You are here

function NodeTitleXSSTestCase::testNodeTitleXSS in Drupal 7

Tests XSS functionality with a node entity.

File

modules/node/node.test, line 795
Tests for node.module.

Class

NodeTitleXSSTestCase
Tests XSS functionality with a node entity.

Code

function testNodeTitleXSS() {

  // Prepare a user to do the stuff.
  $web_user = $this
    ->drupalCreateUser(array(
    'create page content',
    'edit any page content',
  ));
  $this
    ->drupalLogin($web_user);
  $xss = '<script>alert("xss")</script>';
  $title = $xss . $this
    ->randomName();
  $edit = array(
    "title" => $title,
  );
  $this
    ->drupalPost('node/add/page', $edit, t('Preview'));
  $this
    ->assertNoRaw($xss, 'Harmful tags are escaped when previewing a node.');
  $settings = array(
    'title' => $title,
  );
  $node = $this
    ->drupalCreateNode($settings);
  $this
    ->drupalGet('node/' . $node->nid);

  // assertTitle() decodes HTML-entities inside the <title> element.
  $this
    ->assertTitle($edit["title"] . ' | Drupal', 'Title is diplayed when viewing a node.');
  $this
    ->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.');
  $this
    ->drupalGet('node/' . $node->nid . '/edit');
  $this
    ->assertNoRaw($xss, 'Harmful tags are escaped when editing a node.');
}