assertNoEscaped example

  /**
   * Tests that nothing is escaped other than the blocks explicitly tested.
   */
  public function testNoUnexpectedEscaping() {
    $this->drupalLogin($this->drupalCreateUser([
      'administer blocks',
      'access administration pages',
    ]));
    $this->drupalGet(Url::fromRoute('block.admin_display'));
    $this->clickLink('Place block');
    $this->assertSession()->assertNoEscaped('<');
  }

  /**
   * Tests XSS in title.
   */
  public function testXssInTitle() {
    $this->container->get('module_installer')->install(['block_test']);
    $this->drupalPlaceBlock('test_xss_title', ['label' => '<script>alert("XSS label");</script>']);

    \Drupal::state()->set('block_test.content', $this->randomMachineName());
    $this->drupalGet('');
    
  /**
   * Tests assertEscaped() and assertNoEscaped().
   *
   * @see \Drupal\Tests\WebAssert::assertNoEscaped()
   * @see \Drupal\Tests\WebAssert::assertEscaped()
   */
  public function testEscapingAssertions() {
    $assert = $this->assertSession();

    $this->drupalGet('test-escaped-characters');
    $assert->assertNoEscaped('<div class="escaped">');
    $assert->responseContains('<div class="escaped">');
    $assert->assertEscaped('Escaped: <"\'&>');

    $this->drupalGet('test-escaped-script');
    $assert->assertNoEscaped('<div class="escaped">');
    $assert->responseContains('<div class="escaped">');
    $assert->assertEscaped("<script>alert('XSS');alert(\"XSS\");</script>");

    $this->drupalGetWithAlert('test-unescaped-script');
    $assert->assertNoEscaped('<div class="unescaped">');
    $assert->responseContains('<div class="unescaped">');
    
$this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
    // Verify that the token label is properly escaped.     $this->assertSession()->assertEscaped('{{ title }} == <marquee>test</marquee>');
    $this->assertSession()->assertEscaped('{{ title_1 }} == <script>alert("XSS")</script>');
  }

  /**
   * Checks the admin UI for double escaping.
   */
  public function testNoDoubleEscaping() {
    $this->drupalGet('admin/structure/views');
    $this->assertSession()->assertNoEscaped('&lt;');

    $this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
    $this->assertSession()->assertNoEscaped('&lt;');

    $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
    $this->assertSession()->assertNoEscaped('&lt;');
  }

}
$edit = [];
    $edit['subject[0][value]'] = $this->randomMachineName(8);
    $edit['comment_body[0][value]'] = $this->randomMachineName(16);
    $this->drupalGet('node/' . $this->node->id());
    $this->submitForm($edit, 'Preview');
    $this->assertSession()->assertEscaped('<em>' . $this->webUser->id() . '</em>');

    \Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE);
    $this->drupalGet('node/' . $this->node->id());
    $this->submitForm($edit, 'Preview');
    $this->assertInstanceOf(MarkupInterface::class$this->webUser->getDisplayName());
    $this->assertSession()->assertNoEscaped('<em>' . $this->webUser->id() . '</em>');
    $this->assertSession()->responseContains('<em>' . $this->webUser->id() . '</em>');

    // Add a user picture.     $image = current($this->drupalGetTestFiles('image'));
    $user_edit['files[user_picture_0]'] = \Drupal::service('file_system')->realpath($image->uri);
    $this->drupalGet('user/' . $this->webUser->id() . '/edit');
    $this->submitForm($user_edit, 'Save');

    // As the web user, fill in the comment form and preview the comment.     $this->drupalGet('node/' . $this->node->id());
    $this->submitForm($edit, 'Preview');

    
  /**
   * Tests batches defined in a form submit handler.
   */
  public function testBatchForm() {
    // Batch 0: no operation.     $edit = ['batch' => 'batch_0'];
    $this->drupalGet('batch-test');
    $this->submitForm($edit, 'Submit');
    // If there is any escaped markup it will include at least an escaped '<'     // character, so assert on each page that there is no escaped '<' as a way     // of verifying that no markup is incorrectly escaped.     $this->assertSession()->assertNoEscaped('<');
    $this->assertBatchMessages($this->_resultMessages('batch_0'));
    $this->assertSession()->pageTextContains('Redirection successful.');

