public function FieldTemplateTest::_testDsFieldTemplateXss in Display Suite 8.3
Tests XSS on field templates.
File
- tests/src/Functional/FieldTemplateTest.php, line 473
Class
- FieldTemplateTest
- Tests for display of nodes and fields.
Namespace
Drupal\Tests\ds\Functional
Code
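/**
 * Tests XSS on field templates.
 *
 * Helper (leading underscore, Drupal test convention) that switches the body
 * field to the "expert" field template, stores script payloads in every
 * configurable slot of that template (prefix, suffix, wrapper elements,
 * classes and attributes), and then asserts on the rendered node that:
 *   - no payload reaches the page verbatim, and
 *   - the prefix/suffix markup is filtered rather than HTML-escaped, i.e. the
 *     harmless <div class="not-stripped"> wrapper still renders as an element.
 *
 * Two payload spellings are used on purpose: the double-quoted one goes into
 * markup slots, the single-quoted one into attribute values (where a literal
 * double quote would already close the attribute). Both must be checked,
 * otherwise an unescaped attribute slot would go unnoticed.
 */
public function _testDsFieldTemplateXss() {
  // Get a node.
  /** @var \Drupal\node\NodeInterface $node */
  $node = $this->entitiesTestSetup('hidden');

  // Select the expert template and enable the field-item wrapper so that all
  // of the wrapper-related settings below are actually rendered.
  $edit = [
    'fields[body][settings_edit_form][third_party_settings][ds][ft][id]' => 'expert',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi]' => '1',
  ];
  $this->dsEditFormatterSettings($edit);

  // Payloads as they must NOT appear in the rendered output. Kept in variables
  // so the assertions below check exactly the strings that were injected.
  $markup_payload = '<script>alert("XSS")</script>';
  $attribute_payload = "<script>alert('XSS')</script>";

  // Inject XSS everywhere and see if it breaks.
  $edit = [
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][prefix]' => '<div class="not-stripped"><script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][suffix]' => '</div><script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow]' => '1',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow-el]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow-cl]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow-at]' => "name=\"<script>alert('XSS')</script>\"",
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis]' => '1',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis-el]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis-cl]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis-at]' => "name=\"<script>alert('XSS')</script>\"",
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi]' => '1',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi-el]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi-cl]' => '<script>alert("XSS")</script>',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi-at]' => "name=\"<script>alert('XSS')</script>\"",
  ];
  $this->dsEditFormatterSettings($edit);

  // Render caches would otherwise serve the node as built before the
  // formatter settings changed.
  drupal_flush_all_caches();
  $this->drupalGet('node/' . $node->id());

  // Neither the markup-slot payload nor the attribute-slot payload may survive
  // verbatim; the original check only covered the double-quoted variant and
  // would have missed an unescaped attribute.
  $session = $this->assertSession();
  $session->responseNotContains($markup_payload);
  $session->responseNotContains($attribute_payload);

  // Verify the prefix/suffix is filtered but not escaped: the wrapper div from
  // the prefix must still be a real element in the DOM.
  $elements = $this->xpath('//div[@class="not-stripped"]');
  // assertCount takes the expected value first; the original assertEquals
  // call had the arguments reversed, which only garbles the failure message
  // but is wrong by PHPUnit's contract.
  $this->assertCount(1, $elements, 'Stripped but not escaped');
}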