You are here

public function SearchCommentTest::testSearchResultsComment in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/search/tests/src/Functional/SearchCommentTest.php \Drupal\Tests\search\Functional\SearchCommentTest::testSearchResultsComment()
  2. 10 core/modules/search/tests/src/Functional/SearchCommentTest.php \Drupal\Tests\search\Functional\SearchCommentTest::testSearchResultsComment()

Verify that comments are rendered using proper format in search results.

File

core/modules/search/tests/src/Functional/SearchCommentTest.php, line 96

Class

SearchCommentTest
Tests integration searching comments.

Namespace

Drupal\Tests\search\Functional

Code

public function testSearchResultsComment() {
  $node_storage = $this->container
    ->get('entity_type.manager')
    ->getStorage('node');

  // Create basic_html format that escapes all HTML.
  $basic_html_format = FilterFormat::create([
    'format' => 'basic_html',
    'name' => 'Basic HTML',
    'weight' => 1,
    'filters' => [
      'filter_html_escape' => [
        'status' => 1,
      ],
    ],
    'roles' => [
      RoleInterface::AUTHENTICATED_ID,
    ],
  ]);
  $basic_html_format
    ->save();
  $comment_body = 'Test comment body';

  // Make preview optional.
  $field = FieldConfig::loadByName('node', 'article', 'comment');
  $field
    ->setSetting('preview', DRUPAL_OPTIONAL);
  $field
    ->save();

  // Allow anonymous users to search content.
  $edit = [
    RoleInterface::ANONYMOUS_ID . '[search content]' => 1,
    RoleInterface::ANONYMOUS_ID . '[access comments]' => 1,
    RoleInterface::ANONYMOUS_ID . '[post comments]' => 1,
  ];
  $this
    ->drupalGet('admin/people/permissions');
  $this
    ->submitForm($edit, 'Save permissions');

  // Create a node.
  $node = $this
    ->drupalCreateNode([
    'type' => 'article',
  ]);

  // Post a comment using 'Full HTML' text format.
  $edit_comment = [];
  $edit_comment['subject[0][value]'] = 'Test comment subject';
  $edit_comment['comment_body[0][value]'] = '<h1>' . $comment_body . '</h1>';
  $full_html_format_id = 'full_html';
  $edit_comment['comment_body[0][format]'] = $full_html_format_id;
  $this
    ->drupalGet('comment/reply/node/' . $node
    ->id() . '/comment');
  $this
    ->submitForm($edit_comment, 'Save');

  // Post a comment with an evil script tag in the comment subject and a
  // script tag nearby a keyword in the comment body. Use the 'FULL HTML' text
  // format so the script tag stored.
  $edit_comment2 = [];
  $edit_comment2['subject[0][value]'] = "<script>alert('subjectkeyword');</script>";
  $edit_comment2['comment_body[0][value]'] = "nearbykeyword<script>alert('somethinggeneric');</script>";
  $edit_comment2['comment_body[0][format]'] = $full_html_format_id;
  $this
    ->drupalGet('comment/reply/node/' . $node
    ->id() . '/comment');
  $this
    ->submitForm($edit_comment2, 'Save');

  // Post a comment with a keyword inside an evil script tag in the comment
  // body. Use the 'FULL HTML' text format so the script tag is stored.
  $edit_comment3 = [];
  $edit_comment3['subject[0][value]'] = 'asubject';
  $edit_comment3['comment_body[0][value]'] = "<script>alert('insidekeyword');</script>";
  $edit_comment3['comment_body[0][format]'] = $full_html_format_id;
  $this
    ->drupalGet('comment/reply/node/' . $node
    ->id() . '/comment');
  $this
    ->submitForm($edit_comment3, 'Save');

  // Invoke search index update.
  $this
    ->drupalLogout();
  $this
    ->cronRun();

  // Search for the comment subject.
  $edit = [
    'keys' => "'" . $edit_comment['subject[0][value]'] . "'",
  ];
  $this
    ->drupalGet('search/node');
  $this
    ->submitForm($edit, 'Search');
  $node_storage
    ->resetCache([
    $node
      ->id(),
  ]);
  $node2 = $node_storage
    ->load($node
    ->id());
  $this
    ->assertSession()
    ->pageTextContains($node2
    ->label());
  $this
    ->assertSession()
    ->pageTextContains($edit_comment['subject[0][value]']);

  // Search for the comment body.
  $edit = [
    'keys' => "'" . $comment_body . "'",
  ];
  $this
    ->submitForm($edit, 'Search');
  $this
    ->assertSession()
    ->pageTextContains($node2
    ->label());

  // Verify that comment is rendered using proper format.
  $this
    ->assertSession()
    ->pageTextContains($comment_body);

  // Verify that HTML in comment body is not hidden.
  $this
    ->assertSession()
    ->pageTextNotContains('n/a');
  $this
    ->assertSession()
    ->assertNoEscaped($edit_comment['comment_body[0][value]']);

  // Search for the evil script comment subject.
  $edit = [
    'keys' => 'subjectkeyword',
  ];
  $this
    ->drupalGet('search/node');
  $this
    ->submitForm($edit, 'Search');

  // Verify the evil comment subject is escaped in search results.
  $this
    ->assertSession()
    ->responseContains('&lt;script&gt;alert(&#039;<strong>subjectkeyword</strong>&#039;);');
  $this
    ->assertSession()
    ->responseNotContains('<script>');

  // Search for the keyword near the evil script tag in the comment body.
  $edit = [
    'keys' => 'nearbykeyword',
  ];
  $this
    ->drupalGet('search/node');
  $this
    ->submitForm($edit, 'Search');

  // Verify that nearby script tag in the evil comment body is stripped from
  // search results.
  $this
    ->assertSession()
    ->responseContains('<strong>nearbykeyword</strong>');
  $this
    ->assertSession()
    ->responseNotContains('<script>');

  // Search for contents inside the evil script tag in the comment body.
  $edit = [
    'keys' => 'insidekeyword',
  ];
  $this
    ->drupalGet('search/node');
  $this
    ->submitForm($edit, 'Search');

  // @todo Verify the actual search results.
  //   https://www.drupal.org/node/2551135
  // Verify there is no script tag in search results.
  $this
    ->assertSession()
    ->responseNotContains('<script>');

  // Hide comments.
  $this
    ->drupalLogin($this->adminUser);
  $node
    ->set('comment', CommentItemInterface::HIDDEN);
  $node
    ->save();

  // Invoke search index update.
  $this
    ->drupalLogout();
  $this
    ->cronRun();

  // Search for $title.
  $this
    ->drupalGet('search/node');
  $this
    ->submitForm($edit, 'Search');
  $this
    ->assertSession()
    ->pageTextContains('Your search yielded no results.');
}