
public function FieldTemplateTest::testDsFieldTemplateXss in Display Suite 8.2

Tests XSS on field templates.

File

src/Tests/FieldTemplateTest.php, line 466

Class

FieldTemplateTest
Tests for display of nodes and fields.

Namespace

Drupal\ds\Tests

Code

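/**
 * Tests XSS on field templates.
 *
 * Saves script markup into every expert field-template setting (prefix,
 * suffix, wrapper element/class/attributes) and checks that none of it is
 * rendered raw on the node page, while a plain wrapper div in the prefix is
 * kept (filtered, not escaped).
 */
public function testDsFieldTemplateXss() {

  // Get a node.
  $node = $this
    ->entitiesTestSetup('hidden');
  $edit = [
    'fields[body][settings_edit_form][third_party_settings][ds][ft][id]' => 'expert',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi]' => '1',
  ];
  $this
    ->dsEditFormatterSettings($edit);

  // Inject XSS everywhere and see if it breaks. The attribute settings
  // (*-at) use a single-quoted alert so that both quoting variants are
  // exercised; both are asserted below.
  $double_quoted_script = '<script>alert("XSS")</script>';
  $single_quoted_script = "<script>alert('XSS')</script>";
  $edit = [
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][prefix]' => '<div class="not-stripped"><script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][suffix]' => '</div><script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow]' => '1',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow-el]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow-cl]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow-at]' => "name=\"<script>alert('XSS')</script>\"",
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis]' => '1',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis-el]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis-cl]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis-at]' => "name=\"<script>alert('XSS')</script>\"",
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi]' => '1',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi-el]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi-cl]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi-at]' => "name=\"<script>alert('XSS')</script>\"",
  ];
  $this
    ->dsEditFormatterSettings($edit);
  drupal_flush_all_caches();
  $this
    ->drupalGet('node/' . $node
    ->id());
  $this
    ->assertNoRaw($double_quoted_script, 'Harmful tags are escaped when viewing a ds field template.');
  // The original assertion only covered the double-quoted payload, so an
  // unescaped attribute value (which carries the single-quoted variant)
  // would have gone unnoticed.
  $this
    ->assertNoRaw($single_quoted_script, 'Harmful tags in wrapper attributes are escaped when viewing a ds field template.');

  // Verify the prefix/suffix is filtered but not escaped.
  $xpath = $this
    ->xpath('//div[@class="not-stripped"]');
  $this
    ->assertEqual(count($xpath), 1, 'Stripped but not escaped');
}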