public function FppWithPanelsTest::checkAdminUiPaneTitleXss in Fieldable Panels Panes (FPP) 7
Test that an XSS attack in a pane title won't work in the Panels UI.
Parameters
object $fpp: A full FPP entity object.
2 calls to FppWithPanelsTest::checkAdminUiPaneTitleXss()
- FppWithPanelsTest::testAdminTitleXss in tests/
fpp.with_panels.test - Make sure admin titles with XSS code can't break the site.
- FppWithPanelsTest::testTitleXss in tests/
fpp.with_panels.test - Make sure titles with XSS code can't break the site.
File
- tests/
fpp.with_panels.test, line 139 - Tests for the Fieldable Panels Panes module with Panels.
Class
- FppWithPanelsTest
- Tests for the Fieldable Panels Panes module with Panels.
Code
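/**
 * Checks that an FPP title carrying an XSS payload is neutralised in the
 * Panels admin UI.
 *
 * Adds a pane for the given FPP to every default handler of the exported
 * 'fpp_with_panels_test' page, saves the page, then loads the Panels content
 * editing screen and verifies that the payload text is still displayed as
 * plain text while the raw <script> markup does not reach the response.
 *
 * @param object $fpp
 *   A full FPP entity object whose title contains the XSS payload; only
 *   $fpp->fpid is read here.
 */
public function checkAdminUiPaneTitleXss($fpp) {
  // Load the test Panels page (exported in code by the test module).
  ctools_include('page', 'page_manager', 'plugins/tasks');
  $page = page_manager_page_load('fpp_with_panels_test');
  $this->verbose(print_r($page, TRUE));

  // Attach a pane for the FPP to the display of each default handler.
  foreach ($page->default_handlers as $handler) {
    $display = $handler->conf['display'];
    $this->verbose(print_r($display, TRUE));

    // Generate a pane for the FPP and place it in the 'middle' region.
    $pane = panels_new_pane('fieldable_panels_pane', 'fpid:' . $fpp->fpid);
    $pane->panel = 'middle';
    $display->panels[$pane->panel][] = $pane->pid;
    $display->content[$pane->pid] = $pane;

    // Persist the display. $display is an object handle, so the handler's
    // conf entry is updated in place as well.
    panels_save_display($display);
    $this->verbose(print_r($display, TRUE));
  }

  // Save the page and reload it so the rendered UI reflects the saved state.
  page_manager_page_save($page);
  $page = page_manager_page_load('fpp_with_panels_test');
  $this->verbose(print_r($page, TRUE));

  // Load the Panels content editing screen for the default handler.
  $this->drupalGet('admin/structure/pages/nojs/operation/page-fpp_with_panels_test/handlers/fpp_with_panels_test__default/content');
  $this->assertResponse(200);

  // Confirm that the XSS string is still present as text but that the raw
  // <script> markup has been removed from the response.
  // NOTE(review): assertNoRaw() only rules out this one exact literal; a
  // payload that is escaped differently or lands in an attribute context would
  // not be caught here — confirm the callers' titles match this literal.
  $this->assertText("alert('XSS!');", 'The XSS test title string was found.');
  $this->assertNoRaw("<script>alert('XSS!');</script>", 'The XSS test title was properly defanged.');
}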