function DisplayTest::testDisplayTitleInButtonsXss

Ensures that no XSS is possible for buttons.

File

core/modules/views_ui/tests/src/Functional/DisplayTest.php, line 219

Class

DisplayTest

Tests the display UI.

Namespace

Code

public function testDisplayTitleInButtonsXss() : void {
  $xss_markup = '"><script>alert(123)</script>';
  $view = $this->randomView();
  $view = View::load($view['id']);
  \Drupal::configFactory()->getEditable('views.settings')
    ->set('ui.show.default_display', TRUE)
    ->save();
  foreach ([
    $xss_markup,
    '&quot;><script>alert(123)</script>',
  ] as $input) {
    $display =& $view->getDisplay('page_1');
    $display['display_title'] = $input;
    $view->save();
    $this->drupalGet("admin/structure/views/view/{$view->id()}");
    $escaped = Unicode::truncate($input, 25, FALSE, TRUE);
    $this->assertSession()
      ->assertEscaped($escaped);
    $this->assertSession()
      ->responseNotContains($xss_markup);
    $this->drupalGet("admin/structure/views/view/{$view->id()}/edit/page_1");
    $this->assertSession()
      ->assertEscaped("View {$escaped}");
    $this->assertSession()
      ->responseNotContains("View {$xss_markup}");
    $this->assertSession()
      ->assertEscaped("Duplicate {$escaped}");
    $this->assertSession()
      ->responseNotContains("Duplicate {$xss_markup}");
    $this->assertSession()
      ->assertEscaped("Delete {$escaped}");
    $this->assertSession()
      ->responseNotContains("Delete {$xss_markup}");
  }
}