3 namespace Drupal\metatag\Tests;
5 use Drupal\simpletest\WebTestBase;
8 * Ensures that metatags do not allow xss vulnerabilities.
12 class MetatagXssTest extends WebTestBase {
15 * String that causes an alert when page titles aren't filtered for xss.
 *
 * Used as a <title> value (config and entity titles) and as body text; the
 * tests expect it to be reduced by strip_tags() to `alert("xss");` and then
 * HTML-encoded, never to appear verbatim in the response.
19 private $xssTitleString = '<script>alert("xss");</script>';
22 * String that causes an alert when metatags aren't filtered for xss.
 *
 * Begins with `">` so that, if the value were written into an attribute
 * unescaped, it would terminate that attribute before the script element.
26 private $xssString = '"><script>alert("xss");</script><meta "';
29 * Rendered xss tag that has escaped attribute to avoid xss injection.
 *
 * NOTE(review): in this expected output the payload's leading `"` still
 * closes the content attribute (it is not encoded as &quot;). The
 * <script> and <meta> tags are gone, so no script runs, but this pins
 * tag stripping rather than attribute encoding — confirm that is intended.
33 private $escapedXssTag = '<meta name="abstract" content="">alert("xss");" />';
36 * String that causes an alert when metatags aren't filtered for xss.
38 * "Image" meta tags are processed differently to others, so this checks for a
 * separate payload (rendered as a <link rel="image_src">, see below).
43 private $xssImageString = '"><script>alert("image xss");</script><meta "';
46 * Rendered xss tag that has escaped attribute to avoid xss injection.
 *
 * NOTE(review): same observation as $escapedXssTag — the href attribute is
 * terminated by the payload's leading `"` rather than encoded.
50 private $escapedXssImageTag = '<link rel="image_src" href="">alert("image xss");" />';
53 * Administrator user for tests.
 *
 * Created and logged in by setUp().
55 * @var \Drupal\user\UserInterface
62 public static $modules = [
75 protected function setUp() {
// Builds the fixture every test method relies on: a user with the
// permissions below, a 'metatag_node' content type, and a Metatag field
// ('metatag_field', posted by the tests as field_metatag_field[...]).
// NOTE(review): parent::setUp() is not visible in this listing — confirm it
// runs before drupalCreateUser().
78 // Create a user that can manage content types and create content.
79 $admin_permissions = [
80 'administer content types',
83 'administer meta tags',
84 'administer site configuration',
// 'administer content types' is already listed at the top of this array;
// harmless duplicate, but worth removing.
86 'administer content types',
88 'administer node fields',
91 // Create and log in a user with the admin-ish permissions.
92 $this->adminUser = $this->drupalCreateUser($admin_permissions);
93 $this->drupalLogin($this->adminUser);
95 // Set up a content type.
96 $this->drupalCreateContentType(['type' => 'metatag_node', 'name' => 'Test Content Type']);
98 // Add a metatag field to the content type.
// The field is created through the Field UI forms, so this depends on the
// 'Save and continue' / 'Save field settings' button labels.
99 $this->drupalGet('admin/structure/types/manage/metatag_node/fields/add-field');
100 $this->assertResponse(200);
102 'label' => 'Metatag',
103 'field_name' => 'metatag_field',
104 'new_storage_type' => 'metatag',
106 $this->drupalPostForm(NULL, $edit, t('Save and continue'));
// Accept the default field storage settings.
107 $this->drupalPostForm(NULL, [], t('Save field settings'));
111 * Verify XSS injected in global config is not rendered.
113 public function testXssMetatagConfig() {
// Saves the three payloads into the global metatag defaults and then checks
// how they come out on a page that uses those defaults.
114 $this->drupalGet('admin/config/search/metatag/global');
115 $this->assertResponse(200);
117 'title' => $this->xssTitleString,
118 'abstract' => $this->xssString,
119 'image_src' => $this->xssImageString
121 $this->drupalPostForm(NULL, $values, 'Save');
122 $this->assertText('Saved the Global Metatag defaults.');
125 // Load the Views-based front page.
