Issue #2506485 by justAChris, akalata, subhojit777: Test that Header label + customized label wrapper of a Views table display is not double escaped

2015-11-25 09:57:08 +00:00 · 2015-11-25 09:57:08 +00:00 · 62dc3b3d9a
parent 3c4cc2a6d5
commit 62dc3b3d9a
2 changed files with 89 additions and 1 deletions
--- a/core/modules/views/src/Tests/ViewsEscapingTest.php
+++ b/core/modules/views/src/Tests/ViewsEscapingTest.php
@ -19,7 +19,7 @@ class ViewsEscapingTest extends ViewTestBase {
   *
   * @var array
   */
-  public static $testViews = array('test_page_display');
+  public static $testViews = array('test_page_display', 'test_field_header');

  /**
   * Used by WebTestBase::setup()
@ -69,4 +69,21 @@ class ViewsEscapingTest extends ViewTestBase {
    $this->assertNoEscaped('<');
  }

+  /**
+   * Tests for incorrectly escaped markup in a header label on a display table.
+   */
+  public function testViewsFieldHeaderEscaping() {
+    // Test with a field header label having an html element wrapper.
+    $this->drupalGet('test_field_header');
+
+    // Assert that there are no escaped '<'s characters.
+    $this->assertNoEscaped('<');
+
+    // Test with a field header label having a XSS test as a wrapper.
+    $this->drupalGet('test_field_header_xss');
+
+    // Assert that XSS test is escaped.
+    $this->assertNoRaw('<script>alert("XSS")</script>', 'Harmful tags are escaped in header label.');
+  }
+
 }
--- a/core/modules/views/tests/modules/views_test_config/test_views/views.view.test_field_header.yml
+++ b/core/modules/views/tests/modules/views_test_config/test_views/views.view.test_field_header.yml
@ -0,0 +1,71 @@
+langcode: en
+status: true
+dependencies: {  }
+id: test_field_header
+label: null
+module: views
+description: ''
+tag: ''
+base_table: views_test_data
+base_field: nid
+core: '8'
+display:
+  default:
+    display_options:
+      fields:
+        name:
+          id: name
+          table: views_test_data
+          field: name
+          plugin_id: string
+          element_label_type: h2
+      style:
+        type: table
+      display_extenders: {  }
+    display_plugin: default
+    display_title: Master
+    id: default
+    position: 0
+    cache_metadata:
+      max-age: 0
+      contexts:
+        - 'languages:language_interface'
+        - url.query_args
+      tags: {  }
+  page_1:
+    display_options:
+      path: test_field_header
+      display_extenders: {  }
+    display_plugin: page
+    display_title: Page
+    id: page_1
+    position: 1
+    cache_metadata:
+      max-age: 0
+      contexts:
+        - 'languages:language_interface'
+        - url.query_args
+      tags: {  }
+  page_2:
+    display_options:
+      path: test_field_header_xss
+      defaults:
+        fields: false
+      fields:
+        name:
+          id: name
+          table: views_test_data
+          field: name
+          plugin_id: string
+          element_label_type: 'script>alert("XSS")</script'
+      display_extenders: {  }
+    display_plugin: page
+    display_title: 'Page 2'
+    id: page_2
+    position: 2
+    cache_metadata:
+      max-age: 0
+      contexts:
+        - 'languages:language_interface'
+        - url.query_args
+      tags: {  }