// Start from the sort configuration currently stored on the display.
$sorts = $view->display_handler->getOption('sorts');

// Change the label to something with special characters. The value carries
// angle brackets, a single quote and an ampersand, so a missing or repeated
// escaping step shows up in the rendered markup.
$expected_label = "<script>alert('unsafe&dangerous');</script>";
$sorts['id']['expose']['label'] = $expected_label;

// Use a custom sort field identifier: a random machine name with the
// punctuation characters '-_.~' appended.
$field_identifier = $this->randomMachineName() . '-_.~';
$sorts['id']['expose']['field_identifier'] = $field_identifier;

// Store the modified sorts on the display handler and save the view.
$view->display_handler->setOption('sorts', $sorts);
$view->save();
// Test label escaping.
$this->drupalGet('test_exposed_form_sort_items_per_page');

// Reference strings for the raw-response checks: the label escaped once
// (the form a correctly rendered page should carry) and escaped twice (what
// an extra escaping pass would produce).
$escape_1 = Html::escape($expected_label);
$escape_2 = Html::escape($escape_1);

// The 'edit-sort-by' select has to contain exactly one option element.
$options = $this->assertSession()
  ->selectExists('edit-sort-by')
  ->findAll('css', 'option');
$this->assertCount(1, $options);

// Check option existence by option label: the 'Sort by' select must offer an
// option matching the label exactly as it was configured.
$this->assertSession()->optionExists('Sort by', $expected_label);
// Check option existence by option value: the custom field identifier,
// punctuation included, must be usable as the option value.
$this->assertSession()->optionExists('Sort by', $field_identifier);

// Make sure we see the single-escaped string in the raw output, i.e. the
// label reaches the response as text rather than as markup.
$this->assertSession()->responseContains($escape_1);
// But no double-escaped string, which would be displayed to the user as
// literal entities.
$this->assertSession()->responseNotContains($escape_2);
// And not the raw label, either.