
class XssTest in Drupal 10


Tests the Views UI for XSS vulnerabilities.

@group views_ui


File

core/modules/views_ui/tests/src/Functional/XssTest.php, line 10

Namespace

Drupal\Tests\views_ui\Functional
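class XssTest extends UITestBase {

  /**
   * Modules to enable.
   *
   * @var string[]
   */
  protected static $modules = [
    'node',
    'user',
    'views_ui',
    'views_ui_test',
  ];

  /**
   * {@inheritdoc}
   */
  protected $defaultTheme = 'stark';

  /**
   * Tests that hostile strings stored in a view's configuration are escaped.
   *
   * The sa_contrib_2013_035 view (presumably provided by the views_ui_test
   * module enabled above; the id matches a Drupal security advisory) carries a
   * field admin label and token labels that contain raw HTML. Both the view
   * edit page and the header area handler form must render those labels as
   * escaped text, never as live markup.
   */
  public function testViewsUi(): void {
    $this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');

    // Verify that the field admin label is properly escaped.
    $this->assertSession()->assertEscaped('<marquee>test</marquee>');

    $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');

    // Verify that the token labels are properly escaped.
    $this->assertSession()->assertEscaped('{{ title }} == <marquee>test</marquee>');
    $this->assertSession()->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>');
  }

  /**
   * Checks the admin UI for double escaping.
   *
   * assertNoEscaped('&lt;') fails if the HTML-escaped form of '&lt;' (that is,
   * '&amp;lt;') appears in the response, which is what an already-escaped
   * label looks like after being escaped a second time. The same pages as in
   * testViewsUi() are visited, plus the views listing page.
   */
  public function testNoDoubleEscaping(): void {
    $paths = [
      'admin/structure/views',
      'admin/structure/views/view/sa_contrib_2013_035',
      'admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area',
    ];
    foreach ($paths as $path) {
      $this->drupalGet($path);
      $this->assertSession()->assertNoEscaped('&lt;');
    }
  }

}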
