3 namespace Drupal\Tests\block\Functional;
5 use Drupal\block_content\Entity\BlockContent;
6 use Drupal\block_content\Entity\BlockContentType;
8 use Drupal\system\Entity\Menu;
9 use Drupal\Tests\BrowserTestBase;
10 use Drupal\views\Entity\View;
13 * Tests that the block module properly escapes block descriptions.
17 class BlockXssTest extends BrowserTestBase {
// Modules enabled for every test. block_content, menu_ui and views each
// contribute block plugins whose admin labels the tests below seed with
// markup; block_test is installed inside the individual tests that need it.
24 public static $modules = ['block', 'block_content', 'menu_ui', 'views'];
27 * Tests that nothing is escaped other than the blocks explicitly tested.
29 public function testNoUnexpectedEscaping() {
// A user with 'administer blocks' is needed to reach the block layout page
// and its "Place block" dialog.
30 $this->drupalLogin($this->drupalCreateUser(['administer blocks', 'access administration pages']));
31 $this->drupalGet(Url::fromRoute('block.admin_display'));
32 $this->clickLink('Place block');
// Nothing in this test seeds an admin label with markup, so the escaped
// form of "<" must not occur anywhere in the listing: its presence would
// mean some label was escaped that did not need to be.
33 $this->assertNoEscaped('<');
39 public function testXssInTitle() {
// Covers the block label in two places: where the block is rendered on a
// page, and in the block layout listing of the admin UI.
40 $this->container->get('module_installer')->install(['block_test']);
41 $this->drupalPlaceBlock('test_xss_title', ['label' => '<script>alert("XSS label");</script>']);
// Presumably read by the test_xss_title block as its body content so the
// block actually renders -- TODO confirm in block_test.
43 \Drupal::state()->set('block_test.content', $this->randomMachineName());
// NOTE(review): assertNoRaw() alone also passes if the label is dropped
// entirely; pairing it with assertEscaped() would prove the label is
// rendered in escaped form rather than missing.
45 $this->assertNoRaw('<script>alert("XSS label");</script>', 'The block title was properly sanitized when rendered.');
47 $this->drupalLogin($this->drupalCreateUser(['administer blocks', 'access administration pages']));
48 $default_theme = $this->config('system.theme')->get('default');
49 $this->drupalGet('admin/structure/block/list/' . $default_theme);
// NOTE(review): the payload checked here ("XSS subject") is not the label
// placed above ("XSS label"); presumably it is the admin label the
// test_xss_title plugin itself declares -- confirm against block_test.
50 $this->assertNoRaw("<script>alert('XSS subject');</script>", 'The block title was properly sanitized in Block Plugin UI Admin page.');
54 * Tests XSS in category.
56 public function testXssInCategory() {
// The category under test is not set anywhere in this method; presumably
// it comes from the test_xss_title plugin definition in block_test --
// confirm.
57 $this->container->get('module_installer')->install(['block_test']);
58 $this->drupalPlaceBlock('test_xss_title');
59 $this->drupalLogin($this->drupalCreateUser(['administer blocks', 'access administration pages']));
60 $this->drupalGet(Url::fromRoute('block.admin_display'));
61 $this->clickLink('Place block');
// The "Place block" dialog is the only page visited, so it is where the
// category string would be rendered. Only the raw form is asserted absent;
// an assertEscaped() would additionally prove the category is shown.
62 $this->assertNoRaw("<script>alert('XSS category');</script>");
66 * Tests the blocks provided by various modules for XSS.
68 public function testBlockXss() {
// The helpers create configuration and content entities (views, block
// content types and blocks), so the root user is used rather than a user
// with a narrow permission set.
69 $this->drupalLogin($this->rootUser);
// Each do*Test() helper seeds one block provider's admin label with a
// <script> payload and checks it shows up only in escaped form.
73 $this->doBlockContentTest();
75 $this->drupalGet(Url::fromRoute('block.admin_display'));
76 $this->clickLink('Place block');
// The helpers prove single escaping; this assertion is meant to prove that
// nothing was escaped twice.
