function NodeTitleXSSTestCase::testNodeTitleXSS

7.x node.test NodeTitleXSSTestCase::testNodeTitleXSS()

Tests XSS functionality with a node entity.

File

drupal-7.x/modules/node/node.test, line 723: Tests for node.module.

Class

NodeTitleXSSTestCase: Tests XSS functionality with a node entity.

Code

function testNodeTitleXSS() {
  // Prepare a user to do the stuff.
  $web_user = $this->drupalCreateUser(array('create page content', 'edit any page content'));
  $this->drupalLogin($web_user);

  $xss = '<script>alert("xss")</script>';
  $title = $xss . $this->randomName();
  $edit = array("title" => $title);

  $this->drupalPost('node/add/page', $edit, t('Preview'));
  $this->assertNoRaw($xss, 'Harmful tags are escaped when previewing a node.');

  $settings = array('title' => $title);
  $node = $this->drupalCreateNode($settings);

  $this->drupalGet('node/' . $node->nid);
  // assertTitle() decodes HTML-entities inside the <title> element.
  $this->assertTitle($edit["title"] . ' | Drupal', 'Title is diplayed when viewing a node.');
  $this->assertNoRaw($xss, 'Harmful tags are escaped when viewing a node.');

  $this->drupalGet('node/' . $node->nid . '/edit');
  $this->assertNoRaw($xss, 'Harmful tags are escaped when editing a node.');
}