public function FieldTemplateTest::testDsFieldTemplateXss in Display Suite 8.2
Tests that script payloads injected into Display Suite field template settings (prefix, suffix, wrapper element/class/attribute settings) are escaped or filtered out when the node is rendered, while legitimate prefix/suffix markup survives.
File
- src/Tests/FieldTemplateTest.php, line 466
Class
- FieldTemplateTest
- Tests for display of nodes and fields.
Namespace
Drupal\ds\Tests
Code
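/**
 * Tests XSS on field templates.
 *
 * Switches the body field to the "expert" field template, injects a script
 * payload into every free-text template setting (prefix, suffix, and the
 * element/class/attribute settings of the outer wrapper, the field items
 * wrapper and the field item), renders the node and then asserts that:
 * - neither payload variant reaches the raw page output: the double-quoted
 *   one used in the prefix/suffix/element/class settings, nor the
 *   single-quoted one used in the attribute settings (an attribute value is
 *   already wrapped in double quotes, so the attribute payload deliberately
 *   uses single quotes and must be checked separately);
 * - the prefix/suffix markup is filtered rather than escaped wholesale, i.e.
 *   the harmless <div class="not-stripped"> wrapper still renders exactly
 *   once.
 */
public function testDsFieldTemplateXss() {
  // Get a node.
  $node = $this->entitiesTestSetup('hidden');

  // All settings live under the body field's DS field template subtree.
  $ft = 'fields[body][settings_edit_form][third_party_settings][ds][ft]';

  // Switch to the expert field template and enable the field item wrapper
  // so its element/class/attribute settings are exposed on the next save.
  $edit = [
    $ft . '[id]' => 'expert',
    $ft . '[settings][fi]' => '1',
  ];
  $this->dsEditFormatterSettings($edit);

  // Inject XSS everywhere and see if it breaks.
  $script_double = '<script>alert("XSS")</script>';
  $script_single = "<script>alert('XSS')</script>";
  $edit = [
    $ft . '[settings][prefix]' => '<div class="not-stripped">' . $script_double,
    $ft . '[settings][suffix]' => '</div>' . $script_double,
    $ft . '[settings][ow]' => '1',
    $ft . '[settings][ow-el]' => $script_double,
    $ft . '[settings][ow-cl]' => $script_double,
    $ft . '[settings][ow-at]' => 'name="' . $script_single . '"',
    $ft . '[settings][fis]' => '1',
    $ft . '[settings][fis-el]' => $script_double,
    $ft . '[settings][fis-cl]' => $script_double,
    $ft . '[settings][fis-at]' => 'name="' . $script_single . '"',
    $ft . '[settings][fi]' => '1',
    $ft . '[settings][fi-el]' => $script_double,
    $ft . '[settings][fi-cl]' => $script_double,
    $ft . '[settings][fi-at]' => 'name="' . $script_single . '"',
  ];
  $this->dsEditFormatterSettings($edit);
  drupal_flush_all_caches();

  $this->drupalGet('node/' . $node->id());

  // Both payload variants must be absent from the raw HTML; an escaped form
  // (&lt;script&gt;) is fine, a verbatim tag is not. The single-quoted check
  // is what actually covers the *-at attribute settings.
  $this->assertNoRaw($script_double, 'Harmful tags are escaped when viewing a ds field template.');
  $this->assertNoRaw($script_single, 'Harmful tags in attribute settings are escaped when viewing a ds field template.');

  // Verify the prefix/suffix is filtered but not escaped.
  $xpath = $this->xpath('//div[@class="not-stripped"]');
  $this->assertEqual(count($xpath), 1, 'Stripped but not escaped');
}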