public function DisplayTest::testDisplayTitleInButtonsXss in Drupal 9
Same name and namespace in other branches
- 8 core/modules/views_ui/tests/src/Functional/DisplayTest.php \Drupal\Tests\views_ui\Functional\DisplayTest::testDisplayTitleInButtonsXss()
Ensures that no XSS is possible through a display title rendered in the display buttons.
File
- core/modules/views_ui/tests/src/Functional/DisplayTest.php, line 217
Class
- DisplayTest
- Tests the display UI.
Namespace
Drupal\Tests\views_ui\Functional
Code
public function testDisplayTitleInButtonsXss() {
  // Attribute-breakout payload: if the display title were ever rendered
  // unescaped inside a button, this would inject a script element.
  $payload = '"><script>alert(123)</script>';

  $view = View::load($this->randomView()['id']);

  // Make the default display visible so its buttons are rendered as well.
  $ui_settings = \Drupal::configFactory()->getEditable('views.settings');
  $ui_settings->set('ui.show.default_display', TRUE)->save();

  // NOTE(review): both entries are the same string, so the second iteration
  // only repeats the first. The second case is presumably meant to be an
  // already-escaped variant of the payload (guarding against double escaping)
  // that the page rendering decoded — confirm against the repository source.
  $titles = [
    $payload,
    '"><script>alert(123)</script>',
  ];

  foreach ($titles as $title) {
    // getDisplay() hands back a reference, so the assignment mutates the
    // view's page_1 display in place before it is saved.
    $display =& $view->getDisplay('page_1');
    $display['display_title'] = $title;
    $view->save();

    // The test expects the UI to show the title shortened to 25 characters,
    // so the positive check is for the HTML-escaped form of that shortened
    // string. Caveat for reviewers: the payload is 29 characters, so if
    // views_ui_truncate() really cuts it to 25 the raw payload cannot appear
    // in the response whether or not escaping works — responseNotContains()
    // is then a weak check and assertEscaped() carries the real weight.
    $truncated = views_ui_truncate($title, 25);

    // Views overview page: title must appear escaped, payload must not appear raw.
    $this->drupalGet("admin/structure/views/view/{$view->id()}");
    $this->assertSession()->assertEscaped($truncated);
    $this->assertSession()->responseNotContains($payload);

    // Display edit page: the title is embedded in the View/Duplicate/Delete
    // button labels; each must be escaped and none may contain the raw payload.
    $this->drupalGet("admin/structure/views/view/{$view->id()}/edit/page_1");
    foreach (['View', 'Duplicate', 'Delete'] as $button_label) {
      $this->assertSession()->assertEscaped("{$button_label} {$truncated}");
      $this->assertSession()->responseNotContains("{$button_label} {$payload}");
    }
  }
}