType();
  $target_node = $this->drupalCreateNode([
    'type' => $bundle_with_markup_title->id(),
    'title' => '<em>I am kitten</em>',
  ]);

  // Second target bundle whose *label* carries markup; the widget renders the
  // bundle label, so it must be escaped as well.
  $bundle_with_markup_label = $this->drupalCreateContentType([
    'name' => '<em>bundle with markup</em>',
  ]);
  $this->drupalCreateNode([
    'type' => $bundle_with_markup_label->id(),
    'title' => 'My bundle has markup',
  ]);

  $this->createEntityReferenceField('node', 'article', 'entity_reference_test', 'Entity Reference test', 'node', 'default', [
    'target_bundles' => [
      $bundle_with_markup_title->id(),
      $bundle_with_markup_label->id(),
    ],
  ]);

  // Start with the select widget on the form and the label formatter on view.
  EntityFormDisplay::load('node.article.default')
    ->setComponent('entity_reference_test', ['type' => 'options_select'])
    ->save();
  EntityViewDisplay::load('node.article.default')
    ->setComponent('entity_reference_test', ['type' => 'entity_reference_label'])
    ->save();

  // Shared assertion: the referenced title must appear escaped on the current page.
  $assert_title_escaped = function () use ($target_node) {
    $this->assertSession()->assertEscaped($target_node->getTitle());
  };

  // Add form with options_select: both the option text and the bundle label
  // must be escaped.
  $this->drupalLogin($this->rootUser);
  $this->drupalGet('node/add/article');
  $assert_title_escaped();
  $this->assertSession()->assertEscaped($bundle_with_markup_label->label());

  // Save a node referencing the markup-titled node; the label formatter on the
  // resulting page must escape the title too.
  $this->submitForm([
    'title[0][value]' => $this->randomString(),
    'entity_reference_test' => $target_node->id(),
  ], 'Save');
  $assert_title_escaped();

  // Switch the widget to options_buttons and repeat the check on the add form.
  EntityFormDisplay::load('node.article.default')
    ->setComponent('entity_reference_test', ['type' => 'options_buttons'])
    ->save();
  $this->drupalGet('node/add/article');
  $assert_title_escaped();

  // options_buttons does not support optgroups, so the bundle label is not
  // expected on the page at all.
  $this->assertSession()->pageTextNotContains('bundle with markup');
}