public function FppWithPanelsTest::checkAdminUiPaneTitleXss in Fieldable Panels Panes (FPP) 7

Test that an XSS attack in a pane title won't work in the Panels UI.

Parameters

object $fpp: A full FPP entity object.

2 calls to FppWithPanelsTest::checkAdminUiPaneTitleXss()
FppWithPanelsTest::testAdminTitleXss in tests/fpp.with_panels.test
Make sure admin titles with XSS code can't break the site.
FppWithPanelsTest::testTitleXss in tests/fpp.with_panels.test
Make sure titles with XSS code can't break the site.

File

tests/fpp.with_panels.test, line 139
Tests for the Fieldable Panels Panes module with Panels.

Class

FppWithPanelsTest
Tests for the Fieldable Panels Panes module with Panels.

Code

public function checkAdminUiPaneTitleXss($fpp) {
  // Load the test Panels page.
  ctools_include('page', 'page_manager', 'plugins/tasks');
  $page = page_manager_page_load('fpp_with_panels_test');
  $this->verbose(print_r($page, TRUE));

  // Load the handlers for this page.
  $handlers = page_manager_load_task_handlers(page_manager_get_task('page'), $page->name);
  foreach ($page->default_handlers as $name => $handler) {
    $display = $handler->conf['display'];
    $this->verbose(print_r($display, TRUE));

    // Generate a pane for the FPP.
    $pane = panels_new_pane('fieldable_panels_pane', 'fpid:' . $fpp->fpid);
    $pane->panel = 'middle';

    // Add the pane to the display.
    $display->panels[$pane->panel][] = $pane->pid;
    $display->content[$pane->pid] = $pane;

    // Save the display.
    panels_save_display($display);
    $this->verbose(print_r($display, TRUE));
  }

  // Save the page.
  page_manager_page_save($page);

  // Reload the display.
  $page = page_manager_page_load('fpp_with_panels_test');
  $this->verbose(print_r($page, TRUE));

  // Load the Panels page's edit page.
  $this->drupalGet('admin/structure/pages/nojs/operation/page-fpp_with_panels_test/handlers/fpp_with_panels_test__default/content');
  $this->assertResponse(200);

  // Confirm that the XSS string is still present but that the threat has been
  // removed: the title text is displayed, the raw <script> markup is not.
  $this->assertText("alert('XSS!');", 'The XSS test title string was found.');
  $this->assertNoRaw("<script>alert('XSS!');</script>", 'The XSS test title was properly defanged.');
}
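The pair of assertions at the end of the method is the whole point of the test: the title must still be visible (assertText) while the literal script markup must be gone (assertNoRaw). The stand-alone PHP below is an added example that models that check; it is not the FPP module's code nor Drupal's SimpleTest, the helper names are hypothetical, and htmlspecialchars() stands in for Drupal 7's check_plain().

```php
<?php
// Added example: a stand-alone model of what checkAdminUiPaneTitleXss() asserts.
// Not the FPP module's code and not Drupal's SimpleTest; helper names are
// hypothetical, and htmlspecialchars() is used as a stand-in for check_plain().

// Constructed sample title, the same payload the test looks for.
const XSS_TITLE = "<script>alert('XSS!');</script>";

// Render a pane title into admin UI markup. $escape toggles the behaviour
// under test: TRUE models a correctly escaping UI, FALSE a vulnerable one.
function render_admin_pane_title(string $title, bool $escape = TRUE): string {
  $safe = $escape ? htmlspecialchars($title, ENT_QUOTES, 'UTF-8') : $title;
  return '<div class="pane-title">' . $safe . '</div>';
}

// Model of assertNoRaw(): the literal markup must not appear in the page source.
function raw_markup_present(string $html, string $raw): bool {
  return strpos($html, $raw) !== FALSE;
}

// Model of assertText(): the text must survive once tags are stripped and
// entities decoded, i.e. the title is shown to the admin, just not executed.
function text_present(string $html, string $text): bool {
  $plain = html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8');
  return strpos($plain, $text) !== FALSE;
}

// TRUE when the title is displayed but defanged, which is what the test asserts.
function title_is_defanged(string $html): bool {
  return text_present($html, "alert('XSS!');")
    && !raw_markup_present($html, XSS_TITLE);
}

// Escaped rendering passes the check; the unescaped rendering fails it.
var_dump(title_is_defanged(render_admin_pane_title(XSS_TITLE)));
var_dump(title_is_defanged(render_admin_pane_title(XSS_TITLE, FALSE)));
```

Note that the unescaped case still passes the text check on its own (strip_tags() removes the script element but leaves its body), which is why the test needs assertNoRaw() as well as assertText().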