126 $this->drupalGet('node');
127 $this->assertResponse(200);
128 $this->assertText(t('No front page content has been created yet.'));
130 // Check for the title tag, which will have the HTML tags removed and then
131 // be lightly HTML encoded.
// strip_tags() leaves `alert("xss");`; assertEscaped() looks for its
// HTML-encoded form, so the positive check and the assertNoRaw() together
// prove the value was rendered *and* neutralised (a missing tag would
// otherwise satisfy assertNoRaw() alone).
132 $this->assertEscaped(strip_tags($this->xssTitleString));
133 $this->assertNoRaw($this->xssTitleString);
135 // Check for the basic meta tag.
// Pins the exact rendered markup, not just the absence of the payload.
136 $this->assertRaw($this->escapedXssTag);
137 $this->assertNoRaw($this->xssString);
139 // Check for the image meta tag.
140 $this->assertRaw($this->escapedXssImageTag);
141 $this->assertNoRaw($this->xssImageString);
145 * Verify XSS injected in the entity metatag override field is not rendered.
147 public function testXssEntityOverride() {
// Same payloads as testXssMetatagConfig(), but entered through the
// per-node Metatag field created in setUp() instead of the global config.
148 $this->drupalGet('node/add/metatag_node');
149 $this->assertResponse(200);
// The node title itself is random here so that only the field values carry
// the payloads.
151 'title[0][value]' => $this->randomString(32),
152 'field_metatag_field[0][basic][title]' => $this->xssTitleString,
153 'field_metatag_field[0][basic][abstract]' => $this->xssString,
154 'field_metatag_field[0][advanced][image_src]' => $this->xssImageString,
156 $this->drupalPostForm(NULL, $edit, t('Save and publish'));
158 // Check for the title tag, which will have the HTML tags removed and then
159 // be lightly HTML encoded.
// Positive (escaped form present) and negative (raw payload absent) checks
// are both needed: the negative one alone passes if the tag is simply not
// rendered.
160 $this->assertEscaped(strip_tags($this->xssTitleString));
161 $this->assertNoRaw($this->xssTitleString);
163 // Check for the basic meta tag.
164 $this->assertRaw($this->escapedXssTag);
165 $this->assertNoRaw($this->xssString);
167 // Check for the image meta tag.
168 $this->assertRaw($this->escapedXssImageTag);
169 $this->assertNoRaw($this->xssImageString);
173 * Verify XSS injected in the entity titles are not rendered.
175 public function testXssEntityTitle() {
// The node title (not the Metatag field) carries the payload; the title
// tag is derived from it, so this covers the entity-title path.
176 $this->drupalGet('node/add/metatag_node');
177 $this->assertResponse(200);
179 'title[0][value]' => $this->xssTitleString,
180 'body[0][value]' => $this->randomString() . ' ' . $this->randomString(),
182 $this->drupalPostForm(NULL, $edit, t('Save and publish'));
184 // Check for the title tag, which will have the HTML tags removed and then
185 // be lightly HTML encoded.
// Escaped form must be present and the raw payload absent — see
// testXssMetatagConfig() for why both assertions are required.
186 $this->assertEscaped(strip_tags($this->xssTitleString));
187 $this->assertNoRaw($this->xssTitleString);
191 * Verify XSS injected in the entity fields are not rendered.
193 public function testXssEntityBody() {
// The payload goes into the body field; the title is random.
194 $this->drupalGet('node/add/metatag_node');
195 $this->assertResponse(200);
197 'title[0][value]' => $this->randomString(),
198 'body[0][value]' => $this->xssTitleString,
200 $this->drupalPostForm(NULL, $edit, t('Save and publish'));
202 // Check the body text.
// NOTE(review): unlike the sibling tests, this method has only a negative
// assertion. It passes even if the body is not rendered at all. Consider
// also asserting the filtered/escaped form is present, e.g.
// `$this->assertEscaped(strip_tags($this->xssTitleString));` — TODO confirm
// what the body field's text format leaves of the value.
203 // $this->assertNoTitle($this->xssTitleString);
204 $this->assertNoRaw($this->xssTitleString);