public function DisplayTest::testDisplayTitleInButtonsXss in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/views_ui/src/Tests/DisplayTest.php \Drupal\views_ui\Tests\DisplayTest::testDisplayTitleInButtonsXss()

Ensures that no XSS is possible for buttons.

File

core/modules/views_ui/src/Tests/DisplayTest.php, line 251
Contains \Drupal\views_ui\Tests\DisplayTest.

Class

DisplayTest
Tests the display UI.

Namespace

Drupal\views_ui\Tests

Code

public function testDisplayTitleInButtonsXss() {
  // A payload that would break out of an attribute and inject a script if
  // the display title were ever rendered without escaping.
  $xss_markup = '"><script>alert(123)</script>';
  $view = $this->randomView();
  $view = View::load($view['id']);
  // Show the master display so that its buttons are rendered too.
  \Drupal::configFactory()
    ->getEditable('views.settings')
    ->set('ui.show.master_display', TRUE)
    ->save();
  // Check both the raw payload and an already entity-encoded variant, which
  // must not be decoded back into live markup on output.
  foreach ([$xss_markup, '&quot;><script>alert(123)</script>'] as $input) {
    $display = &$view->getDisplay('page_1');
    $display['display_title'] = $input;
    $view->save();

    // The view overview truncates the display title to 25 characters; the
    // truncated title must appear escaped and the payload must never appear raw.
    $this->drupalGet("admin/structure/views/view/{$view->id()}");
    $escaped = views_ui_truncate($input, 25);
    $this->assertEscaped($escaped);
    $this->assertNoRaw($xss_markup);

    // The display edit page embeds the title in the "View", "Duplicate" and
    // "Delete" button labels; each label must be escaped as well.
    $this->drupalGet("admin/structure/views/view/{$view->id()}/edit/page_1");
    $this->assertEscaped("View {$escaped}");
    $this->assertNoRaw("View {$xss_markup}");
    $this->assertEscaped("Duplicate {$escaped}");
    $this->assertNoRaw("Duplicate {$xss_markup}");
    $this->assertEscaped("Delete {$escaped}");
    $this->assertNoRaw("Delete {$xss_markup}");
  }
}