CodeExplorer
You are a developer and looking for Shopware projects?
Apply Now!
assertNoEscaped example
/**
* Tests that nothing is escaped other than the blocks explicitly tested.
*/
public function testNoUnexpectedEscaping() {
$this->drupalLogin($this->drupalCreateUser([
'administer blocks',
'access administration pages',
]));
$this->drupalGet(Url::fromRoute('block.admin_display'));
$this->clickLink('Place block');
$this->assertSession()->assertNoEscaped('<');
}
/** * Tests XSS in title. */
public function testXssInTitle() {
$this->container->get('module_installer')->install(['block_test']);
$this->drupalPlaceBlock('test_xss_title', ['label' => '<script>alert("XSS label");</script>']);
\Drupal::state()->set('block_test.content', $this->randomMachineName());
$this->drupalGet('');
public function testNoUnexpectedEscaping() {
$this->drupalLogin($this->drupalCreateUser([
'administer blocks',
'access administration pages',
]));
$this->drupalGet(Url::fromRoute('block.admin_display'));
$this->clickLink('Place block');
$this->assertSession()->assertNoEscaped('<');
}
/** * Tests XSS in title. */
public function testXssInTitle() {
$this->container->get('module_installer')->install(['block_test']);
$this->drupalPlaceBlock('test_xss_title', ['label' => '<script>alert("XSS label");</script>']);
\Drupal::state()->set('block_test.content', $this->randomMachineName());
$this->drupalGet('');
/**
* Tests assertEscaped() and assertUnescaped().
*
* @see \Drupal\Tests\WebAssert::assertNoEscaped()
* @see \Drupal\Tests\WebAssert::assertEscaped()
*/
public function testEscapingAssertions() {
$assert = $this->assertSession();
$this->drupalGet('test-escaped-characters');
$assert->assertNoEscaped('<div class="escaped">');
$assert->responseContains('<div class="escaped">');
$assert->assertEscaped('Escaped: <"\'&>');
$this->drupalGet('test-escaped-script');
$assert->assertNoEscaped('<div class="escaped">');
$assert->responseContains('<div class="escaped">');
$assert->assertEscaped("<script>alert('XSS');alert(\"XSS\");</script>");
$this->drupalGetWithAlert('test-unescaped-script');
$assert->assertNoEscaped('<div class="unescaped">');
$assert->responseContains('<div class="unescaped">');
public function testEscapingAssertions() {
$assert = $this->assertSession();
$this->drupalGet('test-escaped-characters');
$assert->assertNoEscaped('<div class="escaped">');
$assert->responseContains('<div class="escaped">');
$assert->assertEscaped('Escaped: <"\'&>');
$this->drupalGet('test-escaped-script');
$assert->assertNoEscaped('<div class="escaped">');
$assert->responseContains('<div class="escaped">');
$assert->assertEscaped("<script>alert('XSS');alert(\"XSS\");</script>");
$this->drupalGetWithAlert('test-unescaped-script');
$assert->assertNoEscaped('<div class="unescaped">');
$assert->responseContains('<div class="unescaped">');
$this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
// Verify that the token label is properly escaped. $this->assertSession()->assertEscaped('{{ title }} == <marquee>test</marquee>');
$this->assertSession()->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>');
}
/** * Checks the admin UI for double escaping. */
public function testNoDoubleEscaping() {
$this->drupalGet('admin/structure/views');
$this->assertSession()->assertNoEscaped('<');
$this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
$this->assertSession()->assertNoEscaped('<');
$this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
$this->assertSession()->assertNoEscaped('<');
}
}
// Verify that the token label is properly escaped. $this->assertSession()->assertEscaped('{{ title }} == <marquee>test</marquee>');
$this->assertSession()->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>');
}
/** * Checks the admin UI for double escaping. */
public function testNoDoubleEscaping() {
$this->drupalGet('admin/structure/views');
$this->assertSession()->assertNoEscaped('<');
$this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
$this->assertSession()->assertNoEscaped('<');
$this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
$this->assertSession()->assertNoEscaped('<');
}
}
$edit = [];
$edit['subject[0][value]'] = $this->randomMachineName(8);
