
public function ClassifiedTestTestBasicTest::testSecurity146738 in Classified Ads 7.3

Security issue: XSS on term name on Classified config screen.

File

tests/classified_test_basic.test, line 678

Class

ClassifiedTestTestBasicTest
Basic test for known bugs in previous versions.

Code

/**
 * Regression test for issue 146738: XSS through a term name on the Classified
 * configuration screen.
 *
 * Saves a taxonomy term whose name carries a script tag into the Classified
 * vocabulary, then loads the admin configuration page as an administrator and
 * checks that the page contains the check_plain()-escaped name and never the
 * raw markup.
 */
public function testSecurity146738() {
  $this->group = 'XSS';

  // The vocabulary Classified stores its terms in.
  $vocabulary_id = _classified_get('vid');

  // A term name carrying injected markup; it must never reach the page raw.
  $payload = 'term<script type="text/javascript">alert(\'XSS\');</script>name';
  $term = new stdClass();
  $term->name = $payload;
  $term->description = $this->randomString(20);
  $term->vid = $vocabulary_id;
  $save_status = taxonomy_term_save($term);
  $this->assertEqual($save_status, SAVED_NEW, t('Term @tid created in default vocabulary.', array(
    '@tid' => $term->tid,
  )), 'setup');

  // An administrator created through the Classified test helper, then logged in.
  $this->createUsers(array('admin'));
  $this->drupalLogin($this->adminUser);

  // The config screen must render, showing the escaped name rather than the
  // raw script tag.
  $this->drupalGet('admin/config/content/classified');
  $this->assertResponse(200, t('Admin sees Classified administration.'));
  $this->assertNoRaw($payload);
  $this->assertRaw(check_plain($payload));
}