'full_html', 'name' => 'Full HTML', 'weight' => 1, 'filters' => [], ]); $full_html_format->save(); // Create and log in an administrative user having access to the Full HTML // text format. $permissions = [ 'administer filters', $full_html_format->getPermissionName(), 'administer permissions', 'create page content', 'post comments', 'skip comment approval', 'access comments', ]; $this->adminUser = $this->drupalCreateUser($permissions); $this->drupalLogin($this->adminUser); // Add a comment field. $this->addDefaultCommentField('node', 'article'); } /** * Verify that comments are rendered using proper format in search results. */ public function testSearchResultsComment() { $node_storage = $this->container->get('entity.manager')->getStorage('node'); // Create basic_html format that escapes all HTML. $basic_html_format = FilterFormat::create([ 'format' => 'basic_html', 'name' => 'Basic HTML', 'weight' => 1, 'filters' => [ 'filter_html_escape' => ['status' => 1], ], 'roles' => [RoleInterface::AUTHENTICATED_ID], ]); $basic_html_format->save(); $comment_body = 'Test comment body'; // Make preview optional. $field = FieldConfig::loadByName('node', 'article', 'comment'); $field->setSetting('preview', DRUPAL_OPTIONAL); $field->save(); // Allow anonymous users to search content. $edit = [ RoleInterface::ANONYMOUS_ID . '[search content]' => 1, RoleInterface::ANONYMOUS_ID . '[access comments]' => 1, RoleInterface::ANONYMOUS_ID . '[post comments]' => 1, ]; $this->drupalPostForm('admin/people/permissions', $edit, t('Save permissions')); // Create a node. $node = $this->drupalCreateNode(['type' => 'article']); // Post a comment using 'Full HTML' text format. $edit_comment = []; $edit_comment['subject[0][value]'] = 'Test comment subject'; $edit_comment['comment_body[0][value]'] = '

' . $comment_body . '

'; $full_html_format_id = 'full_html'; $edit_comment['comment_body[0][format]'] = $full_html_format_id; $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment, t('Save')); // Post a comment with an evil script tag in the comment subject and a // script tag nearby a keyword in the comment body. Use the 'FULL HTML' text // format so the script tag stored. $edit_comment2 = []; $edit_comment2['subject[0][value]'] = ""; $edit_comment2['comment_body[0][value]'] = "nearbykeyword"; $edit_comment2['comment_body[0][format]'] = $full_html_format_id; $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment2, t('Save')); // Post a comment with a keyword inside an evil script tag in the comment // body. Use the 'FULL HTML' text format so the script tag is stored. $edit_comment3 = []; $edit_comment3['subject[0][value]'] = 'asubject'; $edit_comment3['comment_body[0][value]'] = ""; $edit_comment3['comment_body[0][format]'] = $full_html_format_id; $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment3, t('Save')); // Invoke search index update. $this->drupalLogout(); $this->cronRun(); // Search for the comment subject. $edit = [ 'keys' => "'" . $edit_comment['subject[0][value]'] . "'", ]; $this->drupalPostForm('search/node', $edit, t('Search')); $node_storage->resetCache([$node->id()]); $node2 = $node_storage->load($node->id()); $this->assertText($node2->label(), 'Node found in search results.'); $this->assertText($edit_comment['subject[0][value]'], 'Comment subject found in search results.'); // Search for the comment body. $edit = [ 'keys' => "'" . $comment_body . "'", ]; $this->drupalPostForm(NULL, $edit, t('Search')); $this->assertText($node2->label(), 'Node found in search results.'); // Verify that comment is rendered using proper format. $this->assertText($comment_body, 'Comment body text found in search results.'); $this->assertNoRaw(t('n/a'), 'HTML in comment body is not hidden.'); $this->assertNoEscaped($edit_comment['comment_body[0][value]'], 'HTML in comment body is not escaped.'); // Search for the evil script comment subject. $edit = [ 'keys' => 'subjectkeyword', ]; $this->drupalPostForm('search/node', $edit, t('Search')); // Verify the evil comment subject is escaped in search results. $this->assertRaw('<script>alert('subjectkeyword');'); $this->assertNoRaw('