assertEscaped example



    $this->drupalGet('test-node-view');
    $this->assertSession()->statusCodeEquals(404);

    $this->drupalGet('test-node-view/all');
    $this->assertSession()->statusCodeEquals(200);
    $this->assertNids($all_nids);

    foreach ($types as $type) {
      $this->drupalGet("test-node-view/{$type->id()}");
      $this->assertSession()->assertEscaped($type->label());
      $this->assertNids(array_keys($nodes[$type->id()]));
    }
  }

  /**
   * Ensures that a list of nodes appears on the page.
   *
   * @param array $expected_nids
   *   An array of node IDs.
   *
   * @internal
   */
$this->drupalGet($row_plugin_url);
    $this->submitForm(['row[type]' => 'entity:node'], 'Apply');
    $this->assertSession()->addressEquals($row_options_url);
    // Make sure the custom settings form from the entity row plugin appears.     $this->assertSession()->fieldValueEquals('row_options[view_mode]', 'teaser');

    // Change the teaser label to have markup so we can test escaping.     $teaser = EntityViewMode::load('node.teaser');
    $teaser->set('label', 'Teaser <em>markup</em>');
    $teaser->save();
    $this->drupalGet('admin/structure/views/view/frontpage/edit/default');
    $this->assertSession()->assertEscaped('Teaser <em>markup</em>');
  }

}

  public function testAutoescape() {
    $script = '<script>alert("This alert is unreal!");</script>';
    $build = [
      '#theme' => 'twig_autoescape_test',
      '#script' => $script,
    ];
    $rendered = \Drupal::service('renderer')->renderRoot($build);
    $this->setRawContent($rendered);
    $this->assertEscaped($script);
  }

}

  /**
   * {@inheritdoc}
   */
  protected static $modules = ['node', 'user', 'views_ui', 'views_ui_test'];

  /**
   * {@inheritdoc}
   */
  protected $defaultTheme = 'stark';

  public function testViewsUi() {
    $this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
    // Verify that the field admin label is properly escaped.     $this->assertSession()->assertEscaped('<marquee>test</marquee>');

    $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
    // Verify that the token label is properly escaped.     $this->assertSession()->assertEscaped('{{ title }} == <marquee>test</marquee>');
    $this->assertSession()->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>');
  }

  /**
   * Checks the admin UI for double escaping.
   */
  public function testNoDoubleEscaping() {
    
protected function checkFeedViewUi($view_name) {
    $this->drupalGet('admin/structure/views');
    // Verify that the page lists the $view_name view.     // Regression test: ViewListBuilder::getDisplayPaths() did not properly     // check whether a DisplayPluginCollection was returned in iterating over     // all displays.     $this->assertSession()->pageTextContains($view_name);

    // Check the attach TO interface.     $this->drupalGet('admin/structure/views/nojs/display/' . $view_name . '/feed_1/displays');
    // Display labels should be escaped.     $this->assertSession()->assertEscaped('<em>Page</em>');

    // Load all the options of the checkbox.     $result = $this->xpath('//div[@id="edit-displays"]/div');
    $options = [];
    foreach ($result as $item) {
      $input_node = $item->find('css', 'input');
      if ($input_node->hasAttribute('value')) {
        $options[] = $input_node->getAttribute('value');
      }
    }

    
  /**
   * Tests that mails for contact messages are correctly sent.
   */
  public function testSendPersonalContactMessage() {
    // Ensure that the web user's email needs escaping.     $mail = $this->webUser->getAccountName() . '&escaped@example.com';
    $this->webUser->setEmail($mail)->save();
    $this->drupalLogin($this->webUser);

