function EditorSecurityTest::testInitialSecurity

Same name in other branches
  1. 9 core/modules/editor/tests/src/Functional/EditorSecurityTest.php \Drupal\Tests\editor\Functional\EditorSecurityTest::testInitialSecurity()
  2. 10 core/modules/editor/tests/src/Functional/EditorSecurityTest.php \Drupal\Tests\editor\Functional\EditorSecurityTest::testInitialSecurity()
  3. 11.x core/modules/editor/tests/src/Functional/EditorSecurityTest.php \Drupal\Tests\editor\Functional\EditorSecurityTest::testInitialSecurity()

Tests initial security: is the user safe without switching text formats?

Tests 8 scenarios. Tests only with a text editor that is not XSS-safe.

File

core/modules/editor/tests/src/Functional/EditorSecurityTest.php, line 229

Class

EditorSecurityTest
Tests XSS protection for content creators when using text editors.

Namespace

Drupal\Tests\editor\Functional

Code

public function testInitialSecurity() {
    $expected = [
        [
            'node_id' => 1,
            'format' => 'restricted_without_editor',
            // No text editor => no XSS filtering.
            'value' => self::$sampleContent,
            'users' => [
                $this->untrustedUser,
                $this->privilegedUser,
            ],
        ],
        [
            'node_id' => 2,
            'format' => 'restricted_with_editor',
            // Text editor => XSS filtering.
            'value' => self::$sampleContentSecured,
            'users' => [
                $this->normalUser,
                $this->privilegedUser,
            ],
        ],
        [
            'node_id' => 3,
            'format' => 'restricted_plus_dangerous_tag_with_editor',
            // Text editor => XSS filtering.
            'value' => self::$sampleContentSecuredEmbedAllowed,
            'users' => [
                $this->trustedUser,
                $this->privilegedUser,
            ],
        ],
        [
            'node_id' => 4,
            'format' => 'unrestricted_without_editor',
            // No text editor => no XSS filtering.
            'value' => self::$sampleContent,
            'users' => [
                $this->privilegedUser,
            ],
        ],
        [
            'node_id' => 5,
            'format' => 'unrestricted_with_editor',
            // Text editor, no security filter => no XSS filtering.
            'value' => self::$sampleContent,
            'users' => [
                $this->privilegedUser,
            ],
        ],
    ];
    // Log in as each user that may edit the content, and assert the value.
    foreach ($expected as $case) {
        foreach ($case['users'] as $account) {
            $this->drupalLogin($account);
            $this->drupalGet('node/' . $case['node_id'] . '/edit');
            $dom_node = $this->xpath('//textarea[@id="edit-body-0-value"]');
            $this->assertIdentical($case['value'], $dom_node[0]->getText(), 'The value was correctly filtered for XSS attack vectors.');
        }
    }
}
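The rule the comments in the test encode (a text editor attached to a format that has a security filter means the stored value is filtered before it is loaded into the editor; no editor, or an editor on a format with no security filter, means the stored value is loaded verbatim) as an added Python example. This is not Drupal's code: the format table, the sample body and the allowed-tag filter are constructed stand-ins for the test's fixtures, and the filter is a simplified tag and attribute strip rather than Drupal's Xss::filter.

```python
import re

# Constructed sample body standing in for self::$sampleContent, whose real
# value is defined elsewhere in EditorSecurityTest and not shown here.
SAMPLE_CONTENT = (
    '<p onclick="alert(1)">Hello</p>'
    '<script>alert(2)</script>'
    '<embed src="https://example.invalid/x">'
)

# Hypothetical configuration for the five formats named in the test:
# (editor attached?, allowed tags of the format's security filter, or None
# when the format has no HTML-restricting filter at all).
FORMATS = {
    'restricted_without_editor':                 (False, {'p'}),
    'restricted_with_editor':                    (True,  {'p'}),
    'restricted_plus_dangerous_tag_with_editor': (True,  {'p', 'embed'}),
    'unrestricted_without_editor':               (False, None),
    'unrestricted_with_editor':                  (True,  None),
}

_TAG_RE = re.compile(r'<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>')
_ATTR_RE = re.compile(
    r'''\s+([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?''')

def _clean_tag(match, allowed):
    closing, name, attrs = match.group(1), match.group(2).lower(), match.group(3)
    if name not in allowed:
        return ''  # disallowed tag is dropped; its text content is kept
    if closing:
        return f'</{name}>'
    kept = []
    for attr in _ATTR_RE.finditer(attrs):
        attr_name, attr_value = attr.group(1).lower(), attr.group(2)
        if attr_name.startswith('on'):
            continue  # event-handler attributes are never kept
        if attr_value and attr_value.strip('"\'').lower().lstrip().startswith('javascript:'):
            continue  # javascript: URLs are never kept
        kept.append(attr.group(0).strip())
    return '<' + ' '.join([name] + kept) + '>'

def filter_xss(html, allowed):
    """Keep only the allowed tags, with dangerous attributes removed."""
    return _TAG_RE.sub(lambda m: _clean_tag(m, allowed), html)

def value_loaded_into_editor(html, format_name):
    """The value the test expects in the edit form's textarea for a format."""
    has_editor, allowed = FORMATS[format_name]
    if not has_editor or allowed is None:
        return html  # no editor, or no security filter: no XSS filtering
    return filter_xss(html, allowed)
```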
