You are here

function EditorSecurityTest::testInitialSecurity in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/editor/src/Tests/EditorSecurityTest.php \Drupal\editor\Tests\EditorSecurityTest::testInitialSecurity()

Tests initial security: is the user safe without switching text formats?

Tests 8 scenarios. Tests only with a text editor that is not XSS-safe.

File

core/modules/editor/src/Tests/EditorSecurityTest.php, line 228
Contains \Drupal\editor\Tests\EditorSecurityTest.

Class

EditorSecurityTest
Tests XSS protection for content creators when using text editors.

Namespace

Drupal\editor\Tests

Code

function testInitialSecurity() {
  $expected = array(
    array(
      'node_id' => 1,
      'format' => 'restricted_without_editor',
      // No text editor => no XSS filtering.
      'value' => self::$sampleContent,
      'users' => array(
        $this->untrustedUser,
        $this->privilegedUser,
      ),
    ),
    array(
      'node_id' => 2,
      'format' => 'restricted_with_editor',
      // Text editor => XSS filtering.
      'value' => self::$sampleContentSecured,
      'users' => array(
        $this->normalUser,
        $this->privilegedUser,
      ),
    ),
    array(
      'node_id' => 3,
      'format' => 'restricted_plus_dangerous_tag_with_editor',
      // Text editor => XSS filtering.
      'value' => self::$sampleContentSecuredEmbedAllowed,
      'users' => array(
        $this->trustedUser,
        $this->privilegedUser,
      ),
    ),
    array(
      'node_id' => 4,
      'format' => 'unrestricted_without_editor',
      // No text editor => no XSS filtering.
      'value' => self::$sampleContent,
      'users' => array(
        $this->privilegedUser,
      ),
    ),
    array(
      'node_id' => 5,
      'format' => 'unrestricted_with_editor',
      // Text editor, no security filter => no XSS filtering.
      'value' => self::$sampleContent,
      'users' => array(
        $this->privilegedUser,
      ),
    ),
  );

  // Log in as each user that may edit the content, and assert the value.
  foreach ($expected as $case) {
    foreach ($case['users'] as $account) {
      $this
        ->pass(format_string('Scenario: sample %sample_id, %format.', array(
        '%sample_id' => $case['node_id'],
        '%format' => $case['format'],
      )));
      $this
        ->drupalLogin($account);
      $this
        ->drupalGet('node/' . $case['node_id'] . '/edit');
      $dom_node = $this
        ->xpath('//textarea[@id="edit-body-0-value"]');
      $this
        ->assertIdentical($case['value'], (string) $dom_node[0], 'The value was correctly filtered for XSS attack vectors.');
    }
  }
}