drupalLogin($this->drupalCreateUser(['administer blocks', 'access administration pages'])); $this->drupalGet(Url::fromRoute('block.admin_display')); $this->clickLink('Place block'); $this->assertNoEscaped('<'); }

  /**
   * Tests that a block title is escaped when rendered and in the admin UI.
   *
   * The block placed here ('test_xss_title' from block_test) is expected to
   * carry a hostile title; the assertions check that it never reaches the
   * response as raw markup, first on the front page and then on the block
   * layout page of the default theme.
   *
   * NOTE(review): the string arguments of the assertNoRaw() calls in this
   * method (and in several sibling methods) are empty in this copy of the
   * file. They look like markup that was stripped during extraction, so the
   * assertions as shown do not test what the messages describe. Confirm the
   * intended payload against the upstream source.
   */
  public function testXssInTitle() {
    $this->container->get('module_installer')->install(['block_test']);
    $this->drupalPlaceBlock('test_xss_title', ['label' => '']);
    \Drupal::state()->set('block_test.content', $this->randomMachineName());

    // Front page, anonymous render path.
    $this->drupalGet('');
    $this->assertNoRaw('', 'The block title was properly sanitized when rendered.');

    // Block layout page of the default theme, administrative render path.
    $this->loginAsBlockAdministrator();
    $defaultTheme = $this->config('system.theme')->get('default');
    $this->drupalGet('admin/structure/block/list/' . $defaultTheme);
    $this->assertNoRaw("", 'The block title was properly sanitized in Block Plugin UI Admin page.');
  }

  /**
   * Tests that a block category is escaped in the "Place block" library.
   *
   * NOTE(review): the assertNoRaw() argument is empty in this copy; see the
   * note on testXssInTitle().
   */
  public function testXssInCategory() {
    $this->container->get('module_installer')->install(['block_test']);
    $this->drupalPlaceBlock('test_xss_title');
    $this->loginAsBlockAdministrator();
    $this->goToPlaceBlockLibrary();
    $this->assertNoRaw("");
  }

  /**
   * Tests the admin labels of blocks provided by Views, Menu and Block Content.
   *
   * Each do*Test() helper creates an entity with a hostile label and asserts
   * that the block library shows it only in escaped form. The final check
   * guards the opposite failure mode: an already-escaped "&lt;" appearing in
   * the raw response would mean the label was escaped twice.
   */
  public function testBlockXss() {
    $this->drupalLogin($this->rootUser);

    $this->doViewTest();
    $this->doMenuTest();
    $this->doBlockContentTest();

    $this->goToPlaceBlockLibrary();
    $this->assertNoRaw('&lt;', 'The page does not have double escaped HTML tags.');
  }

  /**
   * Tests XSS coming from View block labels.
   *
   * NOTE(review): the View labels and several assertion arguments are empty
   * strings in this copy; see the note on testXssInTitle().
   */
  protected function doViewTest() {
    // A View whose block Display has no custom label: the block's admin_label
    // is just the View label.
    $unlabelledView = View::create([
      'id' => $this->randomMachineName(),
      'label' => '',
    ]);
    $unlabelledView->addDisplay('block');
    $unlabelledView->save();

    // A View whose block Display does have a custom label: the block's
    // admin_label is the View label followed by ": " and the Display label.
    $labelledView = View::create([
      'id' => $this->randomMachineName(),
      'label' => '',
    ]);
    $labelledView->addDisplay('block', 'Fish & chips');
    $labelledView->save();

    $this->goToPlaceBlockLibrary();

    // \Drupal\views\Plugin\Derivative\ViewsBlock::getDerivativeDefinitions()
    // builds the admin label through two code paths (View label only, or
    // View label plus Display label). Cover both: no ":" follows the first
    // View's label, a ":" follows the second one's. The second assertion is
    // repeated below together with the Display label; it is kept here so the
    // two code paths are visible side by side.
    $this->assertNoEscaped(':');
    $this->assertEscaped(':');

    // The admin labels must be present in escaped form only.
    $this->assertEscaped('');
    $this->assertNoRaw('');
    $this->assertEscaped(': Fish & chips');
    $this->assertNoRaw('');
    $this->assertNoRaw('Fish & chips');

    // The Display label must not be escaped twice.
    // NOTE(review): in this copy the first line below repeats the previous
    // assertion, and the second asserts the absence of the single-escaped
    // form — which contradicts assertEscaped(': Fish & chips') above, since
    // that asserts the same escaped text IS present. The double-escaped form
    // ("&amp;amp;") was probably collapsed by extraction; confirm upstream.
    $this->assertNoRaw('Fish & chips');
    $this->assertNoRaw('Fish &amp; chips');
  }

  /**
   * Tests XSS coming from Menu block labels.
   *
   * NOTE(review): the Menu label and assertion arguments are empty strings in
   * this copy; see the note on testXssInTitle().
   */
  protected function doMenuTest() {
    $hostileMenu = Menu::create([
      'id' => $this->randomMachineName(),
      'label' => '',
    ]);
    $hostileMenu->save();

    $this->goToPlaceBlockLibrary();
    $this->assertEscaped('');
    $this->assertNoRaw('');
  }

  /**
   * Tests XSS coming from Block Content block info.
   *
   * NOTE(review): the 'info' value and assertion arguments are empty strings
   * in this copy; see the note on testXssInTitle().
   */
  protected function doBlockContentTest() {
    $basicType = BlockContentType::create([
      'id' => 'basic',
      'label' => 'basic',
      'revision' => TRUE,
    ]);
    $basicType->save();

    $hostileBlock = BlockContent::create([
      'type' => 'basic',
      'info' => '',
    ]);
    $hostileBlock->save();

    $this->goToPlaceBlockLibrary();
    $this->assertEscaped('');
    $this->assertNoRaw('');
  }

  /**
   * Logs in a freshly created user who may administer blocks.
   */
  protected function loginAsBlockAdministrator() {
    $this->drupalLogin($this->drupalCreateUser(['administer blocks', 'access administration pages']));
  }

  /**
   * Opens the block layout page and follows its "Place block" link.
   *
   * The resulting block library lists every available block by admin label
   * and category, which is where the labels under test are rendered.
   */
  protected function goToPlaceBlockLibrary() {
    $this->drupalGet(Url::fromRoute('block.admin_display'));
    $this->clickLink('Place block');
  }

}