public function MaillogTestCase::testBodyXss in Maillog / Mail Developer 7

Confirm that it is not possible to create XSS attacks via an email body.

File

tests/MaillogTestCase.test, line 177
Unit-ish tests for the Maillog module.

Class

MaillogTestCase
All unit tests for the module.

Code

public function testBodyXss() {
  $xss_string = '<script type="text/javascript">alert("XSS test")</script>';

  // Send an email.
  $this->sendTestEmail('maillog_body_xss_test');

  // Compare the maillog db entry with the sent mail.
  $logged_email = $this->getLatestMaillogEntry();
  $this->assertTrue(!empty($logged_email), 'The test email was captured.');

  // Login as an admin.
  $this->loginAdminUser();

  // Load the maillog view page.
  $this->drupalGet('admin/reports/maillog/view/' . $logged_email['id']);
  $this->assertResponse(200);

  // The displayed body has its tags stripped and the remainder passed through
  // check_plain(), which escapes HTML rather than letting it execute. The
  // <script> tag itself must therefore not appear on the page, but the code
  // that was inside it is still displayed, as escaped text.
  $this->assertText(check_plain(strip_tags($xss_string)));
  $this->assertRaw(check_plain(strip_tags($xss_string)));

  // Neither the escaped nor the raw form of the full script tag may be present.
  // $this->assertRaw(check_plain('alert("XSS test")'));
  $this->assertNoRaw(check_plain($xss_string));
  $this->assertNoRaw($xss_string);
}
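As an added example that is not part of the Maillog module or of this test, the same three checks carried out outside Drupal against a hypothetical body renderer; `check_plain_equivalent()` stands in for Drupal 7's check_plain(), which is htmlspecialchars() with ENT_QUOTES and UTF-8, and both `render_logged_body*()` helpers are assumptions, not Maillog code:

```php
<?php
// Added example, not the Maillog module's own code. Reproduces what
// testBodyXss() asserts about a rendered maillog body, and contrasts a
// renderer that inserts the body verbatim with one that strips and escapes it.

/** Equivalent of Drupal 7's check_plain(): escape, never strip. */
function check_plain_equivalent(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** Hypothetical safe renderer: tags stripped, remainder escaped (what the test expects). */
function render_logged_body(string $body): string {
  return '<pre>' . check_plain_equivalent(strip_tags($body)) . '</pre>';
}

/** Hypothetical unsafe renderer: body inserted verbatim (what the test guards against). */
function render_logged_body_unsafe(string $body): string {
  return '<pre>' . $body . '</pre>';
}

/**
 * Mirror of the test's assertions on a page fragment: the escaped text inside
 * the tag must be present; the escaped full tag and the raw tag must not be.
 */
function body_rendering_is_safe(string $page, string $xss_string): bool {
  $stripped_escaped = check_plain_equivalent(strip_tags($xss_string));
  return strpos($page, $stripped_escaped) !== false
    && strpos($page, check_plain_equivalent($xss_string)) === false
    && strpos($page, $xss_string) === false;
}

// Constructed sample input: the same payload string the test uses.
$xss_string = '<script type="text/javascript">alert("XSS test")</script>';

$results = [
  'safe renderer'   => body_rendering_is_safe(render_logged_body($xss_string), $xss_string),
  'unsafe renderer' => body_rendering_is_safe(render_logged_body_unsafe($xss_string), $xss_string),
];
foreach ($results as $name => $ok) {
  printf("%-16s %s\n", $name . ':', $ok ? 'passes the XSS checks' : 'FAILS the XSS checks');
}
```

The unsafe renderer fails on the first check as well as the last: strip_tags() changes the quotes' escaped form, so the text the test looks for only exists once the body has actually gone through check_plain().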