CodeExplorer
You are a developer and looking for Shopware projects?
Apply Now!
assertEscaped example
$this->drupalGet('test-node-view');
$this->assertSession()->statusCodeEquals(404);
$this->drupalGet('test-node-view/all');
$this->assertSession()->statusCodeEquals(200);
$this->assertNids($all_nids);
foreach ($types as $type) {
$this->drupalGet("test-node-view/{$type->id()}");
$this->assertSession()->assertEscaped($type->label());
$this->assertNids(array_keys($nodes[$type->id()]));
}
}
/** * Ensures that a list of nodes appear on the page. * * @param array $expected_nids * An array of node IDs. * * @internal */
$this->drupalGet($row_plugin_url);
$this->submitForm(['row[type]' => 'entity:node'], 'Apply');
$this->assertSession()->addressEquals($row_options_url);
// Make sure the custom settings form from the entity row plugin appears. $this->assertSession()->fieldValueEquals('row_options[view_mode]', 'teaser');
// Change the teaser label to have markup so we can test escaping. $teaser = EntityViewMode::load('node.teaser');
$teaser->set('label', 'Teaser <em>markup</em>');
$teaser->save();
$this->drupalGet('admin/structure/views/view/frontpage/edit/default');
$this->assertSession()->assertEscaped('Teaser <em>markup</em>');
}
}
$this->submitForm(['row[type]' => 'entity:node'], 'Apply');
$this->assertSession()->addressEquals($row_options_url);
// Make sure the custom settings form from the entity row plugin appears. $this->assertSession()->fieldValueEquals('row_options[view_mode]', 'teaser');
// Change the teaser label to have markup so we can test escaping. $teaser = EntityViewMode::load('node.teaser');
$teaser->set('label', 'Teaser <em>markup</em>');
$teaser->save();
$this->drupalGet('admin/structure/views/view/frontpage/edit/default');
$this->assertSession()->assertEscaped('Teaser <em>markup</em>');
}
}
public function testAutoescape() {
$script = '<script>alert("This alert is unreal!");</script>';
$build = [
'#theme' => 'twig_autoescape_test',
'#script' => $script,
];
$rendered = \Drupal::service('renderer')->renderRoot($build);
$this->setRawContent($rendered);
$this->assertEscaped($script);
}
}
protected static $modules = ['node', 'user', 'views_ui', 'views_ui_test'];
/** * {@inheritdoc} */
protected $defaultTheme = 'stark';
public function testViewsUi() {
$this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
// Verify that the field admin label is properly escaped. $this->assertSession()->assertEscaped('<marquee>test</marquee>');
$this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
// Verify that the token label is properly escaped. $this->assertSession()->assertEscaped('{{ title }} == <marquee>test</marquee>');
$this->assertSession()->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>');
}
/** * Checks the admin UI for double escaping. */
public function testNoDoubleEscaping() {
protected function checkFeedViewUi($view_name) {
$this->drupalGet('admin/structure/views');
// Verify that the page lists the $view_name view. // Regression test: ViewListBuilder::getDisplayPaths() did not properly // check whether a DisplayPluginCollection was returned in iterating over // all displays. $this->assertSession()->pageTextContains($view_name);
// Check the attach TO interface. $this->drupalGet('admin/structure/views/nojs/display/' . $view_name . '/feed_1/displays');
// Display labels should be escaped. $this->assertSession()->assertEscaped('<em>Page</em>');
// Load all the options of the checkbox. $result = $this->xpath('//div[@id="edit-displays"]/div');
$options = [];
foreach ($result as $item) {
$input_node = $item->find('css', 'input');
if ($input_node->hasAttribute('value')) {
$options[] = $input_node->getAttribute('value');
}
}
$this->drupalGet('admin/structure/views');
// Verify that the page lists the $view_name view. // Regression test: ViewListBuilder::getDisplayPaths() did not properly // check whether a DisplayPluginCollection was returned in iterating over // all displays. $this->assertSession()->pageTextContains($view_name);
// Check the attach TO interface. $this->drupalGet('admin/structure/views/nojs/display/' . $view_name . '/feed_1/displays');
// Display labels should be escaped. $this->assertSession()->assertEscaped('<em>Page</em>');
// Load all the options of the checkbox. $result = $this->xpath('//div[@id="edit-displays"]/div');
$options = [];
foreach ($result as $item) {
$input_node = $item->find('css', 'input');
if ($input_node->hasAttribute('value')) {
$options[] = $input_node->getAttribute('value');
}
}
/**
* Tests that mails for contact messages are correctly sent.
