projects / yaffs-website / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Version 1
[yaffs-website] / web / core / modules / field / tests / src / Functional / EntityReference / EntityReferenceXSSTest.php
diff --git a/web/core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php b/web/core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php
new file mode 100644 (file)
index 0000000..46986ec
--- /dev/null
+++ b/web/core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php
@@ -0,0 +1,78 @@
+<?php
+
+namespace Drupal\Tests\field\Functional\EntityReference;
+
+use Drupal\Core\Entity\Entity\EntityFormDisplay;
+use Drupal\Core\Entity\Entity\EntityViewDisplay;
+use Drupal\Tests\BrowserTestBase;
+use Drupal\field\Tests\EntityReference\EntityReferenceTestTrait;
+
+/**
+ * Tests possible XSS security issues in entity references.
+ *
+ * @group entity_reference
+ */
+class EntityReferenceXSSTest extends BrowserTestBase {
+
+  use EntityReferenceTestTrait;
+
+  /**
+   * Modules to enable.
+   *
+   * @var array
+   */
+  protected static $modules = ['node'];
+
+  /**
+   * Tests markup is escaped in the entity reference select and label formatter.
+   */
+  public function testEntityReferenceXSS() {
+    $this->drupalCreateContentType(['type' => 'article']);
+
+    // Create a node with markup in the title.
+    $node_type_one = $this->drupalCreateContentType();
+    $node = [
+      'type' => $node_type_one->id(),
+      'title' => '<em>I am kitten</em>',
+    ];
+    $referenced_node = $this->drupalCreateNode($node);
+
+    $node_type_two = $this->drupalCreateContentType(['name' => '<em>bundle with markup</em>']);
+    $this->drupalCreateNode([
+      'type' => $node_type_two->id(),
+      'title' => 'My bundle has markup',
+    ]);
+
+    $this->createEntityReferenceField('node', 'article', 'entity_reference_test', 'Entity Reference test', 'node', 'default', ['target_bundles' => [$node_type_one->id(), $node_type_two->id()]]);
+
+    EntityFormDisplay::load('node.article.default')
+      ->setComponent('entity_reference_test', ['type' => 'options_select'])
+      ->save();
+    EntityViewDisplay::load('node.article.default')
+      ->setComponent('entity_reference_test', ['type' => 'entity_reference_label'])
+      ->save();
+
+    // Create a node and reference the node with markup in the title.
+    $this->drupalLogin($this->rootUser);
+    $this->drupalGet('node/add/article');
+    $this->assertEscaped($referenced_node->getTitle());
+    $this->assertEscaped($node_type_two->label());
+
+    $edit = [
+      'title[0][value]' => $this->randomString(),
+      'entity_reference_test' => $referenced_node->id()
+    ];
+    $this->drupalPostForm(NULL, $edit, 'Save and publish');
+    $this->assertEscaped($referenced_node->getTitle());
+
+    // Test the options_buttons type.
+    EntityFormDisplay::load('node.article.default')
+      ->setComponent('entity_reference_test', ['type' => 'options_buttons'])
+      ->save();
+    $this->drupalGet('node/add/article');
+    $this->assertEscaped($referenced_node->getTitle());
+    // options_buttons does not support optgroups.
+    $this->assertNoText('bundle with markup');
+  }
+
+}
Unnamed repository; edit this file 'description' to name the repository.