alert("xss");'; /** * String that causes an alert when metatags aren't filtered for xss. * * @var string */ private $xssString = '"> 'Metatag core tests for XSS.', 'description' => 'Test Metatag for XSS vulnerabilities.', 'group' => 'Metatag', ); } /** * {@inheritdoc} */ function setUp(array $modules = array()) { parent::setUp($modules); $content_type = 'page'; // Create an admin user and log them in. $perms = array( // Needed for the content type. 'create ' . $content_type . ' content', 'delete any ' . $content_type . ' content', 'edit any ' . $content_type . ' content', // This permission is required in order to create new revisions. 'administer nodes', ); $this->adminUser = $this->createAdminUser($perms); $this->drupalLogin($this->adminUser); // Generate the encoded version of $xssImageString. // '' $prefix = ''; $this->escapedXssImageTag = $prefix . $url . $value . $suffix; } /** * Verify XSS injected in global Node config is not rendered. */ function testXssMetatagConfig() { // Submit the form with some example XSS values. $this->drupalGet('admin/config/search/metatags/config/global'); $this->assertResponse(200); $edit = array( 'metatags[und][title][value]' => $this->xssTitleString, 'metatags[und][abstract][value]' => $this->xssString, 'metatags[und][image_src][value]' => $this->xssImageString, ); $this->drupalPost(NULL, $edit, t('Save')); $this->assertResponse(200); // Use front page to test. $this->drupalGet(''); // Verify title is clean. $this->assertNoTitle($this->xssTitleString); $this->assertNoRaw($this->xssTitleString); // Verify the abstract is clean. $this->assertRaw($this->escapedXssTag); $this->assertNoRaw($this->xssString); // Verify the image_src is clean. $this->assertRaw($this->escapedXssImageTag); $this->assertNoRaw($this->xssImageString); } /** * Verify XSS injected in the entity metatag override field is not rendered. */ public function testXssEntityOverride() { $title = 'Test Page'; // Load a page node. $this->drupalGet('node/add/page'); $this->assertResponse(200); // Submit the node with some example XSS values. $edit = array( 'title' => $title, 'metatags[und][title][value]' => $this->xssTitleString, 'metatags[und][description][value]' => $this->xssString, 'metatags[und][abstract][value]' => $this->xssString, ); $this->drupalPost(NULL, $edit, t('Save')); // Verify the page saved. $this->assertResponse(200); $this->assertText(t('Basic page @title has been created.', array('@title' => $title))); // Verify title is not the injected string and thus cleaned. $this->assertNoTitle($this->xssTitleString); $this->assertNoRaw($this->xssTitleString); // Verify the description and abstract are clean. $this->assertRaw($this->escapedXssTag); $this->assertNoRaw($this->xssString); } /** * Verify XSS injected in the entity titles are not rendered. */ public function testXssEntityTitle() { // Load a page node. $this->drupalGet('node/add/page'); $this->assertResponse(200); // Submit the node with some example XSS values. $edit = array( 'title' => $this->xssTitleString, 'body[und][0][value]' => 'hello world', ); $this->drupalPost(NULL, $edit, t('Save')); // Verify the page saved. $this->assertResponse(200); $this->assertText(t('has been created.')); // Verify title is not the injected string and thus cleaned. $this->assertNoRaw($this->xssTitleString); } /** * Verify XSS injected in the body field is not rendered. */ public function testXssEntityBody() { $title = 'Hello World'; // Load a page node. $this->drupalGet('node/add/page'); $this->assertResponse(200); // Submit the node with a test body value. $edit = array( 'title' => $title, 'body[und][0][value]' => $this->xssString, ); $this->drupalPost(NULL, $edit, t('Save')); // Verify the page saved. $this->assertResponse(200); $this->assertText(t('Basic page @title has been created.', array('@title' => $title))); // Verify body field is clean. $this->assertNoRaw($this->xssString); } }