public function NodeTitleXSSTest::testNodeTitleXSS in Drupal 10
Same name and namespace in other branches
- 8 core/modules/node/tests/src/Functional/NodeTitleXSSTest.php \Drupal\Tests\node\Functional\NodeTitleXSSTest::testNodeTitleXSS()
- 9 core/modules/node/tests/src/Functional/NodeTitleXSSTest.php \Drupal\Tests\node\Functional\NodeTitleXSSTest::testNodeTitleXSS()
Tests XSS functionality with a node entity.
File
- core/
modules/ node/ tests/ src/ Functional/ NodeTitleXSSTest.php, line 23
Class
- NodeTitleXSSTest
- Create a node with dangerous tags in its title and test that they are escaped.
Namespace
Drupal\Tests\node\FunctionalCode
public function testNodeTitleXSS() {
// Prepare a user to do the stuff.
$web_user = $this
->drupalCreateUser([
'create page content',
'edit any page content',
]);
$this
->drupalLogin($web_user);
$xss = '<script>alert("xss")</script>';
$title = $xss . $this
->randomMachineName();
$edit = [];
$edit['title[0][value]'] = $title;
$this
->drupalGet('node/add/page');
$this
->submitForm($edit, 'Preview');
// Verify that harmful tags are escaped when previewing a node.
$this
->assertSession()
->responseNotContains($xss);
$settings = [
'title' => $title,
];
$node = $this
->drupalCreateNode($settings);
$this
->drupalGet('node/' . $node
->id());
// Titles should be escaped.
$this
->assertSession()
->responseContains('<title>' . Html::escape($title) . ' | Drupal</title>');
$this
->assertSession()
->responseNotContains($xss);
$this
->drupalGet('node/' . $node
->id() . '/edit');
$this
->assertSession()
->responseNotContains($xss);
}