    // Batch 1: several simple operations.     $edit = ['batch' => 'batch_1'];
    $this->drupalGet('batch-test');
    $this->submitForm($edit, 'Submit');
    $this->assertSession()->assertNoEscaped('<');
    $this->assertBatchMessages($this->_resultMessages('batch_1'));
    $this->assertEquals($this->_resultStack('batch_1')batch_test_stack(), 'Execution order was correct.');
    $this->assertSession()->pageTextContains('Redirection successful.');

    
// Make the image field non-translatable.     $edit = ['settings[node][article][fields][field_image]' => FALSE];
    $this->drupalGet('admin/config/regional/content-language');
    $this->submitForm($edit, 'Save configuration');

    // Create a node.     $nid = $this->createEntity(['title' => 'Node with multi-value image field en title'], 'en');

    // Add a French translation and assert the title markup is not escaped.     $this->drupalGet("node/$nid/translations/add/en/fr");
    $markup = 'Image <span class="translation-entity-all-languages">(all languages)</span>';
    $this->assertSession()->assertNoEscaped($markup);
    $this->assertSession()->responseContains($markup);
  }

  /**
   * Tests that language neutral content uses the interface language.
   *
   * When language neutral content is displayed on an interface language, the
   * interface language should be used when creating the content link.
   */
  public function testUrlPrefixOnLanguageNeutralContent() {
    $this->drupalLogin($this->administrator);
    
    $this->clickLink('Add new comment');
    $this->assertSession()->statusCodeEquals(200);
    $this->assertSession()->fieldExists('comment_body[0][value]');

    // Log in as the first user.     $this->drupalLogin($this->adminUser);
    // Check that forum renders properly.     $this->drupalGet("forum/{$this->forum['tid']}");
    $this->assertSession()->statusCodeEquals(200);

    // Verify there is no unintentional HTML tag escaping.     $this->assertSession()->assertNoEscaped('<');
  }

  /**
   * Creates a forum topic.
   *
   * @param array $forum
   *   A forum array.
   * @param bool $container
   *   TRUE if $forum is a container; FALSE otherwise.
   *
   * @return object|null
   *   The created topic node or NULL if the forum is a container.
   */
  /**
   * Tests assertEscaped() and assertNoEscaped().
   *
   * @see \Drupal\Tests\WebAssert::assertNoEscaped()
   * @see \Drupal\Tests\WebAssert::assertEscaped()
   */
  public function testEscapingAssertions() {
    $assert = $this->assertSession();

    $this->drupalGet('test-escaped-characters');
    $assert->assertNoEscaped('<div class="escaped">');
    $assert->responseContains('<div class="escaped">');
    $assert->assertEscaped('Escaped: <"\'&>');

    $this->drupalGet('test-escaped-script');
    $assert->assertNoEscaped('<div class="escaped">');
    $assert->responseContains('<div class="escaped">');
    $assert->assertEscaped("<script>alert('XSS');alert(\"XSS\");</script>");

    $this->drupalGet('test-unescaped-script');
    $assert->assertNoEscaped('<div class="unescaped">');
    $assert->responseContains('<div class="unescaped">');
    
$this->enableViewsTestModule();
  }

  /**
   * Tests for incorrectly escaped markup in the views-view-fields.html.twig.
   */
  public function testViewsViewFieldsEscaping() {
    // Test with system theme using theme function.     $this->drupalGet('test_page_display_200');

    // Assert that there are no escaped '<'s characters.     $this->assertSession()->assertNoEscaped('<');

    // Install theme to test with template system.     \Drupal::service('theme_installer')->install(['views_test_theme']);

    // Make base theme default then test for hook invocations.     $this->config('system.theme')
      ->set('default', 'views_test_theme')
      ->save();
    $this->assertEquals('views_test_theme', $this->config('system.theme')->get('default'));

