alert("xss");'; /** * String that causes an alert when metatags aren't filtered for xss. * * @var string */ private $xssString = '">adminUser = $this->drupalCreateUser($admin_permissions); $this->drupalLogin($this->adminUser); // Set up a content type. $this->drupalCreateContentType(['type' => 'metatag_node', 'name' => 'Test Content Type']); // Add a metatag field to the content type. $this->drupalGet('admin/structure/types/manage/metatag_node/fields/add-field'); $this->assertResponse(200); $edit = [ 'label' => 'Metatag', 'field_name' => 'metatag_field', 'new_storage_type' => 'metatag', ]; $this->drupalPostForm(NULL, $edit, t('Save and continue')); $this->drupalPostForm(NULL, [], t('Save field settings')); }

  /**
   * Saves XSS payloads as the global metatag defaults and checks the output.
   *
   * The three fixture strings are stored through the global metatag config
   * form, then the Views-based front page is loaded and inspected: the raw
   * payloads must be absent and only their escaped forms may appear.
   */
  public function testXssMetatagConfig() {
    $this->drupalGet('admin/config/search/metatag/global');
    $globalDefaults = [
      'title' => $this->xssTitleString,
      'abstract' => $this->xssString,
      'image_src' => $this->xssImageString,
    ];
    $this->drupalPostForm(NULL, $globalDefaults, 'Save');
    $this->assertText('Saved the Global Metatag defaults.');

    // Rebuild before rendering; presumably needed so the freshly saved
    // defaults are applied to the next page load.
    $this->rebuildAll();

    // The Views-based front page; with no content it shows its empty text.
    $this->drupalGet('node');
    $this->assertResponse(200);
    $this->assertText(t('No front page content has been created yet.'));

    // Raw payloads must never reach the page.
    $this->assertNoRaw($this->xssTitleString);
    $this->assertNoRaw($this->xssString);
    $this->assertNoRaw($this->xssImageString);

    // Escaped forms: the title with its HTML tags stripped and then lightly
    // encoded, and the pre-built escaped tag fixtures for the other two tags.
    $this->assertEscaped(strip_tags($this->xssTitleString));
    $this->assertRaw($this->escapedXssTag);
    $this->assertRaw($this->escapedXssImageTag);
  }

  /**
   * Verify XSS injected in the entity metatag override field is not rendered.
*/
  public function testXssEntityOverride() {
    $this->drupalGet('node/add/metatag_node');
    $nodeForm = [
      'title[0][value]' => $this->randomString(32),
      'field_metatag_field[0][basic][title]' => $this->xssTitleString,
      'field_metatag_field[0][basic][abstract]' => $this->xssString,
      'field_metatag_field[0][advanced][image_src]' => $this->xssImageString,
    ];
    $this->drupalPostForm(NULL, $nodeForm, t('Save and publish'));

    // Raw payloads must never reach the rendered node page.
    $this->assertNoRaw($this->xssTitleString);
    $this->assertNoRaw($this->xssString);
    $this->assertNoRaw($this->xssImageString);

    // Escaped forms: the title with its HTML tags stripped and then lightly
    // encoded, and the pre-built escaped tag fixtures for the other two tags.
    $this->assertEscaped(strip_tags($this->xssTitleString));
    $this->assertRaw($this->escapedXssTag);
    $this->assertRaw($this->escapedXssImageTag);
  }

  /**
   * Posts an XSS payload as the node title and checks the rendered title tag.
   */
  public function testXssEntityTitle() {
    $this->drupalGet('node/add/metatag_node');
    $bodyText = $this->randomString() . ' ' . $this->randomString();
    $this->drupalPostForm(NULL, [
      'title[0][value]' => $this->xssTitleString,
      'body[0][value]' => $bodyText,
    ], t('Save and publish'));

    // The title tag is expected to carry the payload with its HTML tags
    // stripped and then lightly encoded; the raw payload must be absent.
    $this->assertNoRaw($this->xssTitleString);
    $this->assertEscaped(strip_tags($this->xssTitleString));
  }

  /**
   * Posts an XSS payload as the node body and checks it is not echoed raw.
   */
  public function testXssEntityBody() {
    $this->drupalGet('node/add/metatag_node');
    $this->drupalPostForm(NULL, [
      'title[0][value]' => $this->randomString(),
      'body[0][value]' => $this->xssTitleString,
    ], t('Save and publish'));

    // Only a negative check is made here: the raw payload must not appear
    // anywhere in the response. NOTE(review): a node that failed to save
    // would also satisfy this assertion - confirm the save succeeds if this
    // test is extended.
    $this->assertNoRaw($this->xssTitleString);
  }

}