
public function ClassifiedBasicTest::testSecurity146738 in Classified Ads 6.3

Security issue: XSS on term name on Classified config screen.

File

tests/classified_basic.test, line 774
Basic test for known bugs in previous versions.

Class

ClassifiedBasicTest

Code

/**
 * Regression test for bug 146738: a term name containing markup must be
 * escaped on the Classified configuration screen (admin/settings/classified).
 *
 * The test stores a term whose name carries a <script> element, then loads
 * the admin page and checks that only the check_plain()-escaped form of the
 * name appears in the response, never the raw markup.
 */
public function testSecurity146738() {
  $this->group = 'XSS';

  // Vocabulary id used by the Classified module.
  $classifiedVid = _classified_get('vid');

  // A term name that would run as script if it were rendered unescaped.
  $xssName = 'term<script type="text/javascript">alert(\'XSS\');</script>name';
  $termData = array(
    'name' => $xssName,
    'description' => $this->randomString(20),
    'vid' => $classifiedVid,
  );
  // The 'tid' key is read back from the array after the save.
  $saveResult = taxonomy_save_term($termData);
  $savedTid = $termData['tid'];
  $this->assertEqual($saveResult, SAVED_NEW, t('Term @tid created in default vocabulary.', array('@tid' => $savedTid)), 'setup');

  // Log in as an administrator and load the configuration screen.
  $this->createUsers(array('admin'));
  $this->drupalLogin($this->adminUser);
  $this->drupalGet('admin/settings/classified');
  $this->assertResponse(200, t('Admin sees Classified administration.'));

  // The unescaped markup must be absent; its escaped form must be present.
  $this->assertNoRaw($xssName);
  $this->assertRaw(check_plain($xssName));
}