tests/src/Functional/SmartTitleXssTest.php
<?php
namespace Drupal\Tests\smart_title\Functional;
use Drupal\Core\Entity\Display\EntityViewDisplayInterface;
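/**
 * Tests that Smart Title configuration cannot be used to inject markup.
 *
 * Two entry points are covered: the field formatter settings form, where the
 * tag and link payloads are expected to be rejected on submission and the
 * classes payload must never be echoed back unescaped, and a third-party
 * setting written directly to the entity view display, which must be escaped
 * when the node is rendered.
 */
class SmartTitleXssTest extends SmartTitleBrowserTestBase {

  /**
   * Submits the current form and asserts that the submission throws.
   *
   * The outcome is recorded in a flag and asserted after the try/catch. Calling
   * fail() inside the try block does not work: PHPUnit's AssertionFailedError
   * extends \Exception, so a generic catch would swallow the failure and the
   * test would pass even when the payload had been accepted.
   *
   * @param array $edit
   *   Field values to submit, keyed by form field name.
   */
  protected function assertFormSubmissionThrows(array $edit) {
    $thrown = FALSE;
    try {
      $this->drupalPostForm(NULL, $edit, 'Save');
    }
    catch (\Exception $e) {
      // NOTE(review): the exception class raised for a rejected value is not
      // pinned here; narrowing this catch would make the assertion stronger.
      // Confirm the type against the Mink driver in use before tightening it.
      $thrown = TRUE;
    }
    $this->assertTrue($thrown, 'Expected exception has not been thrown.');
  }

  /**
   * Tests that script payloads in Smart Title settings are rejected or escaped.
   */
  public function testConfigXss() {
    $this->drupalLogin($this->adminUser);

    // Enable Smart Title on the test_page display and place it in the content
    // region so that its settings form becomes available.
    $this->drupalPostForm('admin/structure/types/manage/test_page/display', [
      'smart_title__enabled' => TRUE,
    ], 'Save');
    $this->drupalPostForm(NULL, [
      'fields[smart_title][weight]' => '-5',
      'fields[smart_title][region]' => 'content',
    ], 'Save');
    $this->click('[name="smart_title_settings_edit"]');

    // The classes payload is accepted by the form; the assertions below check
    // that it is never echoed back unescaped.
    $this->drupalPostForm(NULL, [
      'fields[smart_title][settings_edit_form][settings][smart_title__classes]' => '<script>alert("XSS classes")</script>',
    ], 'Save');

    // The tag and link payloads are expected to be rejected at submission time.
    $this->assertFormSubmissionThrows([
      'fields[smart_title][settings_edit_form][settings][smart_title__tag]' => '<script>alert("XSS tag")</script>',
    ]);
    $this->assertFormSubmissionThrows([
      'fields[smart_title][settings_edit_form][settings][smart_title__link]' => '<script>alert("XSS link")</script>',
    ]);

    $web_assert = $this->assertSession();

    // Neither the display settings page nor the rendered node may contain the
    // raw classes payload.
    $web_assert->responseNotContains('<script>alert("XSS classes")</script>');
    $this->drupalGet($this->testPageNode->toUrl());
    $web_assert->responseNotContains('<script>alert("XSS classes")</script>');

    // Bypass the form and write the payloads straight into the view display's
    // third-party settings, as a compromised or careless config import could.
    // Rendering must still escape every value.
    $display = $this->container
      ->get('entity_type.manager')
      ->getStorage('entity_view_display')
      ->load('node.' . $this->testPageNode->getType() . '.default');
    assert($display instanceof EntityViewDisplayInterface);
    $display
      ->setThirdPartySetting('smart_title', 'settings', [
        'smart_title__tag' => '<script>alert("XSS tag")</script>',
        'smart_title__classes' => [
          '<script>alert("XSS classes")</script>',
        ],
        'smart_title__link' => '<script>alert("XSS link")</script>',
      ])
      ->save();

    $this->drupalGet($this->testPageNode->toUrl());
    $web_assert->responseNotContains('<script>alert("XSS tag")</script>');
    $web_assert->responseNotContains('<script>alert("XSS classes")</script>');
    $web_assert->responseNotContains('<script>alert("XSS link")</script>');
  }

}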