public function DisplayTest::testDisplayTitleInButtonsXss in Zircon Profile 8
Ensures that no XSS is possible for buttons.
File
- core/modules/views_ui/src/Tests/DisplayTest.php, line 251 - Contains \Drupal\views_ui\Tests\DisplayTest.
Class
- DisplayTest
- Tests the display UI.
Namespace
Drupal\views_ui\Tests
Code
/**
 * Ensures that no XSS is possible for buttons.
 *
 * Writes an attacker-controlled display title into the "page_1" display and
 * checks that both the view overview page and the display edit page render
 * only the escaped, truncated title in the View / Duplicate / Delete buttons,
 * never the raw markup.
 */
public function testDisplayTitleInButtonsXss() {
  $payload = '"><script>alert(123)</script>';
  // NOTE(review): both entries read identically on this page; the second one
  // is presumably a differently-encoded variant of the first (e.g. with an
  // HTML entity in place of the quote) that was decoded when the page was
  // rendered - confirm against the file itself.
  $inputs = [
    $payload,
    '"><script>alert(123)</script>',
  ];

  $created = $this->randomView();
  $view = View::load($created['id']);

  // Turn on the "show master display" UI setting for this test.
  \Drupal::configFactory()
    ->getEditable('views.settings')
    ->set('ui.show.master_display', TRUE)
    ->save();

  $view_path = "admin/structure/views/view/{$view->id()}";
  $button_labels = ['View', 'Duplicate', 'Delete'];

  foreach ($inputs as $input) {
    // Taken by reference so the new title is written into the view's own
    // display configuration before saving.
    $display = &$view->getDisplay('page_1');
    $display['display_title'] = $input;
    $view->save();

    // Overview page: the truncated title must show up escaped, the raw
    // payload must not appear anywhere in the response.
    $this->drupalGet($view_path);
    $truncated = views_ui_truncate($input, 25);
    $this->assertEscaped($truncated);
    $this->assertNoRaw($payload);

    // Display edit page: same check for each button label that embeds the
    // display title.
    $this->drupalGet("{$view_path}/edit/page_1");
    foreach ($button_labels as $label) {
      $this->assertEscaped("{$label} {$truncated}");
      $this->assertNoRaw("{$label} {$payload}");
    }
  }
}