    $this->drupalGet('user/' . $this->contactUser->id() . '/contact');
    $this->assertSession()->assertEscaped($mail);
    $message = $this->submitPersonalContact($this->contactUser);
    $mails = $this->getMails();
    $this->assertCount(1, $mails);
    $mail = $mails[0];
    $this->assertEquals($this->contactUser->getEmail()$mail['to']);
    $this->assertEquals($this->config('system.site')->get('mail')$mail['from']);
    $this->assertEquals($this->webUser->getEmail()$mail['reply-to']);
    $this->assertEquals('user_mail', $mail['key']);
    $subject = '[' . $this->config('system.site')->get('name') . '] ' . $message['subject[0][value]'];
    $this->assertEquals($subject$mail['subject'], 'Subject is in sent message.');
    $this->assertStringContainsString('Hello ' . $this->contactUser->getDisplayName()$mail['body'], 'Recipient name is in sent message.');
    
// Ensure Markup objects are rendered as expected.     $this->assertSession()->responseContains('Markup with <em>markup!</em>');
    $this->assertSession()->pageTextMatchesCount(1, '/Markup with markup!/');
    $this->assertSession()->responseContains('Markup2 with <em>markup!</em>');

    // Ensure when the same message is of different types it is not duplicated.     $this->assertSession()->pageTextMatchesCount(1, '$Non duplicate Markup / string.$');
    $this->assertSession()->pageTextMatchesCount(2, '$Duplicate Markup / string.$');

    // Ensure that strings that are not marked as safe are escaped.     $this->assertSession()->assertEscaped('<em>This<span>markup will be</span> escaped</em>.');

    // Ensure messages survive a container rebuild.     $assert = $this->assertSession();
    $this->drupalLogin($this->rootUser);
    $edit = [];
    $edit["modules[help][enable]"] = TRUE;
    $this->drupalGet('admin/modules');
    $this->submitForm($edit, 'Install');
    $assert->pageTextContains('Help has been enabled');
    $assert->pageTextContains('system_test_preinstall_module called');
  }

  
    // written and writes a correctly formatted message to the error log. Set     // $private to TRUE so all possible .htaccess lines are written.     /** @var \Drupal\Core\File\HtaccessWriterInterface $htaccess */
    $htaccess = \Drupal::service('file.htaccess_writer');
    $this->assertFalse($htaccess->write($private, TRUE));
    $this->drupalLogin($this->rootUser);
    $this->drupalGet('admin/reports/dblog');
    $this->clickLink("Security warning: Couldn't write .htaccess file. Pleaseā€¦");

    $lines = FileSecurity::htaccessLines(TRUE);
    foreach (array_filter(explode("\n", $lines)) as $line) {
      $this->assertSession()->assertEscaped($line);
    }
  }

}

  }

  /**
   * Tests validation of #type 'select' elements.
   */
  public function testSelect() {
    $form = \Drupal::formBuilder()->getForm('Drupal\form_test\Form\FormTestSelectForm');
    $this->drupalGet('form-test/select');

    // Verify that the options are escaped as expected.     $this->assertSession()->assertEscaped('<strong>four</strong>');
    $this->assertSession()->responseNotContains('<strong>four</strong>');

    // Posting without any values should throw validation errors.     $this->submitForm([], 'Submit');
    $no_errors = [
      'select',
      'select_required',
      'select_optional',
      'empty_value',
      'empty_value_one',
      'no_default_optional',
      
  /**
   * Tests the attachment UI.
   */
  public function testAttachmentUI() {
    $this->drupalGet('admin/structure/views/view/test_attachment_ui/edit/attachment_1');
    $this->assertSession()->pageTextContains('Not defined');

    $attachment_display_url = 'admin/structure/views/nojs/display/test_attachment_ui/attachment_1/displays';
    $this->drupalGet($attachment_display_url);
    // Display labels should be escaped.     $this->assertSession()->assertEscaped('<em>Page</em>');

    $this->assertSession()->checkboxNotChecked("edit-displays-default");
    $this->assertSession()->checkboxNotChecked("edit-displays-page-1");

    // Save the attachments and test the value on the view.     $this->drupalGet($attachment_display_url);
    $this->submitForm(['displays[page_1]' => 1], 'Apply');
    // Options summary should be escaped.     $this->assertSession()->assertEscaped('<em>Page</em>');
    $this->assertSession()->responseNotContains('<em>Page</em>');
    $this->assertSession()->elementAttributeContains('xpath', '//a[@id = "views-attachment-1-displays"]', 'title', 'Page');
    