*/
public function testSendPersonalContactMessage() {
// Ensure that the web user's email needs escaping. $mail = $this->webUser->getAccountName() . '&escaped@example.com';
$this->webUser->setEmail($mail)->save();
$this->drupalLogin($this->webUser);
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertSession()->assertEscaped($mail);
$message = $this->submitPersonalContact($this->contactUser);
$mails = $this->getMails();
$this->assertCount(1, $mails);
$mail = $mails[0];
$this->assertEquals($this->contactUser->getEmail(), $mail['to']);
$this->assertEquals($this->config('system.site')->get('mail'), $mail['from']);
$this->assertEquals($this->webUser->getEmail(), $mail['reply-to']);
$this->assertEquals('user_mail', $mail['key']);
$subject = '[' . $this->config('system.site')->get('name') . '] ' . $message['subject[0][value]'];
$this->assertEquals($subject, $mail['subject'], 'Subject is in sent message.');
$this->assertStringContainsString('Hello ' . $this->contactUser->getDisplayName(), $mail['body'], 'Recipient name is in sent message.');
public function testSendPersonalContactMessage() {
// Ensure that the web user's email needs escaping. $mail = $this->webUser->getAccountName() . '&escaped@example.com';
$this->webUser->setEmail($mail)->save();
$this->drupalLogin($this->webUser);
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertSession()->assertEscaped($mail);
$message = $this->submitPersonalContact($this->contactUser);
$mails = $this->getMails();
$this->assertCount(1, $mails);
$mail = $mails[0];
$this->assertEquals($this->contactUser->getEmail(), $mail['to']);
$this->assertEquals($this->config('system.site')->get('mail'), $mail['from']);
$this->assertEquals($this->webUser->getEmail(), $mail['reply-to']);
$this->assertEquals('user_mail', $mail['key']);
$subject = '[' . $this->config('system.site')->get('name') . '] ' . $message['subject[0][value]'];
$this->assertEquals($subject, $mail['subject'], 'Subject is in sent message.');
$this->assertStringContainsString('Hello ' . $this->contactUser->getDisplayName(), $mail['body'], 'Recipient name is in sent message.');
// Ensure Markup objects are rendered as expected.
$this->assertSession()->responseContains('Markup with <em>markup!</em>');
$this->assertSession()->pageTextMatchesCount(1, '/Markup with markup!/');
$this->assertSession()->responseContains('Markup2 with <em>markup!</em>');
// Ensure when the same message is of different types it is not duplicated. $this->assertSession()->pageTextMatchesCount(1, '$Non duplicate Markup / string.$');
$this->assertSession()->pageTextMatchesCount(2, '$Duplicate Markup / string.$');
// Ensure that strings that are not marked as safe are escaped. $this->assertSession()->assertEscaped('<em>This<span>markup will be</span> escaped</em>.');
// Ensure messages survive a container rebuild. $assert = $this->assertSession();
$this->drupalLogin($this->rootUser);
$edit = [];
$edit["modules[help][enable]"] = TRUE;
$this->drupalGet('admin/modules');
$this->submitForm($edit, 'Install');
$assert->pageTextContains('Help has been enabled');
$assert->pageTextContains('system_test_preinstall_module called');
}
$this->assertSession()->pageTextMatchesCount(1, '/Markup with markup!/');
$this->assertSession()->responseContains('Markup2 with <em>markup!</em>');
// Ensure when the same message is of different types it is not duplicated. $this->assertSession()->pageTextMatchesCount(1, '$Non duplicate Markup / string.$');
$this->assertSession()->pageTextMatchesCount(2, '$Duplicate Markup / string.$');
// Ensure that strings that are not marked as safe are escaped. $this->assertSession()->assertEscaped('<em>This<span>markup will be</span> escaped</em>.');
// Ensure messages survive a container rebuild. $assert = $this->assertSession();
$this->drupalLogin($this->rootUser);
$edit = [];
$edit["modules[help][enable]"] = TRUE;
$this->drupalGet('admin/modules');
$this->submitForm($edit, 'Install');
$assert->pageTextContains('Help has been enabled');
$assert->pageTextContains('system_test_preinstall_module called');
}
// written and writes a correctly formatted message to the error log. Set
// $private to TRUE so all possible .htaccess lines are written.
