You are here

protected function BlockXssTest::doViewTest in Zircon Profile 8.0

Same name and namespace in other branches
  1. 8 core/modules/block/src/Tests/BlockXssTest.php \Drupal\block\Tests\BlockXssTest::doViewTest()

Tests XSS coming from View block labels.

1 call to BlockXssTest::doViewTest()
BlockXssTest::testBlockXss in core/modules/block/src/Tests/BlockXssTest.php
Tests various modules that provide blocks for XSS.

File

core/modules/block/src/Tests/BlockXssTest.php, line 88
Contains \Drupal\block\Tests\BlockXssTest.

Class

BlockXssTest
Tests that the block module properly escapes block descriptions.

Namespace

Drupal\block\Tests

Code

protected function doViewTest() {

  // Create a View without a custom label for its block Display. The
  // admin_label of the block then becomes just the View's label.
  $view = View::create([
    'id' => $this
      ->randomMachineName(),
    'label' => '<script>alert("view1");</script>',
  ]);
  $view
    ->addDisplay('block');
  $view
    ->save();

  // Create a View with a custom label for its block Display. The
  // admin_label of the block then becomes the View's label combined with
  // the Display's label.
  $view = View::create([
    'id' => $this
      ->randomMachineName(),
    'label' => '<script>alert("view2");</script>',
  ]);
  $view
    ->addDisplay('block', 'Fish & chips');
  $view
    ->save();
  $this
    ->drupalGet(Url::fromRoute('block.admin_display'));
  $this
    ->clickLinkPartialName('Place block');

  // \Drupal\views\Plugin\Derivative\ViewsBlock::getDerivativeDefinitions()
  // has a different code path for an admin label based only on the View
  // label versus one based on both the View label and the Display label.
  // Ensure that this test is covering both code paths by asserting the
  // absence of a ":" for the first View and the presence of a ":" for the
  // second one. Note that the second assertion is redundant with the one
  // further down which also checks for the Display label, but is included
  // here for clarity.
  $this
    ->assertNoEscaped('<script>alert("view1");</script>:');
  $this
    ->assertEscaped('<script>alert("view2");</script>:');

  // Assert that the blocks have their admin labels escaped and
  // don't appear anywhere unescaped.
  $this
    ->assertEscaped('<script>alert("view1");</script>');
  $this
    ->assertNoRaw('<script>alert("view1");</script>');
  $this
    ->assertEscaped('<script>alert("view2");</script>: Fish & chips');
  $this
    ->assertNoRaw('<script>alert("view2");</script>');
  $this
    ->assertNoRaw('Fish & chips');

  // Assert the Display label doesn't appear anywhere double escaped.
  $this
    ->assertNoRaw('Fish & chips');
  $this
    ->assertNoRaw('Fish &amp;amp; chips');
}