1.20.x link.validate.test LinkValidateTest::testXss()

Test if a bad URL will display if validation is disabled.

File

modules/link/tests/link.validate.test, line 97
Tests that exercise the validation functions in the link module.

Class

LinkValidateTest

Code

function testXss() {
  // Disable validation.
  $edit = array(
    'instance[settings][validate_url]' => FALSE,
  );
  $this->backdropPost('admin/structure/types/manage/page/fields/' . $this->field_name, $edit, t('Save settings'));

  $title = $this->randomName();
  $url = 'javascript:alert("http://example.com/")';
  $edit = array(
    'title' => 'Simple title',
    $this->field_name . '[und][0][url]' => $url,
    $this->field_name . '[und][0][title]' => $title,
  );
  $this->backdropPost('node/add/page', $edit, t('Save'));
  $this->assertNoText(t('The value %value provided for %field is not a valid URL.', array('%field' => $this->field_name, '%value' => trim($url))));

  $nid = db_query("SELECT MAX(nid) FROM {node}")->fetchField();
  $node = node_load($nid);
  $this->assertEqual($url, $node->{$this->field_name}['und'][0]['url']);

  $this->backdropGet('node/' . $node->nid);
  $this->assertNoRaw($url, 'Make sure Javascript does not display.');

  // Enable validation.
  $edit = array(
    'instance[settings][validate_url]' => TRUE,
  );
  $this->backdropPost('admin/structure/types/manage/page/fields/' . $this->field_name, $edit, t('Save settings'));
  $this->backdropGet('node/' . $node->nid);

  // Ensure that the field still does not render JS.
  $this->assertNoRaw($url, 'Make sure Javascript does not display.');
}