authorDries Buytaert <dries@buytaert.net>2008-08-30 13:08:05 +0000
committerDries Buytaert <dries@buytaert.net>2008-08-30 13:08:05 +0000
commit1689a63f38411158c27e921e09ea4e651bf0255f (patch)
treeb443d94d50684ba3f71ebf5d2dbcf84217ef2791
parent3ccf6d89e4628e484c5e534d3451540fecfa120f (diff)
- Patch #268706 by flobruit, lilou, bjaspan: fixed XSS on node edit form.
-rw-r--r--modules/node/node.test41
1 files changed, 38 insertions, 3 deletions
diff --git a/modules/node/node.test b/modules/node/node.test
index 62ddfbe82..9a34fa484 100644
--- a/modules/node/node.test
+++ b/modules/node/node.test
@@ -372,9 +372,9 @@ class PageViewTestCase extends DrupalWebTestCase {
'name' => t('Unauthorized node view'),
'description' => t('Creates a node of type page and then an unpermissioned user attempts to edit the node, '
. 'before tries with an anonymous user. Asserts failure.'
- . '</ br>WARNING: This is based on default registered user permissions (no administer nodes).')
- , 'group' => t('Node'),
- );
+ . '</ br>WARNING: This is based on default registered user permissions (no administer nodes).'),
+ 'group' => t('Node'),
+ );
}
function testPageView() {
@@ -399,3 +399,38 @@ class PageViewTestCase extends DrupalWebTestCase {
node_delete($node->nid);
}
}
+
+class NodeTitleXSSTestCase extends DrupalWebTestCase {
+ /**
+ * Implementation of getInfo().
+ */
+ function getInfo() {
+ return array(
+ 'name' => t('XSS attacks in node title'),
+ 'description' => t('Create a node with dangerous tags in its title, and make sure that they are escaped.'),
+ 'group' => t('Node'),
+ );
+ }
+
+ function testNodeTitleXSS() {
+ // Prepare a user to do the stuff.
+ $web_user = $this->drupalCreateUser(array('create page content', 'edit any page content'));
+ $this->drupalLogin($web_user);
+
+ $xss = '<script>alert("xss")</script>';
+
+ $edit = array(
+ 'title' => $xss . $this->randomName(),
+ );
+ $this->drupalPost('node/add/page', $edit, t('Preview'));
+ $this->assertNoRaw($xss, t('Harmful tags are escaped when previewing a node.'));
+
+ $node = $this->drupalCreateNode($edit);
+
+ $this->drupalGet('node/' . $node->nid);
+ $this->assertNoRaw($xss, t('Harmful tags are escaped when viewing a node.'));
+
+ $this->drupalGet('node/' . $node->nid . '/edit');
+ $this->assertNoRaw($xss, t('Harmful tags are escaped when editing a node.'));
+ }
+} \ No newline at end of file
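Review bot: The three `assertNoRaw($xss, ...)` checks in `testNodeTitleXSS` only prove the literal `<script>` string is absent from the preview, view and edit pages; a response that dropped or truncated the title entirely would pass the same assertions, so the test does not actually establish that the title was escaped rather than lost. Pair each negative check with a positive one on the escaped form, e.g. `$this->assertRaw(check_plain($xss), t('Escaped title is present.'));` after each `assertNoRaw`, assuming `check_plain()` is the escaping helper the fix relies on (not visible in this hunk, so confirm). The fixed payload also exercises only the `<script>` tag; the same assertions could be run over a short list of variants (an attribute-breaking `"` and an `onerror` handler) to cover the edit form's input-value context as well as the body context. Minor: the file now ends without a trailing newline.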