FilterSecurityTest.php

Same filename in other branches
  1. 8.9.x core/modules/filter/tests/src/Functional/FilterSecurityTest.php
  2. 10 core/modules/filter/tests/src/Functional/FilterSecurityTest.php
  3. 11.x core/modules/filter/tests/src/Functional/FilterSecurityTest.php

Namespace

Drupal\Tests\filter\Functional

File

core/modules/filter/tests/src/Functional/FilterSecurityTest.php

View source
<?php

namespace Drupal\Tests\filter\Functional;

use Drupal\filter\Entity\FilterFormat;
use Drupal\Tests\BrowserTestBase;
use Drupal\filter\Plugin\FilterInterface;
use Drupal\user\RoleInterface;

/**
 * Tests HTML filtering with missing or skipped filters or text formats.
 *
 * @group filter
 */
class FilterSecurityTest extends BrowserTestBase {
    
    /**
     * Modules to enable.
     *
     * @var array
     */
    protected static $modules = [
        'node',
        'filter_test',
    ];
    
    /**
     * {@inheritdoc}
     */
    protected $defaultTheme = 'stark';
    
    /**
     * A user with administrative permissions.
     *
     * @var \Drupal\user\UserInterface
     */
    protected $adminUser;
    
    /**
     * {@inheritdoc}
     */
    protected function setUp() : void {
        parent::setUp();
        // Create Basic page node type.
        $this->drupalCreateContentType([
            'type' => 'page',
            'name' => 'Basic page',
        ]);
        
        /** @var \Drupal\filter\Entity\FilterFormat $filtered_html_format */
        $filtered_html_format = FilterFormat::load('filtered_html');
        $filtered_html_permission = $filtered_html_format->getPermissionName();
        user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, [
            $filtered_html_permission,
        ]);
        $this->adminUser = $this->drupalCreateUser([
            'administer modules',
            'administer filters',
            'administer site configuration',
        ]);
        $this->drupalLogin($this->adminUser);
    }
    
    /**
     * Tests removal of filtered content when an active filter is disabled.
     *
     * Tests that filtered content is emptied when an actively used filter module
     * is disabled.
     */
    public function testDisableFilterModule() {
        // Create a new node.
        $node = $this->drupalCreateNode([
            'promote' => 1,
        ]);
        $body_raw = $node->body->value;
        $format_id = $node->body->format;
        $this->drupalGet('node/' . $node->id());
        $this->assertSession()
            ->pageTextContains($body_raw);
        // Enable the filter_test_replace filter.
        $edit = [
            'filters[filter_test_replace][status]' => 1,
        ];
        $this->drupalGet('admin/config/content/formats/manage/' . $format_id);
        $this->submitForm($edit, 'Save configuration');
        // Verify that filter_test_replace filter replaced the content.
        $this->drupalGet('node/' . $node->id());
        $this->assertSession()
            ->pageTextNotContains($body_raw);
        $this->assertSession()
            ->pageTextContains('Filter: Testing filter');
        // Disable the text format entirely.
        $this->drupalGet('admin/config/content/formats/manage/' . $format_id . '/disable');
        $this->submitForm([], 'Disable');
        // Verify that the content is empty, because the text format does not exist.
        $this->drupalGet('node/' . $node->id());
        $this->assertSession()
            ->pageTextNotContains($body_raw);
    }
    
    /**
     * Tests that security filters are enforced even when marked to be skipped.
     */
    public function testSkipSecurityFilters() {
        $text = "Text with some disallowed tags: <script />, <p><object>unicorn</object></p>, <i><table></i>.";
        $expected_filtered_text = "Text with some disallowed tags: , <p>unicorn</p>, .";
        $this->assertEquals($expected_filtered_text, check_markup($text, 'filtered_html', '', []), 'Expected filter result.');
        $this->assertEquals($expected_filtered_text, check_markup($text, 'filtered_html', '', [
            FilterInterface::TYPE_HTML_RESTRICTOR,
        ]), 'Expected filter result, even when trying to disable filters of the FilterInterface::TYPE_HTML_RESTRICTOR type.');
    }

}

Classes

Title Deprecated Summary
FilterSecurityTest Tests HTML filtering with missing or skipped filters or text formats.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.