function PageTitleTest::testTitleXSS
Same name in other branches
- 9 core/modules/system/tests/src/Functional/System/PageTitleTest.php \Drupal\Tests\system\Functional\System\PageTitleTest::testTitleXSS()
- 8.9.x core/modules/system/tests/src/Functional/System/PageTitleTest.php \Drupal\Tests\system\Functional\System\PageTitleTest::testTitleXSS()
- 11.x core/modules/system/tests/src/Functional/System/PageTitleTest.php \Drupal\Tests\system\Functional\System\PageTitleTest::testTitleXSS()
Tests if the title of the site is XSS proof.
File
- core/modules/system/tests/src/Functional/System/PageTitleTest.php, line 77
Class
- PageTitleTest
- Tests HTML output escaping of page title, site name, and slogan.
Namespace
- Drupal\Tests\system\Functional\System
Code
public function testTitleXSS() : void {
  // Set some title with JavaScript and HTML chars to escape.
  $title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
  $title_filtered = Html::escape($title);
  $slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
  $slogan_filtered = Xss::filterAdmin($slogan);

  // Set title and slogan.
  $edit = [
    'site_name' => $title,
    'site_slogan' => $slogan,
  ];
  $this->drupalGet('admin/config/system/site-information');
  $this->submitForm($edit, 'Save configuration');

  // Place branding block with site name and slogan into header region.
  $this->drupalPlaceBlock('system_branding_block', [
    'region' => 'header',
  ]);

  // Load frontpage.
  $this->drupalGet('');

  // Test the title, checking for the lack of the unfiltered version of the
  // title.
  $this->assertSession()
    ->responseNotContains($title);

  // Add </title> to make sure we're checking the title tag, rather than the
  // first 'heading' on the page.
  $this->assertSession()
    ->responseContains($title_filtered . '</title>');

  // Test the slogan.
  // Check the unfiltered version of the slogan is missing.
  $this->assertSession()
    ->responseNotContains($slogan);

  // Check for the filtered version of the slogan.
  $this->assertSession()
    ->responseContains($slogan_filtered);
}
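The title half of the test checks two things: the raw site name must not appear anywhere in the response, and the escaped form must be followed directly by the real closing tag, which proves the injected `</title>` did not end the element early. The following standalone PHP script (an added example, not Drupal core code) reproduces that check without a Drupal install. It assumes, as Drupal's `Html::escape()` does, that full escaping means `htmlspecialchars()` with `ENT_QUOTES | ENT_SUBSTITUTE` and UTF-8; the `renderHead()` and `titleIsSafe()` helpers are hypothetical stand-ins for the page template and the test's two assertions. The slogan half, which relies on `Xss::filterAdmin()`, is not reproduced here.

```php
<?php
// Added example: why the <title> must be fully escaped rather than only
// stripped of <script>. Mirrors the title assertions in testTitleXSS().
declare(strict_types=1);

/**
 * Equivalent of \Drupal\Component\Utility\Html::escape() (assumption: a thin
 * wrapper around htmlspecialchars() with these flags).
 */
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hypothetical stand-in for the page template: renders the <head> fragment
 * for a site name, with or without escaping.
 */
function renderHead(string $siteName, bool $escape): string
{
    $value = $escape ? escapeForHtml($siteName) : $siteName;
    return "<head><title>{$value}</title></head>";
}

/**
 * The two title assertions from the test: the raw string is absent from the
 * response, and the escaped string is followed directly by the genuine
 * closing tag (so nothing broke out of the element).
 */
function titleIsSafe(string $siteName, string $response): bool
{
    $escaped = escapeForHtml($siteName);
    return !str_contains($response, $siteName)
        && str_contains($response, $escaped . '</title>');
}

// Constructed input: the same site name the test saves, which tries to close
// <title> early and then inject a script element.
$title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';

$unsafe = renderHead($title, false);
$safe = renderHead($title, true);

// The unescaped page contains two </title> tags, so everything after the
// first one is parsed outside the title element; the escaped page has one.
printf("unescaped: %d </title> tag(s), safe=%s\n",
    substr_count($unsafe, '</title>'), var_export(titleIsSafe($title, $unsafe), true));
printf("escaped:   %d </title> tag(s), safe=%s\n",
    substr_count($safe, '</title>'), var_export(titleIsSafe($title, $safe), true));
```

Run with `php example.php` (PHP 8 or later for `str_contains()`). The first line reports two closing tags and `safe=false`; the second reports one closing tag and `safe=true`. The point the test makes, and this script illustrates, is that the `</title>` context needs complete entity escaping: a filter that only removes `<script>` would still let the string close the title element and leave the remaining text in the page body.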