public function ClassifiedBasicTest::testSecurity146738 in Classified Ads 6.3
Security issue: XSS on term name on Classified config screen.
File
- tests/
classified_basic.test, line 774 - Basic test for known bugs in previous versions.
Class
Code
public function testSecurity146738() {
$this->group = 'XSS';
// 1. Get the Classified vocabulary id and field name.
$vid = _classified_get('vid');
// 2. Create a term in it with a XSS attempt,
$name = <<<XSS
term<script type="text/javascript">alert('XSS');</script>name
XSS;
$term = array(
'name' => $name,
'description' => $this
->randomString(20),
'vid' => $vid,
);
$status = taxonomy_save_term($term);
$tid = $term['tid'];
$this
->assertEqual($status, SAVED_NEW, t('Term @tid created in default vocabulary.', array(
'@tid' => $tid,
)), 'setup');
// 3. Create an administrator using the Classified admin panel.
$this
->createUsers(array(
'admin',
));
$this
->drupalLogin($this->adminUser);
$this
->drupalGet('admin/settings/classified');
$this
->assertResponse(200, t('Admin sees Classified administration.'));
$this
->assertNoRaw($name);
$this
->assertRaw(check_plain($name));
}