    $test_image = current($this->drupalGetTestFiles('image', 39325));
    $edit['files[field_image_0][]'] = \Drupal::service('file_system')->realpath($test_image->uri);
    $this->drupalGet('node/add/page');
    $this->submitForm($edit, 'Upload');

    // Add an alt tag and preview the node.     $this->submitForm(['field_image[0][alt]' => 'Picture of llamas'], 'Preview');

    // Check that the preview is displaying the title, body and term.     $expected_title = $edit[$title_key] . ' | Drupal';
    $this->assertSession()->titleEquals($expected_title);
    $this->assertSession()->assertEscaped($edit[$title_key]);
    $this->assertSession()->pageTextContains($edit[$body_key]);
    $this->assertSession()->pageTextContains($edit[$term_key]);
    $this->assertSession()->linkExists('Back to content editing');

    // Check that we see the class of the node type on the body element.     $this->assertSession()->elementExists('xpath', "//body[contains(@class, 'page-node-type-page')]");

    // Get the UUID.     $url = parse_url($this->getUrl());
    $paths = explode('/', $url['path']);
    $view_mode = array_pop($paths);
    

  public function testEscapingAssertions() {
    $assert = $this->assertSession();

    $this->drupalGet('test-escaped-characters');
    $assert->assertNoEscaped('<div class="escaped">');
    $assert->responseContains('<div class="escaped">');
    $assert->assertEscaped('Escaped: <"\'&>');

    $this->drupalGet('test-escaped-script');
    $assert->assertNoEscaped('<div class="escaped">');
    $assert->responseContains('<div class="escaped">');
    $assert->assertEscaped("<script>alert('XSS');alert(\"XSS\");</script>");

    $this->drupalGet('test-unescaped-script');
    $assert->assertNoEscaped('<div class="unescaped">');
    $assert->responseContains('<div class="unescaped">');
    $assert->responseContains("<script>alert('Marked safe');alert(\"Marked safe\");</script>");
    $assert->assertNoEscaped("<script>alert('Marked safe');alert(\"Marked safe\");</script>");
  }
'Job: Singer',
      'Job: ' . $unsafe_markup,
    ];

    // Ensure that we don't find the caption containing unsafe markup.     $this->assertSession()->responseNotContains($unsafe_markup);
    // Ensure that the summary isn't shown.     $this->assertSession()->elementNotExists('xpath', '//caption/details');

    // Ensure that all expected captions are found.     foreach ($expected_captions as $raw_caption) {
      $this->assertSession()->assertEscaped($raw_caption);
    }

    $display = &$view->getDisplay('default');
    // Remove the label from the grouping field.     $display['display_options']['fields']['job']['label'] = '';
    $view->save();

    $this->drupalGet('test-table');
    $expected_captions = [
      'Speaker',
      'Songwriter',
      
$this->removeWhiteSpace();
    $this->assertRaw('<tbody><tr><td>1-one</td><td>1-two</td><td>1-three</td></tr>', 'Table row 1 found.');
    $this->assertRaw('<tr><td>2-one</td><td>2-two</td><td><b>2-three</b></td></tr></tbody>', 'Table row 2 found.');
  }

  /** * Tests that the select/checkbox label is being generated and escaped. */
  public function testThemeTableTitle() {
    $form = \Drupal::formBuilder()->getForm('\Drupal\form_test\Form\FormTestTableForm');
    $this->render($form);
    $this->assertEscaped('Update <em>kitten</em>');
    $this->assertRaw('Update my favorite fruit is <strong>bananas</strong>');
  }

}
// There are expected to be failed updates.     $this->checkFailedUpdates = FALSE;

    $this->runUpdates();
    $this->assertSession()->pageTextContains('Failed: RuntimeException: This post update fails in post_update_test_failing_post_update_exception()');
  }

  /** * {@inheritdoc} */
  protected function doSelectionTest() {
    $this->assertSession()->assertEscaped("Post update that throws an exception.");
  }

}