public function MetatagXssTest::testXssEntityOverride in Metatag 8

Verifies that an XSS payload injected into the entity's meta tag override field is not rendered as markup in the resulting page.

File

tests/src/Functional/MetatagXssTest.php, line 156

Class

MetatagXssTest
Ensures that meta tags do not allow XSS vulnerabilities.

Namespace

Drupal\Tests\metatag\Functional

Code

public function testXssEntityOverride() {
  // Drupal 8.4 replaced the "Save and publish" button with "Save"; pick the
  // label the running core version uses.
  $save_label = floatval(\Drupal::VERSION) <= 8.3 ? $this->t('Save and publish') : $this->t('Save');

  $this->drupalGet('node/add/metatag_node');
  $session = $this->assertSession();
  $session->statusCodeEquals(200);

  // Submit the node form with the XSS probe strings (properties defined
  // elsewhere on this test class) in the per-entity meta tag override fields.
  $edit = [
    'title[0][value]' => $this->randomString(32),
    'field_metatag_field[0][basic][title]' => $this->xssTitleString,
    'field_metatag_field[0][basic][abstract]' => $this->xssString,
    'field_metatag_field[0][advanced][image_src]' => $this->xssImageString,
  ];
  $this->drupalPostForm(NULL, $edit, $save_label);

  // Check for the title tag, which will have the HTML tags removed and then
  // be lightly HTML encoded.
  $session->assertEscaped(strip_tags($this->xssTitleString));
  $session->responseNotContains($this->xssTitleString);

  // Check for the basic meta tag: the escaped form is present, the raw
  // payload is not.
  $session->responseContains($this->escapedXssTag);
  $session->responseNotContains($this->xssString);

  // Check for the image meta tag, with the same two-sided assertion.
  $session->responseContains($this->escapedXssImageTag);
  $session->responseNotContains($this->xssImageString);
}
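The three assertion pairs above encode one output-encoding contract: the title is tag-stripped and then HTML-encoded, while meta tag and image_src values are attribute-encoded so the payload survives as visible text but cannot execute. The following stand-alone PHP script is an added illustration of that contract; it is not the Metatag module's code, and it uses plain strip_tags() and htmlspecialchars() as stand-ins for Drupal's own sanitization. The function names and the probe strings are constructed for this example and play the role of the $xssTitleString, $xssString and $xssImageString properties the test reads from its class.

```php
<?php
// Added example, not part of the Metatag module. Sketches the encoding
// contract that testXssEntityOverride() asserts, using core PHP functions
// in place of Drupal's sanitization layer.

declare(strict_types=1);

/**
 * Attribute/text encoding shared by every renderer below.
 */
function encode(string $value): string {
  return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Render the <title> tag the way the test expects: HTML tags are removed
 * first, then the remainder is HTML-encoded.
 */
function render_title_tag(string $raw): string {
  return '<title>' . encode(strip_tags($raw)) . '</title>';
}

/**
 * Render a basic meta tag. The value is encoded, never stripped, so an
 * injected payload stays visible as text but is inert as markup.
 */
function render_meta_tag(string $name, string $raw): string {
  return sprintf('<meta name="%s" content="%s" />', encode($name), encode($raw));
}

/**
 * Render the image_src link tag; the URL goes through the same attribute
 * encoding, so a quote-breakout attempt is neutralised.
 */
function render_image_src_tag(string $raw): string {
  return sprintf('<link rel="image_src" href="%s" />', encode($raw));
}

/**
 * Mirror of the test's responseNotContains() checks: true when none of the
 * raw probe strings, nor a bare <script> tag, appears in the rendered page.
 */
function payload_is_inert(string $page, array $probes): bool {
  if (strpos($page, '<script') !== false) {
    return false;
  }
  foreach ($probes as $probe) {
    if (strpos($page, $probe) !== false) {
      return false;
    }
  }
  return true;
}

// Constructed probe values standing in for the test class properties.
$xssTitle = 'Safe title <script>alert("title")</script>';
$xssString = '<script>alert("abstract")</script>';
$xssImage = '"><script>alert("image")</script>';

$page = implode("\n", [
  render_title_tag($xssTitle),
  render_meta_tag('abstract', $xssString),
  render_image_src_tag($xssImage),
]);

// Same shape as the test: the encoded form is present, the raw form is not.
$checks = [
  'title stripped then encoded' => strpos($page, '<title>Safe title alert(&quot;title&quot;)</title>') !== false,
  'meta value encoded'          => strpos($page, 'content="&lt;script&gt;') !== false,
  'image_src encoded'           => strpos($page, 'href="&quot;&gt;&lt;script&gt;') !== false,
  'no raw payload in page'      => payload_is_inert($page, [$xssTitle, $xssString, $xssImage]),
];

foreach ($checks as $label => $ok) {
  printf("%-28s %s\n", $label, $ok ? 'ok' : 'FAIL');
}
echo $page, PHP_EOL;
```

Run it with `php example.php`; every check should print `ok`. The useful habit the test models is the paired assertion: checking only that the escaped string is present would still pass if the raw payload were also emitted somewhere else on the page, so responseNotContains() on the raw probe is what actually proves the output is safe.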