
function RelationDummyFieldTestCase::testDummyFieldXSS in Relation 7

Verify that the dummy field protects against XSS attacks.

File

relation_dummy_field/tests/relation_dummy_field.test, line 82
Tests for Relation Dummy Field module.

Class

RelationDummyFieldTestCase
Functional test of Relation's integration with the Dummy Field.

Code

/**
 * Verifies that the dummy field escapes relation type labels and node titles.
 *
 * Two script payloads are injected: one through the label of a newly created
 * relation type and one through the title of the subject node. After the
 * subject node is rendered with the natural language formatter, the raw page
 * source must not contain either payload unescaped.
 *
 * NOTE(review): both checks are negative assertions, so they would also pass
 * if the dummy field were not rendered at all; a positive check that the
 * escaped label and title do appear on the page would make this stricter.
 */
function testDummyFieldXSS() {
  $type_label_payload = 'directional<script>alert("relation-type-label-xss");</script>';
  $subject_payload = 'subject<script>alert("subject-xss");</script>';

  // Relation type whose label carries the first payload; any node bundle may
  // be a source or a target.
  $any_node_bundle = array('node:*');
  relation_type_save(array(
    'relation_type' => 'directional-xss',
    'label' => $type_label_payload,
    'directional' => TRUE,
    'source_bundles' => $any_node_bundle,
    'target_bundles' => $any_node_bundle,
  ));

  // Relate node1 (source) to node4 (target) with that type.
  $endpoints = array();
  foreach (array($this->node1, $this->node4) as $node) {
    $endpoints[] = array(
      'entity_type' => 'node',
      'entity_id' => $node->nid,
    );
  }
  $this->saveRelation('directional-xss', $endpoints);

  // Dummy field rendered through the natural language formatter.
  $this->createDummyField('relation_natural');

  // The second payload goes into the subject node's title.
  $this->node1->title = $subject_payload;
  node_save($this->node1);

  // Render the subject node; neither payload may survive unescaped.
  $this->drupalGet('node/' . $this->node1->nid);
  $this->assertNoRaw('directional<script>alert("relation-type-label-xss');
  $this->assertNoRaw($subject_payload);
}