public function MetatagXssTest::testXssEntityTitle in Metatag 8

Verify that XSS injected in entity titles is not rendered.

File

tests/src/Functional/MetatagXssTest.php, line 187

Class

MetatagXssTest
Ensures that meta tags do not allow XSS vulnerabilities.

Namespace

Drupal\Tests\metatag\Functional

Code

public function testXssEntityTitle() {
  // Core versions up to 8.3 get the 'Save and publish' button label;
  // later versions get 'Save'.
  $save_label = floatval(\Drupal::VERSION) <= 8.3 ? $this->t('Save and publish') : $this->t('Save');
  $this->drupalGet('node/add/metatag_node');
  $session = $this->assertSession();
  $session->statusCodeEquals(200);

  // Submit the node form with the XSS test string as the title.
  $edit = [
    'title[0][value]' => $this->xssTitleString,
    'body[0][value]' => $this->randomString() . ' ' . $this->randomString(),
  ];
  $this->drupalPostForm(NULL, $edit, $save_label);

  // Check for the title tag, which will have the HTML tags removed and then
  // be lightly HTML encoded.
  $session->assertEscaped(strip_tags($this->xssTitleString));
  // The raw, unescaped title string must not appear anywhere in the response.
  $session->responseNotContains($this->xssTitleString);
}
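
A standalone sketch of what the two closing assertions establish, added here as an example and not part of Metatag or Drupal. It assumes `assertEscaped()` looks for the `Html::escape()` form of its argument; the payload, the HTML responses, the `og:title` tag and all function names are constructed for illustration.

```php
<?php
// Added illustration, not Metatag or Drupal code. All names are hypothetical.

// Same flags Drupal's Html::escape() passes to htmlspecialchars().
function escape_html(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for assertEscaped(): the escaped form must be in the response.
function contains_escaped(string $response, string $raw): bool {
  return strpos($response, escape_html($raw)) !== FALSE;
}

// Stand-in for responseNotContains(): the raw form must be absent.
function lacks_raw(string $response, string $raw): bool {
  return strpos($response, $raw) === FALSE;
}

// Runs both checks the way the test does: the escaped check on the
// tag-stripped title, the absence check on the untouched payload.
function check_title(string $response, string $payload): array {
  return [
    'escaped_title_present' => contains_escaped($response, strip_tags($payload)),
    'raw_payload_absent' => lacks_raw($response, $payload),
  ];
}

// Constructed sample standing in for $this->xssTitleString.
$payload = '<script>alert("xss");</script>';
$stripped = strip_tags($payload);
$safe = escape_html($stripped);

// Constructed responses: one correct, two with a single defect each.
$pages = [
  'sanitized' => "<head><title>$safe | Site</title></head>",
  'stripped only' => "<head><title>$stripped | Site</title></head>",
  'raw in meta tag' => "<head><title>$safe | Site</title>"
    . "<meta property=\"og:title\" content=\"$payload\" /></head>",
];

foreach ($pages as $name => $html) {
  $result = check_title($html, $payload);
  printf("%-16s escaped_title_present=%s raw_payload_absent=%s\n", $name,
    var_export($result['escaped_title_present'], TRUE),
    var_export($result['raw_payload_absent'], TRUE));
}
```

Each defective response fails exactly one check, which is why the test needs both assertions: a clean `<title>` does not prove the raw string is absent from other tags on the page.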