function LocaleStringIsSafeTest::testLocalizedTokenizedString

Same name in other branches
  1. 8.9.x core/modules/locale/tests/src/Kernel/LocaleStringIsSafeTest.php \Drupal\Tests\locale\Kernel\LocaleStringIsSafeTest::testLocalizedTokenizedString()
  2. 10 core/modules/locale/tests/src/Kernel/LocaleStringIsSafeTest.php \Drupal\Tests\locale\Kernel\LocaleStringIsSafeTest::testLocalizedTokenizedString()
  3. 11.x core/modules/locale/tests/src/Kernel/LocaleStringIsSafeTest.php \Drupal\Tests\locale\Kernel\LocaleStringIsSafeTest::testLocalizedTokenizedString()

Tests if a translated and tokenized string is properly escaped by Twig.

In each assert* call we add a new line at the expected result to match the newline at the end of the template file.

File

core/modules/locale/tests/src/Kernel/LocaleStringIsSafeTest.php, line 53

Class

LocaleStringIsSafeTest
Tests locale translation safe string handling.

Namespace

Drupal\Tests\locale\Kernel

Code

public function testLocalizedTokenizedString() {
    $tests_to_do = [
        1 => [
            'original' => 'Go to the <a href="[locale_test:security_test1]">frontpage</a>',
            'replaced' => 'Go to the &lt;a href=&quot;javascript:alert(&amp;#039;Mooooh!&amp;#039;);&quot;&gt;frontpage&lt;/a&gt;',
        ],
        2 => [
            'original' => 'Hello <strong>[locale_test:security_test2]</strong>!',
            'replaced' => 'Hello &lt;strong&gt;&amp;lt;script&amp;gt;alert(&amp;#039;Mooooh!&amp;#039;);&amp;lt;/script&amp;gt;&lt;/strong&gt;!',
        ],
    ];
    foreach ($tests_to_do as $i => $test) {
        $original_string = $test['original'];
        $rendered_original_string = \Drupal::theme()->render('locale_test_tokenized', [
            'content' => $original_string,
        ]);
        // Twig assumes that strings are unsafe so it escapes them, and so the
        // original and the rendered version should be different.
        $this->assertNotEquals($original_string . "\n", $rendered_original_string, 'Security test ' . $i . ' before translation');
        // Pass the original string to the t() function to get it marked as safe.
        $safe_string = t($original_string);
        $rendered_safe_string = \Drupal::theme()->render('locale_test_tokenized', [
            'content' => $safe_string,
        ]);
        // t() function always marks the string as safe so it won't be escaped,
        // and should be the same as the original.
        $this->assertEquals($original_string . "\n", $rendered_safe_string, 'Security test ' . $i . ' after translation before token replacement');
        // Replace tokens in the safe string to inject it with dangerous content.
        // @see locale_test_tokens().
        $unsafe_string = \Drupal::token()->replace($safe_string);
        $rendered_unsafe_string = \Drupal::theme()->render('locale_test_tokenized', [
            'content' => $unsafe_string,
        ]);
        // Token replacement changes the string so it is not marked as safe
        // anymore. Check it is escaped the way we expect.
        $this->assertEquals($test['replaced'] . "\n", $rendered_unsafe_string, 'Security test ' . $i . ' after translation  after token replacement');
    }
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.