3 namespace Drupal\metatag\Tests;
5 use Drupal\simpletest\WebTestBase;
8 * Ensures that metatags do not allow xss vulnerabilities.
12 class MetatagXssTest extends WebTestBase {
15 * String that causes an alert when page titles aren't filtered for xss.
19 private $xssTitleString = '<script>alert("xss");</script>';
22 * String that causes an alert when metatags aren't filtered for xss.
26 private $xssString = '"><script>alert("xss");</script><meta "';
29 * Rendered xss tag that has escaped attribute to avoid xss injection.
33 private $escapedXssTag = '<meta name="abstract" content="">alert("xss");" />';
36 * String that causes an alert when metatags aren't filtered for xss.
38 * "Image" meta tags are processed differently to others, so this checks for a
43 private $xssImageString = '"><script>alert("image xss");</script><meta "';
46 * Rendered xss tag that has escaped attribute to avoid xss injection.
50 private $escapedXssImageTag = '<link rel="image_src" href="">alert("image xss");" />';
53 * Administrator user for tests.
55 * @var \Drupal\user\UserInterface
62 public static $modules = [
75 protected function setUp() {
78 // Create a user that can manage content types and create content.
79 $admin_permissions = [
80 'administer content types',
83 'administer meta tags',
84 'administer site configuration',
86 'administer content types',
88 'administer node fields',
91 // Create and login a with the admin-ish permissions user.
92 $this->adminUser = $this->drupalCreateUser($admin_permissions);
93 $this->drupalLogin($this->adminUser);
95 // Set up a content type.
96 $this->drupalCreateContentType(['type' => 'metatag_node', 'name' => 'Test Content Type']);
98 // Add a metatag field to the content type.
99 $this->drupalGet('admin/structure/types/manage/metatag_node/fields/add-field');
100 $this->assertResponse(200);
102 'label' => 'Metatag',
103 'field_name' => 'metatag_field',
104 'new_storage_type' => 'metatag',
106 $this->drupalPostForm(NULL, $edit, t('Save and continue'));
107 $this->drupalPostForm(NULL, [], t('Save field settings'));
/**
 * Verify XSS injected in global config is not rendered.
 *
 * Saves the XSS payloads through the global Metatag defaults form, then loads
 * the front page and asserts that every value shows up only in its escaped
 * rendering and never as the raw payload.
 */
public function testXssMetatagConfig() {
  // Submit the payloads through the global defaults form.
  $this->drupalGet('admin/config/search/metatag/global');
  $form_values = [
    'title' => $this->xssTitleString,
    'abstract' => $this->xssString,
    'image_src' => $this->xssImageString,
  ];
  $this->drupalPostForm(NULL, $form_values, 'Save');
  $this->assertText('Saved the Global Metatag defaults.');

  // Load the Views-based front page, where the global defaults are used.
  $this->drupalGet('node');
  $this->assertResponse(200);
  $this->assertText(t('No front page content has been created yet.'));

  // Title: the raw payload must be absent; what remains after the HTML tags
  // are stripped is expected to be lightly HTML encoded.
  $this->assertNoRaw($this->xssTitleString);
  $this->assertEscaped(strip_tags($this->xssTitleString));

  // Basic meta tag: only the known escaped rendering may appear.
  $this->assertNoRaw($this->xssString);
  $this->assertRaw($this->escapedXssTag);

  // Image meta tag (rendered as a <link> element): only the known escaped
  // rendering may appear.
  $this->assertNoRaw($this->xssImageString);
  $this->assertRaw($this->escapedXssImageTag);
}
/**
 * Verify XSS injected in the entity metatag override field is not rendered.
 *
 * Creates a node whose per-entity Metatag field carries the XSS payloads as
 * overrides, then checks the resulting page renders only the escaped forms.
 */
public function testXssEntityOverride() {
  // Create a node with the payloads in the per-entity metatag override field.
  $this->drupalGet('node/add/metatag_node');
  $node_values = [
    'title[0][value]' => $this->randomString(32),
    'field_metatag_field[0][basic][title]' => $this->xssTitleString,
    'field_metatag_field[0][basic][abstract]' => $this->xssString,
    'field_metatag_field[0][advanced][image_src]' => $this->xssImageString,
  ];
  $this->drupalPostForm(NULL, $node_values, t('Save and publish'));

  // Title: the raw payload must be absent; the tag-stripped remainder is
  // expected to be lightly HTML encoded.
  $this->assertNoRaw($this->xssTitleString);
  $this->assertEscaped(strip_tags($this->xssTitleString));

  // Basic meta tag: only the known escaped rendering may appear.
  $this->assertNoRaw($this->xssString);
  $this->assertRaw($this->escapedXssTag);

  // Image meta tag (rendered as a <link> element): only the known escaped
  // rendering may appear.
  $this->assertNoRaw($this->xssImageString);
  $this->assertRaw($this->escapedXssImageTag);
}
/**
 * Verify XSS injected in the entity titles are not rendered.
 *
 * Creates a node whose own title is the XSS payload and checks that the
 * rendered page contains only the tag-stripped, HTML-encoded remainder.
 */
public function testXssEntityTitle() {
  // Create a node whose title is the payload; the body is filler text.
  $this->drupalGet('node/add/metatag_node');
  $body_text = $this->randomString() . ' ' . $this->randomString();
  $node_values = [
    'title[0][value]' => $this->xssTitleString,
    'body[0][value]' => $body_text,
  ];
  $this->drupalPostForm(NULL, $node_values, t('Save and publish'));

  // The raw payload must be absent; its tag-stripped form is expected to be
  // present, lightly HTML encoded.
  $this->assertNoRaw($this->xssTitleString);
  $this->assertEscaped(strip_tags($this->xssTitleString));
}
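/**
 * Verify XSS injected in the entity fields are not rendered.
 *
 * Posts the XSS payload as the node body and checks that the saved node page
 * loads and does not contain the raw payload. Only absence of the raw payload
 * is asserted here, since no single escaped rendering is pinned for the body
 * field (unlike the meta tag tests above).
 */
public function testXssEntityBody() {
  // Create a node carrying the payload in its body field.
  $this->drupalGet('node/add/metatag_node');
  $node_values = [
    'title[0][value]' => $this->randomString(),
    'body[0][value]' => $this->xssTitleString,
  ];
  $this->drupalPostForm(NULL, $node_values, t('Save and publish'));

  // Make sure the saved node page actually rendered; a failed response would
  // otherwise let the negative assertion below pass vacuously.
  $this->assertResponse(200);

  // The raw payload must not appear anywhere in the rendered page.
  $this->assertNoRaw($this->xssTitleString);
}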