$edit['comment_body[0][value]'] = $this->randomMachineName(16);
$this->drupalGet('node/' . $this->node->id());
$this->submitForm($edit, 'Preview');
$this->assertSession()->assertEscaped('<em>' . $this->webUser->id() . '</em>');
\Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE);
$this->drupalGet('node/' . $this->node->id());
$this->submitForm($edit, 'Preview');
$this->assertInstanceOf(MarkupInterface::class, $this->webUser->getDisplayName());
$this->assertSession()->assertNoEscaped('<em>' . $this->webUser->id() . '</em>');
$this->assertSession()->responseContains('<em>' . $this->webUser->id() . '</em>');
// Add a user picture. $image = current($this->drupalGetTestFiles('image'));
$user_edit['files[user_picture_0]'] = \Drupal::service('file_system')->realpath($image->uri);
$this->drupalGet('user/' . $this->webUser->id() . '/edit');
$this->submitForm($user_edit, 'Save');
// As the web user, fill in the comment form and preview the comment. $this->drupalGet('node/' . $this->node->id());
$this->submitForm($edit, 'Preview');
$edit['subject[0][value]'] = $this->randomMachineName(8);
$edit['comment_body[0][value]'] = $this->randomMachineName(16);
$this->drupalGet('node/' . $this->node->id());
$this->submitForm($edit, 'Preview');
$this->assertSession()->assertEscaped('<em>' . $this->webUser->id() . '</em>');
\Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE);
$this->drupalGet('node/' . $this->node->id());
$this->submitForm($edit, 'Preview');
$this->assertInstanceOf(MarkupInterface::class, $this->webUser->getDisplayName());
$this->assertSession()->assertNoEscaped('<em>' . $this->webUser->id() . '</em>');
$this->assertSession()->responseContains('<em>' . $this->webUser->id() . '</em>');
// Add a user picture. $image = current($this->drupalGetTestFiles('image'));
$user_edit['files[user_picture_0]'] = \Drupal::service('file_system')->realpath($image->uri);
$this->drupalGet('user/' . $this->webUser->id() . '/edit');
$this->submitForm($user_edit, 'Save');
// As the web user, fill in the comment form and preview the comment. $this->drupalGet('node/' . $this->node->id());
$this->submitForm($edit, 'Preview');
/**
* Tests batches defined in a form submit handler.
*/
public function testBatchForm() {
// Batch 0: no operation. $edit = ['batch' => 'batch_0'];
$this->drupalGet('batch-test');
$this->submitForm($edit, 'Submit');
// If there is any escaped markup it will include at least an escaped '<' // character, so assert on each page that there is no escaped '<' as a way // of verifying that no markup is incorrectly escaped. $this->assertSession()->assertNoEscaped('<');
$this->assertBatchMessages($this->_resultMessages('batch_0'));
$this->assertSession()->pageTextContains('Redirection successful.');
// Batch 1: several simple operations. $edit = ['batch' => 'batch_1'];
$this->drupalGet('batch-test');
$this->submitForm($edit, 'Submit');
$this->assertSession()->assertNoEscaped('<');
$this->assertBatchMessages($this->_resultMessages('batch_1'));
$this->assertEquals($this->_resultStack('batch_1'), batch_test_stack(), 'Execution order was correct.');
$this->assertSession()->pageTextContains('Redirection successful.');
public function testBatchForm() {
// Batch 0: no operation. $edit = ['batch' => 'batch_0'];
$this->drupalGet('batch-test');
$this->submitForm($edit, 'Submit');
// If there is any escaped markup it will include at least an escaped '<' // character, so assert on each page that there is no escaped '<' as a way // of verifying that no markup is incorrectly escaped. $this->assertSession()->assertNoEscaped('<');
$this->assertBatchMessages($this->_resultMessages('batch_0'));
$this->assertSession()->pageTextContains('Redirection successful.');
// Batch 1: several simple operations. $edit = ['batch' => 'batch_1'];
$this->drupalGet('batch-test');
$this->submitForm($edit, 'Submit');
$this->assertSession()->assertNoEscaped('<');
$this->assertBatchMessages($this->_resultMessages('batch_1'));
$this->assertEquals($this->_resultStack('batch_1'), batch_test_stack(), 'Execution order was correct.');
$this->assertSession()->pageTextContains('Redirection successful.');
// Make the image field non-translatable.
