Updated Drupal to 8.6. This goes with the following updates because it's possible...

[yaffs-website] / web / core / modules / system / tests / src / Functional / Form / ElementsLabelsTest.php

diff --git a/web/core/modules/system/tests/src/Functional/Form/ElementsLabelsTest.php b/web/core/modules/system/tests/src/Functional/Form/ElementsLabelsTest.php
index 6747ed63fb108b3c1d38c86b0325e8239b589e33..91f3ec4a59d47d3d1e35b380ae4a5655c38fd62e 100644 (file)
--- a/web/core/modules/system/tests/src/Functional/Form/ElementsLabelsTest.php
+++ b/web/core/modules/system/tests/src/Functional/Form/ElementsLabelsTest.php
@@ -2,6 +2,7 @@
 
 namespace Drupal\Tests\system\Functional\Form;
 
+use Drupal\form_test\Form\FormTestLabelForm;
 use Drupal\Tests\BrowserTestBase;
 
 /**
@@ -96,6 +97,17 @@ class ElementsLabelsTest extends BrowserTestBase {
     $this->assertTrue(!empty($elements), "Title/Label not displayed when 'visually-hidden' attribute is set in radios.");
   }
 
+  /**
+   * Tests XSS-protection of element labels.
+   */
+  public function testTitleEscaping() {
+    $this->drupalGet('form_test/form-labels');
+    foreach (FormTestLabelForm::$typesWithTitle as $type) {
+      $this->assertSession()->responseContains("$type alert('XSS') is XSS filtered!");
+      $this->assertSession()->responseNotContains("$type <script>alert('XSS')</script> is XSS filtered!");
+    }
+  }
+
   /**
    * Tests different display options for form element descriptions.
    */