function SearchCommentTest::testSearchResultsComment

Same name in other branches
  1. 9 core/modules/search/tests/src/Functional/SearchCommentTest.php \Drupal\Tests\search\Functional\SearchCommentTest::testSearchResultsComment()
  2. 8.9.x core/modules/search/tests/src/Functional/SearchCommentTest.php \Drupal\Tests\search\Functional\SearchCommentTest::testSearchResultsComment()
  3. 11.x core/modules/search/tests/src/Functional/SearchCommentTest.php \Drupal\Tests\search\Functional\SearchCommentTest::testSearchResultsComment()

Verify that comments are rendered using proper format in search results.

File

core/modules/search/tests/src/Functional/SearchCommentTest.php, line 101

Class

SearchCommentTest
Tests integration searching comments.

Namespace

Drupal\Tests\search\Functional

Code

public function testSearchResultsComment() : void {
    $node_storage = $this->container
        ->get('entity_type.manager')
        ->getStorage('node');
    // Create basic_html format that escapes all HTML.
    $basic_html_format = FilterFormat::create([
        'format' => 'basic_html',
        'name' => 'Basic HTML',
        'weight' => 1,
        'filters' => [
            'filter_html_escape' => [
                'status' => 1,
            ],
        ],
        'roles' => [
            RoleInterface::AUTHENTICATED_ID,
        ],
    ]);
    $basic_html_format->save();
    $comment_body = 'Test comment body';
    // Make preview optional.
    $field = FieldConfig::loadByName('node', 'article', 'comment');
    $field->setSetting('preview', DRUPAL_OPTIONAL);
    $field->save();
    // Allow anonymous users to search content.
    $edit = [
        RoleInterface::ANONYMOUS_ID . '[search content]' => 1,
        RoleInterface::ANONYMOUS_ID . '[access comments]' => 1,
        RoleInterface::ANONYMOUS_ID . '[post comments]' => 1,
    ];
    $this->drupalGet('admin/people/permissions');
    $this->submitForm($edit, 'Save permissions');
    // Create a node.
    $node = $this->drupalCreateNode([
        'type' => 'article',
    ]);
    // Post a comment using 'Full HTML' text format.
    $edit_comment = [];
    $edit_comment['subject[0][value]'] = 'Test comment subject';
    $edit_comment['comment_body[0][value]'] = '<h1>' . $comment_body . '</h1>';
    $full_html_format_id = 'full_html';
    $edit_comment['comment_body[0][format]'] = $full_html_format_id;
    $this->drupalGet('comment/reply/node/' . $node->id() . '/comment');
    $this->submitForm($edit_comment, 'Save');
    // Post a comment with an evil script tag in the comment subject and a
    // script tag nearby a keyword in the comment body. Use the 'FULL HTML' text
    // format so the script tag stored.
    $edit_comment2 = [];
    $edit_comment2['subject[0][value]'] = "<script>alert('subject_keyword');</script>";
    $edit_comment2['comment_body[0][value]'] = "nearby-keyword<script>alert('something generic');</script>";
    $edit_comment2['comment_body[0][format]'] = $full_html_format_id;
    $this->drupalGet('comment/reply/node/' . $node->id() . '/comment');
    $this->submitForm($edit_comment2, 'Save');
    // Post a comment with a keyword inside an evil script tag in the comment
    // body. Use the 'FULL HTML' text format so the script tag is stored.
    $edit_comment3 = [];
    $edit_comment3['subject[0][value]'] = 'a subject';
    $edit_comment3['comment_body[0][value]'] = "<script>alert('inside-keyword');</script>";
    $edit_comment3['comment_body[0][format]'] = $full_html_format_id;
    $this->drupalGet('comment/reply/node/' . $node->id() . '/comment');
    $this->submitForm($edit_comment3, 'Save');
    // Invoke search index update.
    $this->drupalLogout();
    $this->cronRun();
    // Search for the comment subject.
    $edit = [
        'keys' => "'" . $edit_comment['subject[0][value]'] . "'",
    ];
    $this->drupalGet('search/node');
    $this->submitForm($edit, 'Search');
    $node_storage->resetCache([
        $node->id(),
    ]);
    $node2 = $node_storage->load($node->id());
    $this->assertSession()
        ->pageTextContains($node2->label());
    $this->assertSession()
        ->pageTextContains($edit_comment['subject[0][value]']);
    // Search for the comment body.
    $edit = [
        'keys' => "'" . $comment_body . "'",
    ];
    $this->submitForm($edit, 'Search');
    $this->assertSession()
        ->pageTextContains($node2->label());
    // Verify that comment is rendered using proper format.
    $this->assertSession()
        ->pageTextContains($comment_body);
    // Verify that HTML in comment body is not hidden.
    $this->assertSession()
        ->pageTextNotContains('n/a');
    $this->assertSession()
        ->assertNoEscaped($edit_comment['comment_body[0][value]']);
    // Search for the evil script comment subject.
    $edit = [
        'keys' => 'subject_keyword',
    ];
    $this->drupalGet('search/node');
    $this->submitForm($edit, 'Search');
    // Verify the evil comment subject is escaped in search results.
    $this->assertSession()
        ->responseContains('&lt;script&gt;alert(&#039;<strong>subject_keyword</strong>&#039;);');
    $this->assertSession()
        ->responseNotContains('<script>');
    // Search for the keyword near the evil script tag in the comment body.
    $edit = [
        'keys' => 'nearby-keyword',
    ];
    $this->drupalGet('search/node');
    $this->submitForm($edit, 'Search');
    // Verify that nearby script tag in the evil comment body is stripped from
    // search results.
    $this->assertSession()
        ->responseContains('<strong>nearby-keyword</strong>');
    $this->assertSession()
        ->responseNotContains('<script>');
    // Search for contents inside the evil script tag in the comment body.
    $edit = [
        'keys' => 'inside-keyword',
    ];
    $this->drupalGet('search/node');
    $this->submitForm($edit, 'Search');
    // @todo Verify the actual search results.
    //   https://www.drupal.org/node/2551135
    // Verify there is no script tag in search results.
    $this->assertSession()
        ->responseNotContains('<script>');
    // Hide comments.
    $this->drupalLogin($this->adminUser);
    $node->set('comment', CommentItemInterface::HIDDEN);
    $node->save();
    // Invoke search index update.
    $this->drupalLogout();
    $this->cronRun();
    // Search for $title.
    $this->drupalGet('search/node');
    $this->submitForm($edit, 'Search');
    $this->assertSession()
        ->pageTextContains('Your search yielded no results.');
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.