public function FormActionXssTest::testFormActionXss in Drupal 9

Same name and namespace in other branches
  1. 8 core/tests/Drupal/KernelTests/Core/Form/FormActionXssTest.php \Drupal\KernelTests\Core\Form\FormActionXssTest::testFormActionXss()

Tests form action attribute for XSS.

File

core/tests/Drupal/KernelTests/Core/Form/FormActionXssTest.php, line 72

Class

FormActionXssTest
Ensures that a form's action attribute can't be exploited with XSS.

Namespace

Drupal\KernelTests\Core\Form

Code

public function testFormActionXss() {
  // Create a new request with a URI which attempts XSS through the form action.
  $request_stack = \Drupal::service('request_stack');
  /** @var \Symfony\Component\HttpFoundation\Request $original_request */
  $original_request = $request_stack->pop();
  // Pop a couple more times so there is no request left on the stack.
  $request_stack->pop();
  $request_stack->pop();
  // The path contains quotes that, if rendered unescaped, would close the
  // action attribute and add a new "injected" attribute to the <form> tag.
  $request = Request::create($original_request->getSchemeAndHttpHost() . '/test/"injected=\'attribute\'close="');
  $request_stack->push($request);
  $form = \Drupal::formBuilder()->getForm($this);
  $markup = \Drupal::service('renderer')->renderRoot($form);
  $this->setRawContent($markup);
  $elements = $this->xpath('//form');
  $action = isset($elements[0]['action']) ? (string) $elements[0]['action'] : FALSE;
  $injected = isset($elements[0]['injected']) ? (string) $elements[0]['injected'] : FALSE;
  // The parsed action attribute holds the full path unchanged...
  $this->assertSame('/test/"injected=\'attribute\'close="', $action);
  // ...because the raw markup escapes the quotes as HTML entities...
  $this->assertRaw('action="/test/&quot;injected=&#039;attribute&#039;close=&quot;"');
  // ...so no "injected" attribute ever appears on the <form> element.
  $this->assertNotSame('attribute', $injected);
}
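An added example (not part of this page or of Drupal core) that shows why the test asserts on both the entity-escaped raw markup and the absence of an "injected" attribute: it renders the same request path once without escaping and once with ENT_QUOTES escaping, then parses the result the way the test's xpath('//form') does. The helper function names are assumed.

```php
<?php
// Constructed input: the same path the test above builds into the request.
$path = '/test/"injected=\'attribute\'close="';

// Unsafe rendering: the path is concatenated into the attribute verbatim, so the
// double quote inside the path terminates the action value and the remainder
// is parsed as additional attributes on the <form> element.
function renderFormUnsafe(string $action): string {
  return '<form action="' . $action . '" method="post"></form>';
}

// Safe rendering: escape with ENT_QUOTES so both " and ' become entities
// (&quot; and &#039;), mirroring the escaped markup the test's assertRaw expects.
function renderFormSafe(string $action): string {
  $escaped = htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  return '<form action="' . $escaped . '" method="post"></form>';
}

// Parse the markup and return the attributes a browser would see on <form>,
// the same view the test gets from $this->xpath('//form').
function formAttributes(string $markup): array {
  $dom = new DOMDocument();
  libxml_use_internal_errors(TRUE);
  $dom->loadHTML($markup);
  libxml_clear_errors();
  $form = $dom->getElementsByTagName('form')->item(0);
  $attrs = [];
  foreach ($form->attributes as $attr) {
    $attrs[$attr->name] = $attr->value;
  }
  return $attrs;
}

$unsafe = formAttributes(renderFormUnsafe($path));
$safe = formAttributes(renderFormSafe($path));

// Unsafe case: the action is cut short at the first quote and an "injected"
// attribute shows up, which is exactly what assertNotSame('attribute', ...) guards against.
var_dump(isset($unsafe['injected']), $unsafe['action']);

// Safe case: the raw markup carries the entity-escaped action, the parsed
// action equals the full original path, and no "injected" attribute exists.
$expectedRaw = 'action="/test/&quot;injected=&#039;attribute&#039;close=&quot;"';
var_dump(strpos(renderFormSafe($path), $expectedRaw) !== FALSE);
var_dump($safe['action'] === $path, isset($safe['injected']));
```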