
public function FppWithPanelsTest::testAdminTitleLinkWithAmpersands in Fieldable Panels Panes (FPP) 7

Make sure admin titles with XSS code can't break the site.

File

tests/fpp.with_panels.test, line 47
Tests for the Fieldable Panels Panes module with Panels.

Class

FppWithPanelsTest
Tests for the Fieldable Panels Panes module with Panels.

Code

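/**
 * Make sure admin titles with XSS code can't break the site.
 *
 * Creates a reusable FPP whose admin title contains characters that must be
 * HTML-encoded ('"' and '&'), places it on the test Panels page and checks
 * that the rendered page carries the encoded form exactly once: neither the
 * raw title nor a double-encoded variant may appear.
 */
public function testAdminTitleLinkWithAmpersands() {
  // Create an FPP with an XSS payload in the admin title.
  $fpp = new StdClass();
  $fpp->bundle = $this->bundle;
  $fpp->title = 'This is a "test" & it should work';
  $fpp->reusable = 1;
  $fpp->link = 1;
  $fpp->path = 'fpp-with-panels-test';
  $fpp = fieldable_panels_panes_save($fpp);

  // Expected encoded form of the title: a bare '&' becomes '&amp;'. Computed
  // once so the positive and negative assertions below cannot drift apart
  // (replacing '&' with itself would make assertRaw() and assertNoRaw()
  // contradict each other).
  $encoded_title = str_replace('&', '&amp;', $fpp->title);
  // Encoding the already-encoded form again yields '&amp;amp;'; the page must
  // not contain that either.
  $double_encoded_title = str_replace('&', '&amp;', $encoded_title);

  // Load the test Panels page.
  ctools_include('page', 'page_manager', 'plugins/tasks');
  $page = page_manager_page_load('fpp_with_panels_test');
  $this->verbose(print_r($page, TRUE));

  // Load the handlers for this page.
  // NOTE(review): $handlers is not read below; the loop walks
  // $page->default_handlers instead. The call is kept in case it is relied on
  // for side effects — confirm and drop if not.
  $handlers = page_manager_load_task_handlers(page_manager_get_task('page'), $page->name);
  foreach ($page->default_handlers as $name => $handler) {
    $display = $handler->conf['display'];
    $this->verbose(print_r($display, TRUE));

    // Generate a pane for the FPP.
    $pane = panels_new_pane('fieldable_panels_pane', 'fpid:' . $fpp->fpid);
    $pane->panel = 'middle';

    // Add the pane to the display.
    $display->panels[$pane->panel][] = $pane->pid;
    $display->content[$pane->pid] = $pane;

    // Save the display.
    panels_save_display($display);
    $this->verbose(print_r($display, TRUE));
  }

  // Save the page.
  page_manager_page_save($page);

  // Reload the display.
  $page = page_manager_page_load('fpp_with_panels_test');
  $this->verbose(print_r($page, TRUE));

  // Load the test Panels page.
  $this->drupalGet('fpp-with-panels-test');
  $this->assertResponse(200);

  // Confirm that the string is on the page in HTML-encoded form.
  $this->assertRaw($encoded_title);

  // Confirm that the text does not exist on the page as-is, i.e. it has been
  // HTML-encoded, and that it has not been encoded twice.
  $this->assertNoRaw($fpp->title);
  $this->assertNoRaw($double_encoded_title);

  // Confirm the link exists (assertLink() matches the decoded link text).
  $this->assertLink($fpp->title);
}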