public function MetatagXssTest::testXssMetatagConfig in Metatag 8
Verify XSS injected in global config is not rendered.
File
- tests/src/Functional/MetatagXssTest.php, line 121
Class
- MetatagXssTest
- Ensures that meta tags do not allow XSS vulnerabilities.
Namespace
Drupal\Tests\metatag\Functional
Code
/**
 * Verify XSS injected in global config is not rendered.
 *
 * Submits the class's XSS fixture strings as the global 'title', 'abstract'
 * and 'image_src' defaults through the admin form, rebuilds, and then loads
 * the 'node' front page. For each field the raw fixture string must be absent
 * from the response and an encoded form of it must be present.
 *
 * The fixture properties (xssTitleString, xssString, xssImageString,
 * escapedXssTag, escapedXssImageTag) are defined outside this method.
 */
public function testXssMetatagConfig() {
  // The global defaults form has to load before anything is submitted to it.
  $this->drupalGet('admin/config/search/metatag/global');
  $assert = $this->assertSession();
  $assert->statusCodeEquals(200);

  // Store one payload per field so each output path is exercised separately.
  $edit = [
    'title' => $this->xssTitleString,
    'abstract' => $this->xssString,
    'image_src' => $this->xssImageString,
  ];
  $this->drupalPostForm(NULL, $edit, 'Save');
  $assert->pageTextContains('Saved the Global Metatag defaults.');

  // NOTE(review): presumably rebuilt so the front page is rendered from the
  // newly saved defaults rather than from earlier state - confirm.
  $this->rebuildAll();

  // Load the Views-based front page.
  $this->drupalGet('node');
  $assert->statusCodeEquals(200);
  $assert->pageTextContains('No front page content has been created yet.');

  // Each field below pairs a positive check with a negative one. The negative
  // check alone would also pass if the value were never output at all, so the
  // positive check is what shows the value was rendered in encoded form.

  // Title tag: the HTML tags are removed and the remainder is lightly HTML
  // encoded, so the expected text is the tag-stripped payload, escaped.
  $strippedTitle = strip_tags($this->xssTitleString);
  $assert->assertEscaped($strippedTitle);
  $assert->responseNotContains($this->xssTitleString);

  // Basic meta tag: escaped markup present, raw payload absent.
  $assert->responseContains($this->escapedXssTag);
  $assert->responseNotContains($this->xssString);

  // Image meta tag: escaped markup present, raw payload absent.
  $assert->responseContains($this->escapedXssImageTag);
  $assert->responseNotContains($this->xssImageString);
}