$edit = ['settings[node][article][fields][field_image]' => FALSE];
$this->drupalGet('admin/config/regional/content-language');
$this->submitForm($edit, 'Save configuration');
// Create a node. $nid = $this->createEntity(['title' => 'Node with multi-value image field en title'], 'en');
// Add a French translation and assert the title markup is not escaped. $this->drupalGet("node/$nid/translations/add/en/fr");
$markup = 'Image <span class="translation-entity-all-languages">(all languages)</span>';
$this->assertSession()->assertNoEscaped($markup);
$this->assertSession()->responseContains($markup);
}
/** * Test that when content is language neutral, it uses interface language. * * When language neutral content is displayed on interface language, it should * consider the interface language for creating the content link. */
public function testUrlPrefixOnLanguageNeutralContent() {
$this->drupalLogin($this->administrator);
$this->drupalGet('admin/config/regional/content-language');
$this->submitForm($edit, 'Save configuration');
// Create a node. $nid = $this->createEntity(['title' => 'Node with multi-value image field en title'], 'en');
// Add a French translation and assert the title markup is not escaped. $this->drupalGet("node/$nid/translations/add/en/fr");
$markup = 'Image <span class="translation-entity-all-languages">(all languages)</span>';
$this->assertSession()->assertNoEscaped($markup);
$this->assertSession()->responseContains($markup);
}
/** * Test that when content is language neutral, it uses interface language. * * When language neutral content is displayed on interface language, it should * consider the interface language for creating the content link. */
public function testUrlPrefixOnLanguageNeutralContent() {
$this->drupalLogin($this->administrator);
$this->clickLink('Add new comment');
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->fieldExists('comment_body[0][value]');
// Log in as the first user. $this->drupalLogin($this->adminUser);
// Check that forum renders properly. $this->drupalGet("forum/{$this->forum['tid']}");
$this->assertSession()->statusCodeEquals(200);
// Verify there is no unintentional HTML tag escaping. $this->assertSession()->assertNoEscaped('<');
}
/** * Creates a forum topic. * * @param array $forum * A forum array. * @param bool $container * TRUE if $forum is a container; FALSE otherwise. * * @return object|null * The created topic node or NULL if the forum is a container. */
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->fieldExists('comment_body[0][value]');
// Log in as the first user. $this->drupalLogin($this->adminUser);
// Check that forum renders properly. $this->drupalGet("forum/{$this->forum['tid']}");
$this->assertSession()->statusCodeEquals(200);
// Verify there is no unintentional HTML tag escaping. $this->assertSession()->assertNoEscaped('<');
}
/** * Creates a forum topic. * * @param array $forum * A forum array. * @param bool $container * TRUE if $forum is a container; FALSE otherwise. * * @return object|null * The created topic node or NULL if the forum is a container. */
/**
* Tests assertEscaped() and assertUnescaped().
*
* @see \Drupal\Tests\WebAssert::assertNoEscaped()
* @see \Drupal\Tests\WebAssert::assertEscaped()
*/
public function testEscapingAssertions() {
$assert = $this->assertSession();
$this->drupalGet('test-escaped-characters');
$assert->assertNoEscaped('<div class="escaped">');
$assert->responseContains('<div class="escaped">');
$assert->assertEscaped('Escaped: <"\'&>');
$this->drupalGet('test-escaped-script');
$assert->assertNoEscaped('<div class="escaped">');
$assert->responseContains('<div class="escaped">');
$assert->assertEscaped("<script>alert('XSS');alert(\"XSS\");</script>");
$this->drupalGet('test-unescaped-script');
$assert->assertNoEscaped('<div class="unescaped">');
$assert->responseContains('<div class="unescaped">');
public function testEscapingAssertions() {
$assert = $this->assertSession();
$this->drupalGet('test-escaped-characters');
$assert->assertNoEscaped('<div class="escaped">');
$assert->responseContains('<div class="escaped">');
$assert->assertEscaped('Escaped: <"\'&>');
$this->drupalGet('test-escaped-script');
$assert->assertNoEscaped('<div class="escaped">');
$assert->responseContains('<div class="escaped">');
