public function MaillogTestCase::testSubjectXss in Maillog / Mail Developer 7

Confirm that it is not possible to create XSS attacks via an email subject.

File

tests/MaillogTestCase.test, line 139
Unit-ish tests for the Maillog module.

Class

MaillogTestCase
All unit tests for the module.

Code

public function testSubjectXss() {
  $xss_string = '<script type="text/javascript">alert("XSS test")</script>';

  // Send an email whose subject carries the script tag.
  $this->sendTestEmail('maillog_subject_xss_test');

  // Compare the maillog db entry with the sent mail.
  $logged_email = $this->getLatestMaillogEntry();
  $this->assertTrue(!empty($logged_email), 'The test email was captured.');

  // Login as an admin.
  $this->loginAdminUser();

  // Load the admin list page.
  $this->drupalGet('admin/reports/maillog');
  $this->assertResponse(200);

  // Confirm that the page has been defanged: the subject text is shown,
  // the escaped form is present, and the raw markup is absent.
  $this->assertText('XSS test');
  $this->assertRaw(check_plain($xss_string));
  $this->assertNoRaw($xss_string);

  // Load the maillog view page.
  $this->drupalGet('admin/reports/maillog/view/' . $logged_email['id']);
  $this->assertResponse(200);

  // Confirm that the page has been defanged.
  $this->assertText('XSS test');
  $this->assertRaw(check_plain($xss_string));
  $this->assertNoRaw($xss_string);

  // Check the title.
  $this->assertTitle($xss_string . ' | ' . variable_get('site_name', 'Drupal'));
}
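The escaping the test above looks for, shown as an added stand-alone example rather than the Maillog module's own code: an unescaped and an escaped rendering of a logged subject, plus a check that mirrors the assertRaw()/assertNoRaw() pair. The sample entry, and the function names escape_plain(), render_subject_cell_unsafe(), render_subject_cell() and is_defanged(), are constructed for this example; escape_plain() inlines what check_plain() does in Drupal 7 so the snippet runs without Drupal.

```php
<?php
// Added example, not part of the Maillog module.

// Constructed sample: a logged mail whose subject carries markup.
$logged_email = array(
  'id' => 42,
  'subject' => '<script type="text/javascript">alert("XSS test")</script>',
);

// Same escaping as Drupal 7's check_plain(): htmlspecialchars with
// ENT_QUOTES and UTF-8, so both quote styles and angle brackets are encoded.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable rendering: the stored subject is dropped into the table cell
// as-is, so the browser would execute it on the admin list page.
function render_subject_cell_unsafe(array $entry) {
  return '<td>' . $entry['subject'] . '</td>';
}

// Hardened rendering: the subject is escaped at output time.
function render_subject_cell(array $entry) {
  return '<td>' . escape_plain($entry['subject']) . '</td>';
}

// Mirrors the test's checks: the raw markup must be absent from the page
// and its escaped form must be present.
function is_defanged($html, $raw_subject) {
  return strpos($html, $raw_subject) === FALSE
    && strpos($html, escape_plain($raw_subject)) !== FALSE;
}

$raw = $logged_email['subject'];
var_dump(is_defanged(render_subject_cell_unsafe($logged_email), $raw));
var_dump(is_defanged(render_subject_cell($logged_email), $raw));
```

The first call fails and the second passes; the same pattern applies to the view page and the title, which the test checks separately because each is rendered by a different code path.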