Version 1

[yaffs-website] / web / core / modules / node / tests / src / Functional / NodeTitleXSSTest.php

diff --git a/web/core/modules/node/tests/src/Functional/NodeTitleXSSTest.php b/web/core/modules/node/tests/src/Functional/NodeTitleXSSTest.php
new file mode 100644 (file)
index 0000000..4b75087
--- /dev/null
+++ b/web/core/modules/node/tests/src/Functional/NodeTitleXSSTest.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace Drupal\Tests\node\Functional;
+
+use Drupal\Component\Utility\Html;
+
+/**
+ * Create a node with dangerous tags in its title and test that they are
+ * escaped.
+ *
+ * @group node
+ */
+class NodeTitleXSSTest extends NodeTestBase {
+
+  /**
+   * Tests XSS functionality with a node entity.
+   */
+  public function testNodeTitleXSS() {
+    // Prepare a user to do the stuff.
+    $web_user = $this->drupalCreateUser(['create page content', 'edit any page content']);
+    $this->drupalLogin($web_user);
+
+    $xss = '<script>alert("xss")</script>';
+    $title = $xss . $this->randomMachineName();
+    $edit = [];
+    $edit['title[0][value]'] = $title;
+
+    $this->drupalPostForm('node/add/page', $edit, t('Preview'));
+    $this->assertNoRaw($xss, 'Harmful tags are escaped when previewing a node.');
+
+    $settings = ['title' => $title];
+    $node = $this->drupalCreateNode($settings);
+
+    $this->drupalGet('node/' . $node->id());
+    // Titles should be escaped.
+    $this->assertRaw('<title>' . Html::escape($title) . ' | Drupal</title>', 'Title is displayed when viewing a node.');
+    $this->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.');
+
+    $this->drupalGet('node/' . $node->id() . '/edit');
+    $this->assertNoRaw($xss, 'Harmful tags are escaped when editing a node.');
+  }
+
+}