$assert->assertEscaped("<script>alert('XSS');alert(\"XSS\");</script>");
$this->drupalGet('test-unescaped-script');
$assert->assertNoEscaped('<div class="unescaped">');
$assert->responseContains('<div class="unescaped">');
$this->enableViewsTestModule();
}
/** * Tests for incorrectly escaped markup in the views-view-fields.html.twig. */
public function testViewsViewFieldsEscaping() {
// Test with system theme using theme function. $this->drupalGet('test_page_display_200');
// Assert that there are no escaped '<'s characters. $this->assertSession()->assertNoEscaped('<');
// Install theme to test with template system. \Drupal::service('theme_installer')->install(['views_test_theme']);
// Make base theme default then test for hook invocations. $this->config('system.theme')
->set('default', 'views_test_theme')
->save();
$this->assertEquals('views_test_theme', $this->config('system.theme')->get('default'));
$this->drupalGet('test_page_display_200');
}
/** * Tests for incorrectly escaped markup in the views-view-fields.html.twig. */
public function testViewsViewFieldsEscaping() {
// Test with system theme using theme function. $this->drupalGet('test_page_display_200');
// Assert that there are no escaped '<'s characters. $this->assertSession()->assertNoEscaped('<');
// Install theme to test with template system. \Drupal::service('theme_installer')->install(['views_test_theme']);
// Make base theme default then test for hook invocations. $this->config('system.theme')
->set('default', 'views_test_theme')
->save();
$this->assertEquals('views_test_theme', $this->config('system.theme')->get('default'));
$this->drupalGet('test_page_display_200');
// Search for the comment body.
$edit = [
'keys' => "'" . $comment_body . "'",
];
$this->submitForm($edit, 'Search');
$this->assertSession()->pageTextContains($node2->label());
// Verify that comment is rendered using proper format. $this->assertSession()->pageTextContains($comment_body);
// Verify that HTML in comment body is not hidden. $this->assertSession()->pageTextNotContains('n/a');
$this->assertSession()->assertNoEscaped($edit_comment['comment_body[0][value]']);
// Search for the evil script comment subject. $edit = [
'keys' => 'subjectkeyword',
];
$this->drupalGet('search/node');
$this->submitForm($edit, 'Search');
// Verify the evil comment subject is escaped in search results. $this->assertSession()->responseContains('<script>alert('<strong>subjectkeyword</strong>');');
$this->assertSession()->responseNotContains('<script>');
'keys' => "'" . $comment_body . "'",
];
$this->submitForm($edit, 'Search');
$this->assertSession()->pageTextContains($node2->label());
// Verify that comment is rendered using proper format. $this->assertSession()->pageTextContains($comment_body);
// Verify that HTML in comment body is not hidden. $this->assertSession()->pageTextNotContains('n/a');
$this->assertSession()->assertNoEscaped($edit_comment['comment_body[0][value]']);
// Search for the evil script comment subject. $edit = [
'keys' => 'subjectkeyword',
];
$this->drupalGet('search/node');
$this->submitForm($edit, 'Search');
// Verify the evil comment subject is escaped in search results. $this->assertSession()->responseContains('<script>alert('<strong>subjectkeyword</strong>');');
$this->assertSession()->responseNotContains('<script>');
if ($response == 200) {
$this->assertSession()->titleEquals("$name | Drupal");
$this->assertEquals($name, $this->cssSelect('h1.page-title')[0]->getText(), "$module heading was displayed");
$info = \Drupal::service('extension.list.module')->getExtensionInfo($module);
$admin_tasks = system_get_module_admin_tasks($module, $info);
if (!empty($admin_tasks)) {
$this->assertSession()->pageTextContains($name . ' administration pages');
}
foreach ($admin_tasks as $task) {
$this->assertSession()->linkExists($task['title']);
// Ensure there are no double escaped '&' or '<' characters. $this->assertSession()->assertNoEscaped('&');
$this->assertSession()->assertNoEscaped('<');
// Ensure there are no escaped '<' characters. $this->assertSession()->assertNoEscaped('<');
}
// Ensure there are no double escaped '&' or '<' characters. $this->assertSession()->assertNoEscaped('&');
$this->assertSession()->assertNoEscaped('<');
// The help for CKEditor 5 intentionally has escaped '<' so leave this // iteration before the assertion below. if ($module === 'ckeditor5') {
