function ExceptionHandlingTest::testExceptionEscaping

Tests exception message escaping.

File

core/tests/Drupal/KernelTests/Core/Routing/ExceptionHandlingTest.php, line 188

Class

ExceptionHandlingTest

Tests the exception handling for various cases.

Namespace

Code

public function testExceptionEscaping() : void {
  // Enable verbose error logging.
  $this->config('system.logging')
    ->set('error_level', ERROR_REPORTING_DISPLAY_VERBOSE)
    ->save();
  // Using \Drupal\Component\Render\FormattableMarkup.
  $request = Request::create('/router_test/test24');
  $request->setFormat('html', [
    'text/html',
  ]);
  /** @var \Symfony\Component\HttpKernel\HttpKernelInterface $kernel */
  $kernel = \Drupal::getContainer()->get('http_kernel');
  $response = $kernel->handle($request)
    ->prepare($request);
  $this->assertEquals(Response::HTTP_INTERNAL_SERVER_ERROR, $response->getStatusCode());
  $this->assertEquals('text/html; charset=UTF-8', $response->headers
    ->get('Content-type'));
  // Test message is properly escaped, and that the unescaped string is not
  // output at all.
  $this->setRawContent($response->getContent());
  $this->assertRaw(Html::escape('Escaped content: <p> <br> <h3>'));
  $this->assertNoRaw('<p> <br> <h3>');
  $string = '<script>alert(123);</script>';
  $request = Request::create('/router_test/test2?_format=json' . urlencode($string), 'GET');
  $kernel = \Drupal::getContainer()->get('http_kernel');
  $response = $kernel->handle($request)
    ->prepare($request);
  // As the Content-type is text/plain the fact that the raw string is
  // contained in the output would not matter, but because it is output by the
  // final exception subscriber, it is printed as partial HTML, and hence
  // escaped.
  $this->assertEquals('text/plain; charset=UTF-8', $response->headers
    ->get('Content-type'));
  // cspell:ignore jsonalert
  $this->assertStringStartsWith('Not acceptable format: jsonalert(123);', $response->getContent());
}