public function DisplayPathTest::doPathXssFilterTest in Drupal 9

Same name and namespace in other branches
  1. Drupal 8: core/modules/views_ui/tests/src/Functional/DisplayPathTest.php \Drupal\Tests\views_ui\Functional\DisplayPathTest::doPathXssFilterTest()
  2. Drupal 10: core/modules/views_ui/tests/src/Functional/DisplayPathTest.php \Drupal\Tests\views_ui\Functional\DisplayPathTest::doPathXssFilterTest()

Tests that View paths are properly filtered for XSS.

1 call to DisplayPathTest::doPathXssFilterTest()
DisplayPathTest::testPathUI in core/modules/views_ui/tests/src/Functional/DisplayPathTest.php
Runs the tests.

File

core/modules/views_ui/tests/src/Functional/DisplayPathTest.php, line 73

Class

DisplayPathTest
Tests the UI of the generic display path plugin.

Namespace

Drupal\Tests\views_ui\Functional

Code

/**
 * Tests that View paths are properly filtered for XSS.
 */
public function doPathXssFilterTest() {
  // Add a page display and give it a path containing an <object> tag.
  $this->drupalGet('admin/structure/views/view/test_view');
  $this->submitForm([], 'Add Page');
  $this->drupalGet('admin/structure/views/nojs/display/test_view/page_2/path');
  $this->submitForm(['path' => '<object>malformed_path</object>'], 'Apply');

  // Add a second page display whose path contains a <script> tag.
  $this->submitForm([], 'Add Page');
  $this->drupalGet('admin/structure/views/nojs/display/test_view/page_3/path');
  $this->submitForm(['path' => '<script>alert("hello");</script>'], 'Apply');

  // Add a third page display whose path also contains a '%' placeholder character.
  $this->submitForm([], 'Add Page');
  $this->drupalGet('admin/structure/views/nojs/display/test_view/page_4/path');
  $this->submitForm(['path' => '<script>alert("hello I have placeholders %");</script>'], 'Apply');

  // Save the view and open the Views listing, which links to each display path.
  $this->drupalGet('admin/structure/views/view/test_view');
  $this->submitForm([], 'Save');
  $this->drupalGet('admin/structure/views');

  // The anchor text should be HTML-escaped, so the tags are shown as text rather than parsed.
  $this->assertSession()->assertEscaped('/<object>malformed_path</object>');
  $this->assertSession()->assertEscaped('/<script>alert("hello");</script>');
  $this->assertSession()->assertEscaped('/<script>alert("hello I have placeholders %");</script>');

  // Link hrefs should be URL-encoded.
  $this->assertSession()->responseContains('/%3Cobject%3Emalformed_path%3C/object%3E');
  $this->assertSession()->responseContains('/%3Cscript%3Ealert%28%22hello%22%29%3B%3C/script%3E');
}
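The two assertions at the end of the test check two different encodings of the same untrusted path: HTML escaping for the visible anchor text and percent-encoding for the href. The following is an added illustration, not Drupal core code, that reproduces the exact strings the test expects using plain PHP; Drupal itself produces them through Html::escape() and its URL generator, and the helper names encodePathForHref() and escapePathForText() are assumptions made for this example.

```php
<?php
// Added illustration (not Drupal core code): the two context-specific encodings
// the test above expects, applied to the same constructed path strings it submits.

/**
 * Encode a path for use in an href attribute.
 *
 * Each segment is percent-encoded separately so that '/' survives as the
 * segment separator while '<', '>', '(', ')', '"', ';' and '%' are encoded.
 * Hypothetical helper name, chosen for this example.
 */
function encodePathForHref(string $path): string {
  $segments = explode('/', $path);
  return implode('/', array_map('rawurlencode', $segments));
}

/**
 * Escape a path for use as visible text inside an HTML document.
 *
 * ENT_QUOTES also escapes double quotes, matching what Drupal's Html::escape()
 * does, so '"' becomes '&quot;'. Hypothetical helper name, chosen for this example.
 */
function escapePathForText(string $path): string {
  return htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the same display paths the test submits through the UI.
$paths = [
  '<object>malformed_path</object>',
  '<script>alert("hello");</script>',
  '<script>alert("hello I have placeholders %");</script>',
];

foreach ($paths as $path) {
  $full = '/' . $path;
  $href = encodePathForHref($full);
  $text = escapePathForText($full);

  // Safe rendering: encoded href, escaped text.
  echo '<a href="' . $href . '">' . $text . '</a>' . PHP_EOL;

  // Unsafe variant for comparison (never do this): the raw path lands in the
  // markup and the browser parses the <script> or <object> tag instead of
  // displaying it.
  // echo '<a href="' . $full . '">' . $full . '</a>';
}

// encodePathForHref('/<object>malformed_path</object>')
//   yields '/%3Cobject%3Emalformed_path%3C/object%3E'
// encodePathForHref('/<script>alert("hello");</script>')
//   yields '/%3Cscript%3Ealert%28%22hello%22%29%3B%3C/script%3E'
// both of which are the strings the responseContains() assertions look for.
```

Note that rawurlencode() also turns the '%' in the third path into '%25', which is why a literal '%' in a display path cannot be mistaken for the start of a percent-encoded byte once the link is generated; the test checks only the escaped text form of that path, not its href.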