public function MetatagXssTest::testXssMetatagConfig in Metatag 8

Verify XSS injected in global config is not rendered.

File

tests/src/Functional/MetatagXssTest.php, line 121

Class

MetatagXssTest
Ensures that meta tags do not allow XSS vulnerabilities.

Namespace

Drupal\Tests\metatag\Functional

Code

public function testXssMetatagConfig() {
  // Open the global Metatag defaults form as the logged-in admin user.
  $this
    ->drupalGet('admin/config/search/metatag/global');
  $session = $this
    ->assertSession();
  $session
    ->statusCodeEquals(200);
  // Store the XSS payloads in three different tag types: the page title,
  // a basic meta tag and an image tag.
  $values = [
    'title' => $this->xssTitleString,
    'abstract' => $this->xssString,
    'image_src' => $this->xssImageString,
  ];
  $this
    ->drupalPostForm(NULL, $values, 'Save');
  $session
    ->pageTextContains('Saved the Global Metatag defaults.');
  // Rebuild caches so the new defaults are used on the next request.
  $this
    ->rebuildAll();

  // Load the Views-based front page.
  $this
    ->drupalGet('node');
  $session
    ->statusCodeEquals(200);
  $session
    ->pageTextContains('No front page content has been created yet.');

  // Check for the title tag, which will have the HTML tags removed and then
  // be lightly HTML encoded.
  $session
    ->assertEscaped(strip_tags($this->xssTitleString));
  $session
    ->responseNotContains($this->xssTitleString);

  // Check for the basic meta tag.
  $session
    ->responseContains($this->escapedXssTag);
  $session
    ->responseNotContains($this->xssString);

  // Check for the image meta tag.
  $session
    ->responseContains($this->escapedXssImageTag);
  $session
    ->responseNotContains($this->xssImageString);
}
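To make concrete what the three pairs of assertions above check, here is an added stand-alone PHP 8 example (not code from the Metatag module or its test suite) that applies the two sanitization steps the comments describe, strip_tags() followed by HTML encoding for the title and attribute escaping for the meta and image tags, and then runs the same contains/not-contains checks against the rendered markup. The payload strings are constructed for illustration, since the test's $xssTitleString, $xssString and $xssImageString are not shown on this page; the esc() encoding and the <link rel="image_src"> element shape are assumptions, not taken from the module.

```php
<?php
// Added example, not Metatag module code: reproduces the checks made by
// testXssMetatagConfig() outside Drupal's test framework.

// Constructed payloads standing in for the test's $xssTitleString,
// $xssString and $xssImageString, which this page does not show.
$xssTitleString = 'Home <script>alert("title")</script> page';
$xssString      = '<script>alert("abstract")</script>';
$xssImageString = 'http://example.com/x.png" onload="alert(1)';

// Encoding assumed to match what the test's assertEscaped() expects.
function esc(string $s): string {
  return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// <title>: HTML tags removed first, then the remaining text lightly encoded.
function renderTitle(string $value): string {
  return '<title>' . esc(strip_tags($value)) . '</title>';
}

// Basic meta tag: the value is escaped only, so the payload stays visible
// in the source but is inert inside the attribute.
function renderMeta(string $name, string $value): string {
  return sprintf('<meta name="%s" content="%s" />', $name, esc($value));
}

// image_src: assumed here to render as a <link> element with the same escaping.
function renderImageSrc(string $url): string {
  return sprintf('<link rel="image_src" href="%s" />', esc($url));
}

// Unsafe variant kept for contrast: raw value written straight into the page.
function renderTitleUnsafe(string $value): string {
  return '<title>' . $value . '</title>';
}

function check(bool $ok, string $what): void {
  if (!$ok) { throw new RuntimeException("Check failed: $what"); }
}

$html = implode("\n", [renderTitle($xssTitleString),
  renderMeta('abstract', $xssString), renderImageSrc($xssImageString)]);

// Title: assertEscaped(strip_tags(...)) and responseNotContains(raw payload).
check(str_contains($html, esc(strip_tags($xssTitleString))), 'stripped title is present, encoded');
check(!str_contains($html, $xssTitleString), 'raw title payload absent');
// Meta and image tags: escaped form present, raw payload absent.
check(!str_contains($html, $xssString), 'raw abstract payload absent');
check(!str_contains($html, $xssImageString), 'raw image payload absent');
// The unsafe renderer fails the very check the test relies on.
check(str_contains(renderTitleUnsafe($xssTitleString), $xssTitleString), 'unsafe title leaks the payload');
echo "All checks passed\n";
```

Running it prints "All checks passed"; remove the esc() call from renderMeta() or renderTitle() and the matching "absent" check throws, which is the failure mode the Drupal test would report as responseNotContains() failing.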