public function DateFormatTest::testDateFormatXss in Drupal 9
Same name and namespace in other branches
- 8 core/modules/system/tests/src/FunctionalJavascript/System/DateFormatTest.php \Drupal\Tests\system\FunctionalJavascript\System\DateFormatTest::testDateFormatXss()
Tests XSS via date format configuration.
File
- core/
modules/ system/ tests/ src/ FunctionalJavascript/ System/ DateFormatTest.php, line 41
Class
- DateFormatTest
- Tests that date formats UI with JavaScript enabled.
Namespace
Drupal\Tests\system\FunctionalJavascript\SystemCode
public function testDateFormatXss() {
$page = $this
->getSession()
->getPage();
$assert = $this
->assertSession();
$date_format = DateFormat::create([
'id' => 'xss_short',
'label' => 'XSS format',
'pattern' => '\\<\\s\\c\\r\\i\\p\\t\\>\\a\\l\\e\\r\\t\\(\\"\\X\\S\\S\\")\\;\\<\\/\\s\\c\\r\\i\\p\\t\\>',
]);
$date_format
->save();
$this
->drupalGet('admin/config/regional/date-time');
$assert
->assertEscaped('<script>alert("XSS");</script>', 'The date format was properly escaped');
$this
->drupalGet('admin/config/regional/date-time/formats/manage/xss_short');
$assert
->assertEscaped('<script>alert("XSS");</script>', 'The date format was properly escaped');
// Add a new date format with HTML in it.
$this
->drupalGet('admin/config/regional/date-time/formats/add');
$date_format = '& \\<\\e\\m\\>Y\\<\\/\\e\\m\\>';
$page
->fillField('date_format_pattern', $date_format);
$assert
->waitForText('Displayed as');
$assert
->assertEscaped('<em>' . date("Y") . '</em>');
$page
->fillField('label', 'date_html_pattern');
// Wait for the machine name ID to be completed.
$assert
->waitForLink('Edit');
$page
->pressButton('Add format');
$assert
->pageTextContains('Custom date format added.');
$assert
->assertEscaped('<em>' . date("Y") . '</em>');
}