/** @var \Drupal\Core\File\HtaccessWriterInterface $htaccess */
$htaccess = \Drupal::service('file.htaccess_writer');
$this->assertFalse($htaccess->write($private, TRUE));
$this->drupalLogin($this->rootUser);
$this->drupalGet('admin/reports/dblog');
$this->clickLink("Security warning: Couldn't write .htaccess file. Pleaseā¦");
$lines = FileSecurity::htaccessLines(TRUE);
foreach (array_filter(explode("\n", $lines)) as $line) {
$this->assertSession()->assertEscaped($line);
}
}
}
$htaccess = \Drupal::service('file.htaccess_writer');
$this->assertFalse($htaccess->write($private, TRUE));
$this->drupalLogin($this->rootUser);
$this->drupalGet('admin/reports/dblog');
$this->clickLink("Security warning: Couldn't write .htaccess file. Pleaseā¦");
$lines = FileSecurity::htaccessLines(TRUE);
foreach (array_filter(explode("\n", $lines)) as $line) {
$this->assertSession()->assertEscaped($line);
}
}
}
}
/** * Tests validation of #type 'select' elements. */
public function testSelect() {
$form = \Drupal::formBuilder()->getForm('Drupal\form_test\Form\FormTestSelectForm');
$this->drupalGet('form-test/select');
// Verify that the options are escaped as expected. $this->assertSession()->assertEscaped('<strong>four</strong>');
$this->assertSession()->responseNotContains('<strong>four</strong>');
// Posting without any values should throw validation errors. $this->submitForm([], 'Submit');
$no_errors = [
'select',
'select_required',
'select_optional',
'empty_value',
'empty_value_one',
'no_default_optional',
/**
* Tests the attachment UI.
*/
public function testAttachmentUI() {
$this->drupalGet('admin/structure/views/view/test_attachment_ui/edit/attachment_1');
$this->assertSession()->pageTextContains('Not defined');
$attachment_display_url = 'admin/structure/views/nojs/display/test_attachment_ui/attachment_1/displays';
$this->drupalGet($attachment_display_url);
// Display labels should be escaped. $this->assertSession()->assertEscaped('<em>Page</em>');
$this->assertSession()->checkboxNotChecked("edit-displays-default");
$this->assertSession()->checkboxNotChecked("edit-displays-page-1");
// Save the attachments and test the value on the view. $this->drupalGet($attachment_display_url);
$this->submitForm(['displays[page_1]' => 1], 'Apply');
// Options summary should be escaped. $this->assertSession()->assertEscaped('<em>Page</em>');
$this->assertSession()->responseNotContains('<em>Page</em>');
$this->assertSession()->elementAttributeContains('xpath', '//a[@id = "views-attachment-1-displays"]', 'title', 'Page');
public function testAttachmentUI() {
$this->drupalGet('admin/structure/views/view/test_attachment_ui/edit/attachment_1');
$this->assertSession()->pageTextContains('Not defined');
$attachment_display_url = 'admin/structure/views/nojs/display/test_attachment_ui/attachment_1/displays';
$this->drupalGet($attachment_display_url);
// Display labels should be escaped. $this->assertSession()->assertEscaped('<em>Page</em>');
$this->assertSession()->checkboxNotChecked("edit-displays-default");
$this->assertSession()->checkboxNotChecked("edit-displays-page-1");
// Save the attachments and test the value on the view. $this->drupalGet($attachment_display_url);
$this->submitForm(['displays[page_1]' => 1], 'Apply');
// Options summary should be escaped. $this->assertSession()->assertEscaped('<em>Page</em>');
$this->assertSession()->responseNotContains('<em>Page</em>');
$this->assertSession()->elementAttributeContains('xpath', '//a[@id = "views-attachment-1-displays"]', 'title', 'Page');
$test_image = current($this->drupalGetTestFiles('image', 39325));
$edit['files[field_image_0][]'] = \Drupal::service('file_system')->realpath($test_image->uri);
$this->drupalGet('node/add/page');
$this->submitForm($edit, 'Upload');
// Add an alt tag and preview the node. $this->submitForm(['field_image[0][alt]' => 'Picture of llamas'], 'Preview');
// Check that the preview is displaying the title, body and term. $expected_title = $edit[$title_key] . ' | Drupal';
$this->assertSession()->titleEquals($expected_title);
$this->assertSession()->assertEscaped($edit[$title_key]);
$this->assertSession()->pageTextContains($edit[$body_key]);
$this->assertSession()->pageTextContains($edit[$term_key]);
$this->assertSession()->linkExists('Back to content editing');
// Check that we see the class of the node type on the body element. $this->assertSession()->elementExists('xpath', "//body[contains(@class, 'page-node-type-page')]");
// Get the UUID. $url = parse_url($this->getUrl());
$paths = explode('/', $url['path']);
$view_mode = array_pop($paths);
$edit['files[field_image_0][]'] = \Drupal::service('file_system')->realpath($test_image->uri);
$this->drupalGet('node/add/page');
$this->submitForm($edit, 'Upload');