// NOTE(review): as printed, '&lt;' is the single-escaped form of "<" that
// the helpers' assertEscaped() calls require to be present on this very
// page, so this assertion would contradict them. The double-escaped form
// to assert absent is that string escaped once more ('&amp;lt;'). Possibly
// an entity-decoding artifact of this listing -- verify against the file.
77 $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.');
81 * Tests XSS coming from View block labels.
83 protected function doViewTest() {
// Two Views are created so that both admin-label code paths of the views
// block deriver are exercised: View label alone, and View label combined
// with the Display label.
84 // Create a View without a custom label for its block Display. The
85 // admin_label of the block then becomes just the View's label.
86 $view = View::create([
87 'id' => $this->randomMachineName(),
88 'label' => '<script>alert("view1");</script>',
90 $view->addDisplay('block');
93 // Create a View with a custom label for its block Display. The
94 // admin_label of the block then becomes the View's label combined with
95 // the Display's label.
96 $view = View::create([
97 'id' => $this->randomMachineName(),
98 'label' => '<script>alert("view2");</script>',
// The "&" in this Display label doubles as the double-escaping probe: it
// should be rendered escaped exactly once, never raw and never twice.
100 $view->addDisplay('block', 'Fish & chips');
103 $this->drupalGet(Url::fromRoute('block.admin_display'));
104 $this->clickLink('Place block');
106 // \Drupal\views\Plugin\Derivative\ViewsBlock::getDerivativeDefinitions()
107 // has a different code path for an admin label based only on the View
108 // label versus one based on both the View label and the Display label.
109 // Ensure that this test is covering both code paths by asserting the
110 // absence of a ":" for the first View and the presence of a ":" for the
111 // second one. Note that the second assertion is redundant with the one
112 // further down which also checks for the Display label, but is included
114 $this->assertNoEscaped('<script>alert("view1");</script>:');
115 $this->assertEscaped('<script>alert("view2");</script>:');
117 // Assert that the blocks have their admin labels escaped and
118 // don't appear anywhere unescaped.
// Each pair is needed: the escaped form present (the label is shown at
// all) and the raw form absent (it is never emitted unescaped).
119 $this->assertEscaped('<script>alert("view1");</script>');
120 $this->assertNoRaw('<script>alert("view1");</script>');
121 $this->assertEscaped('<script>alert("view2");</script>: Fish & chips');
122 $this->assertNoRaw('<script>alert("view2");</script>');
// NOTE(review): identical to the assertNoRaw('Fish & chips') under the
// "double escaped" comment below; one of the two is redundant.
123 $this->assertNoRaw('Fish & chips');
125 // Assert the Display label doesn't appear anywhere double escaped.
126 $this->assertNoRaw('Fish & chips');
// NOTE(review): as printed this contradicts the assertEscaped() above,
// which requires the single-escaped 'Fish &amp; chips' to be present. The
// double-escaped form to assert absent would be that string escaped once
// more ('Fish &amp;amp; chips'). Possibly an entity-decoding artifact of
// this listing -- verify against the file.
127 $this->assertNoRaw('Fish &amp; chips');
131 * Tests XSS coming from Menu block labels.
133 protected function doMenuTest() {
// Seed a Menu entity's label with the payload; per the docblock, the menu
// block's admin label is derived from the menu label.
135 'id' => $this->randomMachineName(),
136 'label' => '<script>alert("menu");</script>',
139 $this->drupalGet(Url::fromRoute('block.admin_display'));
140 $this->clickLink('Place block');
// Both halves are needed: the escaped form present (the label is shown at
// all) and the raw form absent (it is never emitted unescaped).
142 $this->assertEscaped('<script>alert("menu");</script>');
143 $this->assertNoRaw('<script>alert("menu");</script>');
147 * Tests XSS coming from Block Content block info.
149 protected function doBlockContentTest() {
150 BlockContentType::create([
155 BlockContent::create([
157 'info' => '<script>alert("block_content");</script>',
160 $this->drupalGet(Url::fromRoute('block.admin_display'));
161 $this->clickLink('Place block');
163 $this->assertEscaped('<script>alert("block_content");</script>');
164 $this->assertNoRaw('<script>alert("block_content");</script>');