public function BlockXssTest::testXssInTitle in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/block/src/Tests/BlockXssTest.php \Drupal\block\Tests\BlockXssTest::testXssInTitle()

Tests that a block title containing script markup is escaped, both on the rendered page and in the block administration UI.

File

core/modules/block/src/Tests/BlockXssTest.php, line 44
Contains \Drupal\block\Tests\BlockXssTest.

Class

BlockXssTest
Tests that the block module properly escapes block descriptions.

Namespace

Drupal\block\Tests

Code

public function testXssInTitle() {
  // Enable the block_test module, which provides the 'test_xss_title' block plugin.
  $this->container->get('module_installer')->install(['block_test']);

  // Place the block with a label that contains a script tag.
  $this->drupalPlaceBlock('test_xss_title', [
    'label' => '<script>alert("XSS label");</script>',
  ]);
  \Drupal::state()->set('block_test.content', $this->randomMachineName());

  // The raw script tag must not appear in the rendered front page.
  $this->drupalGet('');
  $this->assertNoRaw('<script>alert("XSS label");</script>', 'The block title was properly sanitized when rendered.');

  // The same must hold for the block listing in the administration UI.
  $this->drupalLogin($this->drupalCreateUser([
    'administer blocks',
    'access administration pages',
  ]));
  $default_theme = $this->config('system.theme')->get('default');
  $this->drupalGet('admin/structure/block/list/' . $default_theme);
  $this->assertNoRaw("<script>alert('XSS subject');</script>", 'The block title was properly sanitized in Block Plugin UI Admin page.');
}