// Add an alt tag and preview the node. $this->submitForm(['field_image[0][alt]' => 'Picture of llamas'], 'Preview');
// Check that the preview is displaying the title, body and term. $expected_title = $edit[$title_key] . ' | Drupal';
$this->assertSession()->titleEquals($expected_title);
$this->assertSession()->assertEscaped($edit[$title_key]);
$this->assertSession()->pageTextContains($edit[$body_key]);
$this->assertSession()->pageTextContains($edit[$term_key]);
$this->assertSession()->linkExists('Back to content editing');
// Check that we see the class of the node type on the body element. $this->assertSession()->elementExists('xpath', "//body[contains(@class, 'page-node-type-page')]");
// Get the UUID. $url = parse_url($this->getUrl());
$paths = explode('/', $url['path']);
$view_mode = array_pop($paths);
public function testEscapingAssertions() {
$assert = $this->assertSession();
$this->drupalGet('test-escaped-characters');
$assert->assertNoEscaped('<div class="escaped">');
$assert->responseContains('<div class="escaped">');
$assert->assertEscaped('Escaped: <"\'&>');
$this->drupalGet('test-escaped-script');
$assert->assertNoEscaped('<div class="escaped">');
$assert->responseContains('<div class="escaped">');
$assert->assertEscaped("<script>alert('XSS');alert(\"XSS\");</script>");
$this->drupalGet('test-unescaped-script');
$assert->assertNoEscaped('<div class="unescaped">');
$assert->responseContains('<div class="unescaped">');
$assert->responseContains("<script>alert('Marked safe');alert(\"Marked safe\");</script>");
$assert->assertNoEscaped("<script>alert('Marked safe');alert(\"Marked safe\");</script>");
}
'Job: Singer',
'Job: ' . $unsafe_markup,
];
// Ensure that we don't find the caption containing unsafe markup. $this->assertSession()->responseNotContains($unsafe_markup);
// Ensure that the summary isn't shown. $this->assertSession()->elementNotExists('xpath', '//caption/details');
// Ensure that all expected captions are found. foreach ($expected_captions as $raw_caption) {
$this->assertSession()->assertEscaped($raw_caption);
}
$display = &$view->getDisplay('default');
// Remove the label from the grouping field. $display['display_options']['fields']['job']['label'] = '';
$view->save();
$this->drupalGet('test-table');
$expected_captions = [
'Speaker',
'Songwriter',
'Job: ' . $unsafe_markup,
];
// Ensure that we don't find the caption containing unsafe markup. $this->assertSession()->responseNotContains($unsafe_markup);
// Ensure that the summary isn't shown. $this->assertSession()->elementNotExists('xpath', '//caption/details');
// Ensure that all expected captions are found. foreach ($expected_captions as $raw_caption) {
$this->assertSession()->assertEscaped($raw_caption);
}
$display = &$view->getDisplay('default');
// Remove the label from the grouping field. $display['display_options']['fields']['job']['label'] = '';
$view->save();
$this->drupalGet('test-table');
$expected_captions = [
'Speaker',
'Songwriter',
$this->removeWhiteSpace();
$this->assertRaw('<tbody><tr><td>1-one</td><td>1-two</td><td>1-three</td></tr>', 'Table row 1 found.');
$this->assertRaw('<tr><td>2-one</td><td>2-two</td><td><b>2-three</b></td></tr></tbody>', 'Table row 2 found.');
}
/** * Tests that the select/checkbox label is being generated and escaped. */
public function testThemeTableTitle() {
$form = \Drupal::formBuilder()->getForm('\Drupal\form_test\Form\FormTestTableForm');
$this->render($form);
$this->assertEscaped('Update <em>kitten</em>');
$this->assertRaw('Update my favorite fruit is <strong>bananas</strong>');
}
}
$this->assertRaw('<tbody><tr><td>1-one</td><td>1-two</td><td>1-three</td></tr>', 'Table row 1 found.');
$this->assertRaw('<tr><td>2-one</td><td>2-two</td><td><b>2-three</b></td></tr></tbody>', 'Table row 2 found.');
}
/** * Tests that the select/checkbox label is being generated and escaped. */
public function testThemeTableTitle() {
$form = \Drupal::formBuilder()->getForm('\Drupal\form_test\Form\FormTestTableForm');
$this->render($form);
$this->assertEscaped('Update <em>kitten</em>');
$this->assertRaw('Update my favorite fruit is <strong>bananas</strong>');
}
}
// There are expected to be failed updates.
$this->checkFailedUpdates = FALSE;
$this->runUpdates();
$this->assertSession()->pageTextContains('Failed: RuntimeException: This post update fails in post_update_test_failing_post_update_exception()');
}
/** * {@inheritdoc} */
protected function doSelectionTest() {
$this->assertSession()->assertEscaped("Post update that throws an exception.");
}
}
$this->runUpdates();
$this->assertSession()->pageTextContains('Failed: RuntimeException: This post update fails in post_update_test_failing_post_update_exception()');
}
/** * {@inheritdoc} */
protected function doSelectionTest() {
$this->assertSession()->assertEscaped("Post update that throws an exception.");
}
}