function DisplayTest::testDisplayTitleInButtonsXss
Same name in other branches
- 8.9.x core/modules/views_ui/tests/src/Functional/DisplayTest.php \Drupal\Tests\views_ui\Functional\DisplayTest::testDisplayTitleInButtonsXss()
- 10 core/modules/views_ui/tests/src/Functional/DisplayTest.php \Drupal\Tests\views_ui\Functional\DisplayTest::testDisplayTitleInButtonsXss()
- 11.x core/modules/views_ui/tests/src/Functional/DisplayTest.php \Drupal\Tests\views_ui\Functional\DisplayTest::testDisplayTitleInButtonsXss()
Ensures that no XSS is possible for buttons.
File
core/modules/views_ui/tests/src/Functional/DisplayTest.php, line 217
Class
- DisplayTest
- Tests the display UI.
Namespace
Drupal\Tests\views_ui\Functional
Code
  public function testDisplayTitleInButtonsXss() {
    // Payload that would execute if a display title were ever rendered unescaped.
    $xss_markup = '"><script>alert(123)</script>';
    $view = $this->randomView();
    // Reload as a full View entity (\Drupal\views\Entity\View) so it can be edited and saved.
    $view = View::load($view['id']);
    \Drupal::configFactory()->getEditable('views.settings')
      ->set('ui.show.default_display', TRUE)
      ->save();

    // Check both the raw payload and an entity-encoded variant of the same payload,
    // so that decoding of stored entities before output is covered as well.
    foreach ([
      $xss_markup,
      '&quot;><script>alert(123)</script>',
    ] as $input) {
      $display =& $view->getDisplay('page_1');
      $display['display_title'] = $input;
      $view->save();

      // The views listing page truncates the title before rendering it.
      $this->drupalGet("admin/structure/views/view/{$view->id()}");
      $escaped = views_ui_truncate($input, 25);
      $this->assertSession()
        ->assertEscaped($escaped);
      $this->assertSession()
        ->responseNotContains($xss_markup);

      // The display edit page renders the title inside the View / Duplicate / Delete buttons.
      $this->drupalGet("admin/structure/views/view/{$view->id()}/edit/page_1");
      $this->assertSession()
        ->assertEscaped("View {$escaped}");
      $this->assertSession()
        ->responseNotContains("View {$xss_markup}");
      $this->assertSession()
        ->assertEscaped("Duplicate {$escaped}");
      $this->assertSession()
        ->responseNotContains("Duplicate {$xss_markup}");
      $this->assertSession()
        ->assertEscaped("Delete {$escaped}");
      $this->assertSession()
        ->responseNotContains("Delete {$xss_markup}");
    }
  }
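The following is an added example, not Drupal core code, that replays the two assertions from the test above outside Drupal. The `truncate_title()` and `escape_html()` helpers are stand-ins (assumptions) for `views_ui_truncate()` and `Html::escape()`, and `render_buttons_safe()` / `render_buttons_unsafe()` are hypothetical templates for the View / Duplicate / Delete buttons; they exist only to show which of the two assertions actually proves the output is escaped.

```php
<?php
// Added example (not Drupal core code): replays the test's assertions against a
// safe template (label escaped) and a defective one (label interpolated raw).
// truncate_title() approximates views_ui_truncate() and escape_html()
// approximates \Drupal\Component\Utility\Html::escape(); both are assumptions.
declare(strict_types=1);

/** Approximation of views_ui_truncate(): cut to $length characters, append an ellipsis. */
function truncate_title(string $string, int $length): string {
  if (mb_strlen($string) > $length) {
    $string = mb_substr($string, 0, $length) . '…';
  }
  return $string;
}

/** Approximation of Html::escape(): escape for insertion into HTML text or attributes. */
function escape_html(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical safe template: the truncated title is escaped before interpolation. */
function render_buttons_safe(string $display_title): string {
  $label = escape_html(truncate_title($display_title, 25));
  return implode("\n", [
    "<a class=\"button\">View {$label}</a>",
    "<a class=\"button\">Duplicate {$label}</a>",
    "<a class=\"button\">Delete {$label}</a>",
  ]);
}

/** Hypothetical defective template: the truncated title is interpolated unescaped. */
function render_buttons_unsafe(string $display_title): string {
  $label = truncate_title($display_title, 25);
  return implode("\n", [
    "<a class=\"button\">View {$label}</a>",
    "<a class=\"button\">Duplicate {$label}</a>",
    "<a class=\"button\">Delete {$label}</a>",
  ]);
}

/**
 * Mirrors the test's pair of checks for one button prefix:
 * assertEscaped("<prefix> <truncated>") and responseNotContains("<prefix> <raw>").
 */
function check_response(string $response, string $input, string $prefix): array {
  $escaped = escape_html(truncate_title($input, 25));
  return [
    'escaped_present' => str_contains($response, "{$prefix} {$escaped}"),
    'raw_absent' => !str_contains($response, "{$prefix} {$input}"),
  ];
}

// The same two inputs the test uses: the raw payload and its entity-encoded variant.
$inputs = ['"><script>alert(123)</script>', '&quot;><script>alert(123)</script>'];

foreach ($inputs as $input) {
  $responses = [
    'safe' => render_buttons_safe($input),
    'unsafe' => render_buttons_unsafe($input),
  ];
  foreach ($responses as $name => $html) {
    foreach (['View', 'Duplicate', 'Delete'] as $prefix) {
      $r = check_response($html, $input, $prefix);
      printf("%-6s %-9s escaped_present=%-5s raw_absent=%s\n", $name, $prefix,
        var_export($r['escaped_present'], TRUE), var_export($r['raw_absent'], TRUE));
    }
  }
}
```

Running this shows why the test pairs the two assertions: for the safe template both checks pass, but for the defective template `raw_absent` is still true, because a 25-character truncation cuts the closing `</script>` off both payloads before they are interpolated. `responseNotContains()` on its own would therefore pass against an unescaped template; it is `assertEscaped()`, which requires the entity-encoded form (`&quot;&gt;&lt;script&gt;...`) to be present in the response, that actually proves the title went through escaping.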