function ExceptionHandlingTest::testExceptionEscaping
Same name in other branches
- 9 core/tests/Drupal/KernelTests/Core/Routing/ExceptionHandlingTest.php \Drupal\KernelTests\Core\Routing\ExceptionHandlingTest::testExceptionEscaping()
- 8.9.x core/tests/Drupal/KernelTests/Core/Routing/ExceptionHandlingTest.php \Drupal\KernelTests\Core\Routing\ExceptionHandlingTest::testExceptionEscaping()
- 11.x core/tests/Drupal/KernelTests/Core/Routing/ExceptionHandlingTest.php \Drupal\KernelTests\Core\Routing\ExceptionHandlingTest::testExceptionEscaping()
Tests exception message escaping.
File
- core/tests/Drupal/KernelTests/Core/Routing/ExceptionHandlingTest.php, line 188
Class
- ExceptionHandlingTest
- Tests the exception handling for various cases.
Namespace
Drupal\KernelTests\Core\Routing
Code
```php
public function testExceptionEscaping() : void {
  // Enable verbose error logging.
  $this->config('system.logging')
    ->set('error_level', ERROR_REPORTING_DISPLAY_VERBOSE)
    ->save();

  // Using \Drupal\Component\Render\FormattableMarkup.
  $request = Request::create('/router_test/test24');
  $request->setFormat('html', [
    'text/html',
  ]);

  /** @var \Symfony\Component\HttpKernel\HttpKernelInterface $kernel */
  $kernel = \Drupal::getContainer()->get('http_kernel');
  $response = $kernel->handle($request)
    ->prepare($request);
  $this->assertEquals(Response::HTTP_INTERNAL_SERVER_ERROR, $response->getStatusCode());
  $this->assertEquals('text/html; charset=UTF-8', $response->headers->get('Content-type'));

  // Test message is properly escaped, and that the unescaped string is not
  // output at all.
  $this->setRawContent($response->getContent());
  $this->assertRaw(Html::escape('Escaped content: <p> <br> <h3>'));
  $this->assertNoRaw('<p> <br> <h3>');

  $string = '<script>alert(123);</script>';
  $request = Request::create('/router_test/test2?_format=json' . urlencode($string), 'GET');

  $kernel = \Drupal::getContainer()->get('http_kernel');
  $response = $kernel->handle($request)
    ->prepare($request);
  // As the Content-type is text/plain the fact that the raw string is
  // contained in the output would not matter, but because it is output by the
  // final exception subscriber, it is printed as partial HTML, and hence
  // escaped.
  $this->assertEquals('text/plain; charset=UTF-8', $response->headers->get('Content-type'));
  // cspell:ignore jsonalert
  $this->assertStringStartsWith('Not acceptable format: jsonalert(123);', $response->getContent());
}
```