    $this->drupalGet('test_page_display_200');

    
// Search for the comment body.     $edit = [
      'keys' => "'" . $comment_body . "'",
    ];
    $this->submitForm($edit, 'Search');
    $this->assertSession()->pageTextContains($node2->label());

    // Verify that comment is rendered using proper format.     $this->assertSession()->pageTextContains($comment_body);
    // Verify that HTML in comment body is not hidden.     $this->assertSession()->pageTextNotContains('n/a');
    $this->assertSession()->assertNoEscaped($edit_comment['comment_body[0][value]']);

    // Search for the evil script comment subject.     $edit = [
      'keys' => 'subjectkeyword',
    ];
    $this->drupalGet('search/node');
    $this->submitForm($edit, 'Search');

    // Verify the evil comment subject is escaped in search results.     $this->assertSession()->responseContains('&lt;script&gt;alert(&#039;<strong>subjectkeyword</strong>&#039;);');
    $this->assertSession()->responseNotContains('<script>');

    
if ($response == 200) {
        $this->assertSession()->titleEquals("$name | Drupal");
        $this->assertEquals($name$this->cssSelect('h1.page-title')[0]->getText(), "$module heading was displayed");
        $info = \Drupal::service('extension.list.module')->getExtensionInfo($module);
        $admin_tasks = system_get_module_admin_tasks($module$info);
        if (!empty($admin_tasks)) {
          $this->assertSession()->pageTextContains($name . ' administration pages');
        }
        foreach ($admin_tasks as $task) {
          $this->assertSession()->linkExists($task['title']);
          // Ensure there are no double escaped '&' or '<' characters.           $this->assertSession()->assertNoEscaped('&amp;');
          $this->assertSession()->assertNoEscaped('&lt;');
          // Ensure there are no escaped '<' characters.           $this->assertSession()->assertNoEscaped('<');
        }
        // Ensure there are no double escaped '&' or '<' characters.         $this->assertSession()->assertNoEscaped('&amp;');
        $this->assertSession()->assertNoEscaped('&lt;');

        // The help for CKEditor 5 intentionally has escaped '<' so leave this         // iteration before the assertion below.         if ($module === 'ckeditor5') {
          
$this->assertSession()->pageTextContains('filtered text');

    // Disable the format.     $format->disable()->save();

    $this->drupalGet($node->toUrl());

    // The format is not used anymore.     $this->assertSession()->pageTextNotContains('filtered text');
    // The text is not displayed unfiltered or escaped.     $this->assertSession()->responseNotContains($body_value);
    $this->assertSession()->assertNoEscaped($body_value);

    // Visit the dblog report page.     $this->drupalLogin($this->adminUser);
    $this->drupalGet('admin/reports/dblog');
    // The correct message has been logged.     $this->assertSession()->pageTextContains(sprintf('Disabled text format: %s.', $format_id));

    // Programmatically change the text format to something random so we trigger     // the missing text format message.     $format_id = $this->randomMachineName();
    $node->body->format = $format_id;
    
// Test escaping of title on user's tracker tab.     \Drupal::service('module_installer')->install(['user_hooks_test']);
    Cache::invalidateTags(['rendered']);
    \Drupal::state()->set('user_hooks_test_user_format_name_alter', TRUE);
    $this->drupalGet('user/' . $this->user->id() . '/activity');
    $this->assertSession()->assertEscaped('<em>' . $this->user->id() . '</em>');

    \Drupal::state()->set('user_hooks_test_user_format_name_alter_safe', TRUE);
    Cache::invalidateTags(['rendered']);
    $this->drupalGet('user/' . $this->user->id() . '/activity');
    $this->assertSession()->assertNoEscaped('<em>' . $this->user->id() . '</em>');
    $this->assertSession()->responseContains('<em>' . $this->user->id() . '</em>');
  }

  /**
   * Tests the metadata for the "new"/"updated" indicators.
   */
  public function testTrackerHistoryMetadata() {
    $this->drupalLogin($this->user);

    // Create a page node.     $edit = [
      