function EditorSecurityTest::setUp


Overrides BrowserTestBase::setUp

File

core/modules/editor/tests/src/Functional/EditorSecurityTest.php, line 79

Class

EditorSecurityTest
Tests XSS protection for content creators when using text editors.

Namespace

Drupal\Tests\editor\Functional

Code

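/**
 * {@inheritdoc}
 *
 * Builds the fixtures the XSS tests run against: five text formats (three
 * "restricted" ones carrying an HTML-restricting output filter, two
 * "unrestricted" ones with no filters at all), the "unicorn" text editor
 * attached to three of them, the "article" node type, four users whose
 * permissions map onto those formats, and one article node per format that
 * holds the same sample content.
 */
protected function setUp() {
    parent::setUp();
    // Create 5 text formats, to cover all potential use cases:
    //  1. restricted_without_editor (untrusted: anonymous)
    //  2. restricted_with_editor (normal: authenticated)
    //  3. restricted_plus_dangerous_tag_with_editor (privileged: trusted)
    //  4. unrestricted_without_editor (privileged: admin)
    //  5. unrestricted_with_editor (privileged: admin)
    // With text formats 2, 3 and 5, we also associate a text editor that does
    // not guarantee XSS safety. "restricted" means the text format has XSS
    // filters on output, "unrestricted" means the opposite. Format 3 differs
    // from format 2 only in additionally allowing <embed>, the "dangerous
    // tag" that an output filter would otherwise strip.
    $safeTags = '<h2> <h3> <h4> <h5> <h6> <p> <br> <strong> <a>';
    $this->createTextFormat(
        'restricted_without_editor',
        'Restricted HTML, without text editor',
        0,
        $this->restrictedHtmlFilter($safeTags)
    );
    $this->createTextFormat(
        'restricted_with_editor',
        'Restricted HTML, with text editor',
        1,
        $this->restrictedHtmlFilter($safeTags)
    );
    $this->attachEditor('restricted_with_editor');
    $this->createTextFormat(
        'restricted_plus_dangerous_tag_with_editor',
        'Restricted HTML, dangerous tag allowed, with text editor',
        1,
        $this->restrictedHtmlFilter($safeTags . ' <embed>')
    );
    $this->attachEditor('restricted_plus_dangerous_tag_with_editor');
    // An empty filter list means nothing is stripped on output.
    $this->createTextFormat(
        'unrestricted_without_editor',
        'Unrestricted HTML, without text editor',
        0,
        []
    );
    $this->createTextFormat(
        'unrestricted_with_editor',
        'Unrestricted HTML, with text editor',
        1,
        []
    );
    $this->attachEditor('unrestricted_with_editor');
    // Create node type.
    $this->drupalCreateContentType([
        'type' => 'article',
        'name' => 'Article',
    ]);
    // Create 4 users, each with access to different text formats/editors:
    //   - "untrusted": restricted_without_editor
    //   - "normal": restricted_with_editor,
    //   - "trusted": restricted_plus_dangerous_tag_with_editor
    //   - "privileged": restricted_without_editor, restricted_with_editor,
    //     restricted_plus_dangerous_tag_with_editor,
    //     unrestricted_without_editor and unrestricted_with_editor
    // Every user may create and edit articles; only the "use text format"
    // permissions differ, so that is the sole thing gating each format.
    $articlePermissions = [
        'create article content',
        'edit any article content',
    ];
    $this->untrustedUser = $this->drupalCreateUser(array_merge($articlePermissions, [
        'use text format restricted_without_editor',
    ]));
    $this->normalUser = $this->drupalCreateUser(array_merge($articlePermissions, [
        'use text format restricted_with_editor',
    ]));
    $this->trustedUser = $this->drupalCreateUser(array_merge($articlePermissions, [
        'use text format restricted_plus_dangerous_tag_with_editor',
    ]));
    $this->privilegedUser = $this->drupalCreateUser(array_merge($articlePermissions, [
        'use text format restricted_without_editor',
        'use text format restricted_with_editor',
        'use text format restricted_plus_dangerous_tag_with_editor',
        'use text format unrestricted_without_editor',
        'use text format unrestricted_with_editor',
    ]));
    // Create an "article" node for each possible text format, with the same
    // sample content, to do our tests on. Each node is authored by the user
    // whose permissions cover its format.
    $samples = [
        'restricted_without_editor' => $this->untrustedUser->id(),
        'restricted_with_editor' => $this->normalUser->id(),
        'restricted_plus_dangerous_tag_with_editor' => $this->trustedUser->id(),
        'unrestricted_without_editor' => $this->privilegedUser->id(),
        'unrestricted_with_editor' => $this->privilegedUser->id(),
    ];
    foreach ($samples as $formatId => $authorId) {
        $this->drupalCreateNode([
            'type' => 'article',
            'body' => [
                [
                    'value' => self::$sampleContent,
                    'format' => $formatId,
                ],
            ],
            'uid' => $authorId,
        ]);
    }
}

/**
 * Builds the configuration for the HTML-restricting output filter.
 *
 * @param string $allowedHtml
 *   Space-separated list of the tags the filter_html filter lets through;
 *   anything else is removed on output.
 *
 * @return array
 *   Filter configuration keyed by filter plugin ID, suitable for the
 *   'filters' key of a text format.
 */
private function restrictedHtmlFilter($allowedHtml) {
    return [
        // A filter of the FilterInterface::TYPE_HTML_RESTRICTOR type.
        'filter_html' => [
            'status' => 1,
            'settings' => [
                'allowed_html' => $allowedHtml,
            ],
        ],
    ];
}

/**
 * Creates and saves a text format.
 *
 * @param string $formatId
 *   Machine name of the text format.
 * @param string $label
 *   Human-readable name of the text format.
 * @param int $weight
 *   Weight of the text format.
 * @param array $filters
 *   Filter configuration keyed by filter plugin ID; an empty array creates
 *   an "unrestricted" format with no output filtering.
 */
private function createTextFormat($formatId, $label, $weight, array $filters) {
    $format = FilterFormat::create([
        'format' => $formatId,
        'name' => $label,
        'weight' => $weight,
        'filters' => $filters,
    ]);
    $format->save();
}

/**
 * Attaches the "unicorn" text editor to an existing text format.
 *
 * @param string $formatId
 *   Machine name of the text format the editor is associated with.
 */
private function attachEditor($formatId) {
    $editor = Editor::create([
        'format' => $formatId,
        'editor' => 'unicorn',
    ]);
    $editor->save();
}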
