function PageTitleFiltering::testTitleXSS in Drupal 7
Test if the title of the site is XSS proof.
File
- modules/
system/ system.test, line 1584 - Tests for system.module.
Class
Code
function testTitleXSS() {
// Set some title with JavaScript and HTML chars to escape.
$title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
$title_filtered = check_plain($title);
$slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
$slogan_filtered = filter_xss_admin($slogan);
// Activate needed appearance settings.
$edit = array(
'toggle_name' => TRUE,
'toggle_slogan' => TRUE,
'toggle_main_menu' => TRUE,
'toggle_secondary_menu' => TRUE,
);
$this
->drupalPost('admin/appearance/settings', $edit, t('Save configuration'));
// Set title and slogan.
$edit = array(
'site_name' => $title,
'site_slogan' => $slogan,
);
$this
->drupalPost('admin/config/system/site-information', $edit, t('Save configuration'));
// Load frontpage.
$this
->drupalGet('');
// Test the title.
$this
->assertNoRaw($title, 'Check for the unfiltered version of the title.');
// Adding </title> so we do not test the escaped version from drupal_set_title().
$this
->assertRaw($title_filtered . '</title>', 'Check for the filtered version of the title.');
// Test the slogan.
$this
->assertNoRaw($slogan, 'Check for the unfiltered version of the slogan.');
$this
->assertRaw($slogan_filtered, 'Check for the filtered version of the slogan.');
}