You are here

public function DateFormatTest::testDateFormatXss in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/system/tests/src/FunctionalJavascript/System/DateFormatTest.php \Drupal\Tests\system\FunctionalJavascript\System\DateFormatTest::testDateFormatXss()

Tests XSS via date format configuration.

File

core/modules/system/tests/src/FunctionalJavascript/System/DateFormatTest.php, line 41

Class

DateFormatTest
Tests that date formats UI with JavaScript enabled.

Namespace

Drupal\Tests\system\FunctionalJavascript\System

Code

public function testDateFormatXss() {
  $page = $this
    ->getSession()
    ->getPage();
  $assert = $this
    ->assertSession();
  $date_format = DateFormat::create([
    'id' => 'xss_short',
    'label' => 'XSS format',
    'pattern' => '\\<\\s\\c\\r\\i\\p\\t\\>\\a\\l\\e\\r\\t\\(\\"\\X\\S\\S\\")\\;\\<\\/\\s\\c\\r\\i\\p\\t\\>',
  ]);
  $date_format
    ->save();
  $this
    ->drupalGet('admin/config/regional/date-time');
  $assert
    ->assertEscaped('<script>alert("XSS");</script>', 'The date format was properly escaped');
  $this
    ->drupalGet('admin/config/regional/date-time/formats/manage/xss_short');
  $assert
    ->assertEscaped('<script>alert("XSS");</script>', 'The date format was properly escaped');

  // Add a new date format with HTML in it.
  $this
    ->drupalGet('admin/config/regional/date-time/formats/add');
  $date_format = '& \\<\\e\\m\\>Y\\<\\/\\e\\m\\>';
  $page
    ->fillField('date_format_pattern', $date_format);
  $assert
    ->waitForText('Displayed as');
  $assert
    ->assertEscaped('<em>' . date("Y") . '</em>');
  $page
    ->fillField('label', 'date_html_pattern');

  // Wait for the machine name ID to be completed.
  $assert
    ->waitForLink('Edit');
  $page
    ->pressButton('Add format');
  $assert
    ->pageTextContains('Custom date format added.');
  $assert
    ->assertEscaped('<em>' . date("Y") . '</em>');
}