function DisplayTest::testDisplayTitleInButtonsXss

Same name in other branches
  1. 9 core/modules/views_ui/tests/src/Functional/DisplayTest.php \Drupal\Tests\views_ui\Functional\DisplayTest::testDisplayTitleInButtonsXss()
  2. 10 core/modules/views_ui/tests/src/Functional/DisplayTest.php \Drupal\Tests\views_ui\Functional\DisplayTest::testDisplayTitleInButtonsXss()
  3. 11.x core/modules/views_ui/tests/src/Functional/DisplayTest.php \Drupal\Tests\views_ui\Functional\DisplayTest::testDisplayTitleInButtonsXss()

Ensures that no XSS is possible for buttons.

File

core/modules/views_ui/tests/src/Functional/DisplayTest.php, line 208

Class

DisplayTest
Tests the display UI.

Namespace

Drupal\Tests\views_ui\Functional

Code

public function testDisplayTitleInButtonsXss() {
    $xss_markup = '"><script>alert(123)</script>';
    $view = $this->randomView();
    $view = View::load($view['id']);
    \Drupal::configFactory()->getEditable('views.settings')
        ->set('ui.show.master_display', TRUE)
        ->save();
    foreach ([
        $xss_markup,
        '&quot;><script>alert(123)</script>',
    ] as $input) {
        $display =& $view->getDisplay('page_1');
        $display['display_title'] = $input;
        $view->save();
        $this->drupalGet("admin/structure/views/view/{$view->id()}");
        $escaped = views_ui_truncate($input, 25);
        $this->assertEscaped($escaped);
        $this->assertNoRaw($xss_markup);
        $this->drupalGet("admin/structure/views/view/{$view->id()}/edit/page_1");
        $this->assertEscaped("View {$escaped}");
        $this->assertNoRaw("View {$xss_markup}");
        $this->assertEscaped("Duplicate {$escaped}");
        $this->assertNoRaw("Duplicate {$xss_markup}");
        $this->assertEscaped("Delete {$escaped}");
        $this->assertNoRaw("Delete {$xss_markup}");
    }
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.