'full_html',
'name' => 'Full HTML',
'weight' => 1,
'filters' => [],
]);
$full_html_format->save();
// Create and log in an administrative user having access to the Full HTML
// text format.
$permissions = [
'administer filters',
$full_html_format->getPermissionName(),
'administer permissions',
'create page content',
'post comments',
'skip comment approval',
'access comments',
];
$this->adminUser = $this->drupalCreateUser($permissions);
$this->drupalLogin($this->adminUser);
// Add a comment field.
$this->addDefaultCommentField('node', 'article');
}
/**
* Verify that comments are rendered using proper format in search results.
*/
public function testSearchResultsComment() {
$node_storage = $this->container->get('entity.manager')->getStorage('node');
// Create basic_html format that escapes all HTML.
$basic_html_format = FilterFormat::create([
'format' => 'basic_html',
'name' => 'Basic HTML',
'weight' => 1,
'filters' => [
'filter_html_escape' => ['status' => 1],
],
'roles' => [RoleInterface::AUTHENTICATED_ID],
]);
$basic_html_format->save();
$comment_body = 'Test comment body';
// Make preview optional.
$field = FieldConfig::loadByName('node', 'article', 'comment');
$field->setSetting('preview', DRUPAL_OPTIONAL);
$field->save();
// Allow anonymous users to search content.
$edit = [
RoleInterface::ANONYMOUS_ID . '[search content]' => 1,
RoleInterface::ANONYMOUS_ID . '[access comments]' => 1,
RoleInterface::ANONYMOUS_ID . '[post comments]' => 1,
];
$this->drupalPostForm('admin/people/permissions', $edit, t('Save permissions'));
// Create a node.
$node = $this->drupalCreateNode(['type' => 'article']);
// Post a comment using 'Full HTML' text format.
$edit_comment = [];
$edit_comment['subject[0][value]'] = 'Test comment subject';
$edit_comment['comment_body[0][value]'] = '
' . $comment_body . '
';
$full_html_format_id = 'full_html';
$edit_comment['comment_body[0][format]'] = $full_html_format_id;
$this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment, t('Save'));
// Post a comment with an evil script tag in the comment subject and a
// script tag nearby a keyword in the comment body. Use the 'FULL HTML' text
// format so the script tag stored.
$edit_comment2 = [];
$edit_comment2['subject[0][value]'] = "";
$edit_comment2['comment_body[0][value]'] = "nearbykeyword";
$edit_comment2['comment_body[0][format]'] = $full_html_format_id;
$this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment2, t('Save'));
// Post a comment with a keyword inside an evil script tag in the comment
// body. Use the 'FULL HTML' text format so the script tag is stored.
$edit_comment3 = [];
$edit_comment3['subject[0][value]'] = 'asubject';
$edit_comment3['comment_body[0][value]'] = "";
$edit_comment3['comment_body[0][format]'] = $full_html_format_id;
$this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment3, t('Save'));
// Invoke search index update.
$this->drupalLogout();
$this->cronRun();
// Search for the comment subject.
$edit = [
'keys' => "'" . $edit_comment['subject[0][value]'] . "'",
];
$this->drupalPostForm('search/node', $edit, t('Search'));
$node_storage->resetCache([$node->id()]);
$node2 = $node_storage->load($node->id());
$this->assertText($node2->label(), 'Node found in search results.');
$this->assertText($edit_comment['subject[0][value]'], 'Comment subject found in search results.');
// Search for the comment body.
$edit = [
'keys' => "'" . $comment_body . "'",
];
$this->drupalPostForm(NULL, $edit, t('Search'));
$this->assertText($node2->label(), 'Node found in search results.');
// Verify that comment is rendered using proper format.
$this->assertText($comment_body, 'Comment body text found in search results.');
$this->assertNoRaw(t('n/a'), 'HTML in comment body is not hidden.');
$this->assertNoEscaped($edit_comment['comment_body[0][value]'], 'HTML in comment body is not escaped.');
// Search for the evil script comment subject.
$edit = [
'keys' => 'subjectkeyword',
];
$this->drupalPostForm('search/node', $edit, t('Search'));
// Verify the evil comment subject is escaped in search results.
$this->assertRaw('<script>alert('subjectkeyword');');
$this->assertNoRaw('