projects / yaffs-website / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security update for Core, with self-updated composer
[yaffs-website] / web / core / modules / field / tests / src / Functional / EntityReference / EntityReferenceXSSTest.php
1 <?php
2
3 namespace Drupal\Tests\field\Functional\EntityReference;
4
5 use Drupal\Core\Entity\Entity\EntityFormDisplay;
6 use Drupal\Core\Entity\Entity\EntityViewDisplay;
7 use Drupal\Tests\BrowserTestBase;
8 use Drupal\field\Tests\EntityReference\EntityReferenceTestTrait;
9
10 /**
11  * Tests possible XSS security issues in entity references.
12  *
13  * @group entity_reference
14  */
15 class EntityReferenceXSSTest extends BrowserTestBase {
16
17   use EntityReferenceTestTrait;
18
19   /**
20    * Modules to enable.
21    *
22    * @var array
23    */
24   protected static $modules = ['node'];
25
26   /**
27    * Tests markup is escaped in the entity reference select and label formatter.
28    */
29   public function testEntityReferenceXSS() {
30     $this->drupalCreateContentType(['type' => 'article']);
31
32     // Create a node with markup in the title.
33     $node_type_one = $this->drupalCreateContentType();
34     $node = [
35       'type' => $node_type_one->id(),
36       'title' => '<em>I am kitten</em>',
37     ];
38     $referenced_node = $this->drupalCreateNode($node);
39
40     $node_type_two = $this->drupalCreateContentType(['name' => '<em>bundle with markup</em>']);
41     $this->drupalCreateNode([
42       'type' => $node_type_two->id(),
43       'title' => 'My bundle has markup',
44     ]);
45
46     $this->createEntityReferenceField('node', 'article', 'entity_reference_test', 'Entity Reference test', 'node', 'default', ['target_bundles' => [$node_type_one->id(), $node_type_two->id()]]);
47
48     EntityFormDisplay::load('node.article.default')
49       ->setComponent('entity_reference_test', ['type' => 'options_select'])
50       ->save();
51     EntityViewDisplay::load('node.article.default')
52       ->setComponent('entity_reference_test', ['type' => 'entity_reference_label'])
53       ->save();
54
55     // Create a node and reference the node with markup in the title.
56     $this->drupalLogin($this->rootUser);
57     $this->drupalGet('node/add/article');
58     $this->assertEscaped($referenced_node->getTitle());
59     $this->assertEscaped($node_type_two->label());
60
61     $edit = [
62       'title[0][value]' => $this->randomString(),
63       'entity_reference_test' => $referenced_node->id()
64     ];
65     $this->drupalPostForm(NULL, $edit, 'Save');
66     $this->assertEscaped($referenced_node->getTitle());
67
68     // Test the options_buttons type.
69     EntityFormDisplay::load('node.article.default')
70       ->setComponent('entity_reference_test', ['type' => 'options_buttons'])
71       ->save();
72     $this->drupalGet('node/add/article');
73     $this->assertEscaped($referenced_node->getTitle());
74     // options_buttons does not support optgroups.
75     $this->assertNoText('bundle with markup');
76   }
77
78 }
Unnamed repository; edit this file 'description' to name the repository.