
public function DisplayTest::testDisplayTitleInButtonsXss in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/views_ui/tests/src/Functional/DisplayTest.php \Drupal\Tests\views_ui\Functional\DisplayTest::testDisplayTitleInButtonsXss()

Ensures that no XSS is possible for buttons.

File

core/modules/views_ui/tests/src/Functional/DisplayTest.php, line 217

Class

DisplayTest
Tests the display UI.

Namespace

Drupal\Tests\views_ui\Functional

Code

/**
 * Ensures that no XSS is possible for buttons.
 *
 * Writes a script payload into the 'display_title' of the 'page_1' display,
 * once raw and once with the leading quote entity-encoded, then loads the
 * view page and the display edit page. On each page the truncated title must
 * appear escaped and the raw payload must be absent from the response.
 */
public function testDisplayTitleInButtonsXss() {
  $xss_markup = '"><script>alert(123)</script>';
  // The second variant only differs by an encoded quote; the raw payload is
  // checked for both inputs so that a decode-then-render round trip, which
  // would turn the encoded form back into $xss_markup, would also be caught.
  $payloads = [
    $xss_markup,
    '&quot;><script>alert(123)</script>',
  ];
  // Button labels that carry the display title on the display edit page.
  $button_prefixes = ['View', 'Duplicate', 'Delete'];

  $view = View::load($this->randomView()['id']);
  \Drupal::configFactory()
    ->getEditable('views.settings')
    ->set('ui.show.default_display', TRUE)
    ->save();

  foreach ($payloads as $payload) {
    // Reference assignment: the title change must land in the view entity
    // itself before it is saved.
    $display =& $view->getDisplay('page_1');
    $display['display_title'] = $payload;
    $view->save();

    $this->drupalGet("admin/structure/views/view/{$view->id()}");
    $escaped = views_ui_truncate($payload, 25);
    $page_assert = $this->assertSession();
    $page_assert->assertEscaped($escaped);
    $page_assert->responseNotContains($xss_markup);

    $this->drupalGet("admin/structure/views/view/{$view->id()}/edit/page_1");
    $edit_assert = $this->assertSession();
    foreach ($button_prefixes as $prefix) {
      $edit_assert->assertEscaped("{$prefix} {$escaped}");
      $edit_assert->responseNotContains("{$prefix} {$xss_markup}");
    }
  }
}