function PageTitleTest::testTitleXSS

Same name in other branches
  1. 9 core/modules/system/tests/src/Functional/System/PageTitleTest.php \Drupal\Tests\system\Functional\System\PageTitleTest::testTitleXSS()
  2. 8.9.x core/modules/system/tests/src/Functional/System/PageTitleTest.php \Drupal\Tests\system\Functional\System\PageTitleTest::testTitleXSS()
  3. 11.x core/modules/system/tests/src/Functional/System/PageTitleTest.php \Drupal\Tests\system\Functional\System\PageTitleTest::testTitleXSS()

Tests if the title of the site is XSS proof.

File

core/modules/system/tests/src/Functional/System/PageTitleTest.php, line 77

Class

PageTitleTest
Tests HTML output escaping of page title, site name, and slogan.

Namespace

Drupal\Tests\system\Functional\System

Code

public function testTitleXSS(): void {
  // Set some title with JavaScript and HTML chars to escape.
  $title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
  $title_filtered = Html::escape($title);
  $slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
  $slogan_filtered = Xss::filterAdmin($slogan);
  // Set title and slogan.
  $edit = [
    'site_name' => $title,
    'site_slogan' => $slogan,
  ];
  $this->drupalGet('admin/config/system/site-information');
  $this->submitForm($edit, 'Save configuration');
  // Place branding block with site name and slogan into header region.
  $this->drupalPlaceBlock('system_branding_block', ['region' => 'header']);
  // Load frontpage.
  $this->drupalGet('');
  // Test the title, checking for the lack of the unfiltered version of the
  // title.
  $this->assertSession()->responseNotContains($title);
  // Add </title> to make sure we're checking the title tag, rather than the
  // first 'heading' on the page.
  $this->assertSession()->responseContains($title_filtered . '</title>');
  // Test the slogan.
  // Check the unfiltered version of the slogan is missing.
  $this->assertSession()->responseNotContains($slogan);
  // Check for the filtered version of the slogan.
  $this->assertSession()->responseContains($slogan_filtered);
}
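The following is an added example, not part of Drupal core or this test, that shows why the test appends '</title>' to the escaped title: a response whose first heading is escaped but whose title element carries something else would satisfy a check for the escaped string alone. It assumes no Drupal bootstrap, so htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE stands in for Html::escape(), and the response bodies are constructed HTML strings.

```php
<?php
// Added example, not code from Drupal core or its test suite.
// htmlspecialchars() here is an assumption standing in for
// \Drupal\Component\Utility\Html::escape() so the script runs without Drupal.

declare(strict_types=1);

function escapeLikeHtmlEscape(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A check that only looks for the escaped string anywhere in the response.
function naiveTitleCheck(string $html, string $rawTitle): bool {
  $filtered = escapeLikeHtmlEscape($rawTitle);
  return !str_contains($html, $rawTitle) && str_contains($html, $filtered);
}

// Mirrors the test's two assertions: the raw payload must be absent and the
// escaped payload must sit immediately before the closing title tag.
function titleTagIsEscaped(string $html, string $rawTitle): bool {
  $filtered = escapeLikeHtmlEscape($rawTitle);
  return !str_contains($html, $rawTitle)
    && str_contains($html, $filtered . '</title>');
}

// Same title payload as the test; both responses below are constructed.
$title = '</title><script type="text/javascript">alert("Title XSS!");</script> & < > " \' ';
$escaped = escapeLikeHtmlEscape($title);

// Title element and first heading both rendered through escaping.
$good = "<html><head><title>{$escaped}</title></head>"
  . "<body><h1>{$escaped}</h1></body></html>";

// Only the heading is escaped; the title element never received the site name,
// so a check for the escaped string alone would still pass here.
$headingOnly = "<html><head><title>Home</title></head>"
  . "<body><h1>{$escaped}</h1></body></html>";

foreach (['good' => $good, 'headingOnly' => $headingOnly] as $name => $html) {
  printf(
    "%-12s naive=%s title-tag=%s\n",
    $name,
    var_export(naiveTitleCheck($html, $title), true),
    var_export(titleTagIsEscaped($html, $title), true)
  );
}
```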
