
public function FieldTemplateTest::testDsFieldTemplateXss in Display Suite 8.4

Tests XSS on field templates.

File

tests/src/Functional/FieldTemplateTest.php, line 472

Class

FieldTemplateTest
Tests for display of nodes and fields.

Namespace

Drupal\Tests\ds\Functional

Code

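/**
 * Tests XSS on field templates.
 *
 * Switches the body field to the "expert" field template, stores script
 * payloads in every free-text template setting (prefix, suffix and the
 * outer / field-items / field-item wrapper element, class and attributes)
 * and then renders the node. Two things are checked on the response:
 * - no script payload reaches the page verbatim, in either quoting style
 *   (the attribute settings use single quotes, the others double quotes);
 * - the prefix markup is filtered rather than escaped, so the wrapping
 *   div with class "not-stripped" is still rendered exactly once.
 */
public function testDsFieldTemplateXss() {
  // Constructed payloads; a regression would show up as one of these
  // strings appearing unchanged in the rendered node.
  $double_quoted_payload = '<script>alert("XSS")</script>';
  $single_quoted_payload = "<script>alert('XSS')</script>";
  $attribute_payload = 'name="' . $single_quoted_payload . '"';

  // Get a node.
  /** @var \Drupal\node\NodeInterface $node */
  $node = $this->entitiesTestSetup('hidden');

  // Enable the expert template with the field item wrapper, so the template
  // settings used below are exposed on the formatter settings form.
  $edit = [
    'fields[body][settings_edit_form][third_party_settings][ds][ft][id]' => 'expert',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi]' => '1',
  ];
  $this->dsEditFormatterSettings($edit);

  // Inject XSS everywhere and see if it breaks.
  $edit = [
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][prefix]' => '<div class="not-stripped">' . $double_quoted_payload,
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][suffix]' => '</div>' . $double_quoted_payload,
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow]' => '1',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow-el]' => $double_quoted_payload,
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow-cl]' => $double_quoted_payload,
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][ow-at]' => $attribute_payload,
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis]' => '1',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis-el]' => $double_quoted_payload,
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis-cl]' => $double_quoted_payload,
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fis-at]' => $attribute_payload,
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi]' => '1',
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi-el]' => $double_quoted_payload,
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi-cl]' => $double_quoted_payload,
    'fields[body][settings_edit_form][third_party_settings][ds][ft][settings][fi-at]' => $attribute_payload,
  ];
  $this->dsEditFormatterSettings($edit);

  // Render caches would otherwise serve the node as it looked before the
  // template settings were changed.
  drupal_flush_all_caches();
  $this->drupalGet('node/' . $node->id());

  // Both quoting styles are stored above, so both must be absent from the
  // output; checking only the double-quoted form would leave the attribute
  // settings (ow-at, fis-at, fi-at) unverified.
  $session = $this->assertSession();
  $session->responseNotContains($double_quoted_payload);
  $session->responseNotContains($single_quoted_payload);

  // Verify the prefix/suffix is filtered but not escaped.
  $elements = $this->xpath('//div[@class="not-stripped"]');
  $this->assertCount(1, $elements, 'Stripped but not escaped');
}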