$this->assertSession()->titleEquals("$name | Drupal");
$this->assertEquals($name, $this->cssSelect('h1.page-title')[0]->getText(), "$module heading was displayed");
$info = \Drupal::service('extension.list.module')->getExtensionInfo($module);
$admin_tasks = system_get_module_admin_tasks($module, $info);
if (!empty($admin_tasks)) {
$this->assertSession()->pageTextContains($name . ' administration pages');
}
foreach ($admin_tasks as $task) {
$this->assertSession()->linkExists($task['title']);
// Ensure there are no double escaped '&' or '<' characters. $this->assertSession()->assertNoEscaped('&');
$this->assertSession()->assertNoEscaped('<');
// Ensure there are no escaped '<' characters. $this->assertSession()->assertNoEscaped('<');
}
// Ensure there are no double escaped '&' or '<' characters. $this->assertSession()->assertNoEscaped('&');
$this->assertSession()->assertNoEscaped('<');
// The help for CKEditor 5 intentionally has escaped '<' so leave this // iteration before the assertion below. if ($module === 'ckeditor5') {
$this->assertSession()->pageTextContains('filtered text');
// Disable the format. $format->disable()->save();
$this->drupalGet($node->toUrl());
// The format is not used anymore. $this->assertSession()->pageTextNotContains('filtered text');
// The text is not displayed unfiltered or escaped. $this->assertSession()->responseNotContains($body_value);
$this->assertSession()->assertNoEscaped($body_value);
// Visit the dblog report page. $this->drupalLogin($this->adminUser);
$this->drupalGet('admin/reports/dblog');
// The correct message has been logged. $this->assertSession()->pageTextContains(sprintf('Disabled text format: %s.', $format_id));
// Programmatically change the text format to something random so we trigger // the missing text format message. $format_id = $this->randomMachineName();
$node->body->format = $format_id;
// Disable the format. $format->disable()->save();
$this->drupalGet($node->toUrl());
// The format is not used anymore. $this->assertSession()->pageTextNotContains('filtered text');
// The text is not displayed unfiltered or escaped. $this->assertSession()->responseNotContains($body_value);
$this->assertSession()->assertNoEscaped($body_value);
// Visit the dblog report page. $this->drupalLogin($this->adminUser);
$this->drupalGet('admin/reports/dblog');
// The correct message has been logged. $this->assertSession()->pageTextContains(sprintf('Disabled text format: %s.', $format_id));
// Programmatically change the text format to something random so we trigger // the missing text format message. $format_id = $this->randomMachineName();
$node->body->format = $format_id;
// Test escaping of title on user's tracker tab.
\Drupal::service('module_installer')->install(['user_hooks_test']);
Cache::invalidateTags(['rendered']);
\Drupal::state()->set('user_hooks_test_user_format_name_alter', TRUE);
$this->drupalGet('user/' . $this->user->id() . '/activity');
$this->assertSession()->assertEscaped('<em>' . $this->user->id() . '</em>');
\Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE);
Cache::invalidateTags(['rendered']);
$this->drupalGet('user/' . $this->user->id() . '/activity');
$this->assertSession()->assertNoEscaped('<em>' . $this->user->id() . '</em>');
$this->assertSession()->responseContains('<em>' . $this->user->id() . '</em>');
}
/** * Tests the metadata for the "new"/"updated" indicators. */
public function testTrackerHistoryMetadata() {
$this->drupalLogin($this->user);
// Create a page node. $edit = [
Cache::invalidateTags(['rendered']);
\Drupal::state()->set('user_hooks_test_user_format_name_alter', TRUE);
$this->drupalGet('user/' . $this->user->id() . '/activity');
$this->assertSession()->assertEscaped('<em>' . $this->user->id() . '</em>');
\Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE);
Cache::invalidateTags(['rendered']);
$this->drupalGet('user/' . $this->user->id() . '/activity');
$this->assertSession()->assertNoEscaped('<em>' . $this->user->id() . '</em>');
$this->assertSession()->responseContains('<em>' . $this->user->id() . '</em>');
}
/** * Tests the metadata for the "new"/"updated" indicators. */
public function testTrackerHistoryMetadata() {
$this->drupalLogin($this->user);
// Create a page node. $edit = [