function EditorSecurityTest::testInitialSecurity
Same name in other branches
- 9 core/modules/editor/tests/src/Functional/EditorSecurityTest.php \Drupal\Tests\editor\Functional\EditorSecurityTest::testInitialSecurity()
- 8.9.x core/modules/editor/tests/src/Functional/EditorSecurityTest.php \Drupal\Tests\editor\Functional\EditorSecurityTest::testInitialSecurity()
- 11.x core/modules/editor/tests/src/Functional/EditorSecurityTest.php \Drupal\Tests\editor\Functional\EditorSecurityTest::testInitialSecurity()
Tests initial security: is the user safe without switching text formats?
Tests 8 scenarios. Tests only with a text editor that is not XSS-safe.
File
- core/modules/editor/tests/src/Functional/EditorSecurityTest.php, line 231
Class
- EditorSecurityTest
- Tests XSS protection for content creators when using text editors.
Namespace
Drupal\Tests\editor\Functional
Code
public function testInitialSecurity() : void {
  $expected = [
    [
      'node_id' => 1,
      'format' => 'restricted_without_editor',
      // No text editor => no XSS filtering.
      'value' => self::$sampleContent,
      'users' => [
        $this->untrustedUser,
        $this->privilegedUser,
      ],
    ],
    [
      'node_id' => 2,
      'format' => 'restricted_with_editor',
      // Text editor => XSS filtering.
      'value' => self::$sampleContentSecured,
      'users' => [
        $this->normalUser,
        $this->privilegedUser,
      ],
    ],
    [
      'node_id' => 3,
      'format' => 'restricted_plus_dangerous_tag_with_editor',
      // Text editor => XSS filtering.
      'value' => self::$sampleContentSecuredEmbedAllowed,
      'users' => [
        $this->trustedUser,
        $this->privilegedUser,
      ],
    ],
    [
      'node_id' => 4,
      'format' => 'unrestricted_without_editor',
      // No text editor => no XSS filtering.
      'value' => self::$sampleContent,
      'users' => [
        $this->privilegedUser,
      ],
    ],
    [
      'node_id' => 5,
      'format' => 'unrestricted_with_editor',
      // Text editor, no security filter => no XSS filtering.
      'value' => self::$sampleContent,
      'users' => [
        $this->privilegedUser,
      ],
    ],
  ];
  // Log in as each user that may edit the content, and assert the value.
  foreach ($expected as $case) {
    foreach ($case['users'] as $account) {
      $this->drupalLogin($account);
      $this->drupalGet('node/' . $case['node_id'] . '/edit');
      // Verify that the value is correctly filtered for XSS attack vectors.
      $this->assertSession()
        ->fieldValueEquals('edit-body-0-value', $case['value']);
    }
  }
}
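As an added illustration (not code from Drupal or from this test), a minimal allow-list filter in plain PHP that models the rule the five scenarios encode: content is filtered against the format's allowed tags only when the format has an editor that is not XSS-safe and the format restricts HTML. The function names, the sample markup and the tag lists are constructed; Drupal's real implementation lives in the editor module's own XSS filter.

```php
<?php
// Added illustration, not Drupal's code: Drupal's own filter is
// editor_filter_xss() with \Drupal\editor\EditorXssFilter\Standard (assumed names).

// Filtering applies only when the format has an editor, that editor is not
// XSS-safe, and the format restricts HTML (nothing to enforce in scenario 5).
function needsEditorXssFiltering(bool $hasEditor, bool $editorXssSafe, ?array $allowedTags): bool {
  return $hasEditor && !$editorXssSafe && $allowedTags !== NULL;
}

// Allow-list filter: drop script/style with their contents, unwrap other
// disallowed tags, strip on* handlers and javascript:/vbscript: URLs.
function filterForEditor(string $html, array $allowedTags): string {
  $dom = new DOMDocument();
  libxml_use_internal_errors(TRUE);
  $dom->loadHTML('<?xml encoding="UTF-8"><div id="wrap">' . $html . '</div>',
    LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
  libxml_clear_errors();
  $xpath = new DOMXPath($dom);
  // Snapshot the list and walk it in reverse so edits never disturb
  // nodes still to be visited (children are handled before parents).
  $nodes = iterator_to_array($xpath->query('//div[@id="wrap"]//*'), FALSE);
  foreach (array_reverse($nodes) as $el) {
    $tag = strtolower($el->nodeName);
    if ($tag === 'script' || $tag === 'style') {
      $el->parentNode->removeChild($el);
    }
    elseif (!in_array($tag, $allowedTags, TRUE)) {
      while ($el->firstChild) {
        $el->parentNode->insertBefore($el->firstChild, $el);
      }
      $el->parentNode->removeChild($el);
    }
    else {
      foreach (iterator_to_array($el->attributes, FALSE) as $attr) {
        if (strncasecmp($attr->name, 'on', 2) === 0
          || preg_match('/^\s*(javascript|vbscript):/i', $attr->value)) {
          $el->removeAttribute($attr->name);
        }
      }
    }
  }
  $out = '';
  foreach ($xpath->query('//div[@id="wrap"]')->item(0)->childNodes as $child) {
    $out .= $dom->saveHTML($child);
  }
  return $out;
}

// Constructed sample, not the test's $sampleContent; tags mirror the scenarios.
$sample = '<p onclick="x()">Hi</p><embed src="x.swf"><script>alert(1)</script>';
$restricted = ['p', 'a', 'em', 'strong'];
echo filterForEditor($sample, $restricted), "\n";                          // scenario 2
echo filterForEditor($sample, array_merge($restricted, ['embed'])), "\n";  // scenario 3
var_dump(needsEditorXssFiltering(FALSE, FALSE, $restricted));              // scenarios 1, 4
```

Scenario 3 differs from scenario 2 only in the allow-list: a format that explicitly permits a dangerous tag keeps it, which is why the test expects a separate `$sampleContentSecuredEmbedAllowed` value there.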