public function FormActionXssTest::testFormActionXss in Drupal 10
Same name and namespace in other branches
- 8 core/tests/Drupal/KernelTests/Core/Form/FormActionXssTest.php \Drupal\KernelTests\Core\Form\FormActionXssTest::testFormActionXss()
- 9 core/tests/Drupal/KernelTests/Core/Form/FormActionXssTest.php \Drupal\KernelTests\Core\Form\FormActionXssTest::testFormActionXss()
Tests form action attribute for XSS.
File
- core/
tests/ Drupal/ KernelTests/ Core/ Form/ FormActionXssTest.php, line 72
Class
- FormActionXssTest
- Ensures that a form's action attribute can't be exploited with XSS.
Namespace
Drupal\KernelTests\Core\FormCode
public function testFormActionXss() {
// Create a new request with a uri which attempts XSS.
$request_stack = \Drupal::service('request_stack');
/** @var \Symfony\Component\HttpFoundation\RequestStack $original_request */
$original_request = $request_stack
->pop();
// Just request some more so there is no request left.
$request_stack
->pop();
$request_stack
->pop();
$request = Request::create($original_request
->getSchemeAndHttpHost() . '/test/"injected=\'attribute\'close="');
$request_stack
->push($request);
$form = \Drupal::formBuilder()
->getForm($this);
$markup = \Drupal::service('renderer')
->renderRoot($form);
$this
->setRawContent($markup);
$elements = $this
->xpath('//form');
$action = isset($elements[0]['action']) ? (string) $elements[0]['action'] : FALSE;
$injected = isset($elements[0]['injected']) ? (string) $elements[0]['injected'] : FALSE;
$this
->assertSame('/test/"injected=\'attribute\'close="', $action);
$this
->assertRaw('action="/test/"injected='attribute'close=""');
$this
->assertNotSame('attribute', $injected);
}