authorAlex Pott2015-07-30 14:54:13 +0100
committerAlex Pott2015-07-30 14:54:13 +0100
commit93cb20d61d12fa7caa1d88c695b44ca78071f4ac (patch)
treedc67eef42a49c5645b7685cf87ad9fdbbb152354
parentd4011a542322a82a9bbf7dd0412e01a0736ca49b (diff)
Issue #2539246 by brandon.holtsclaw, cilefen, pwolanin: Search page local task label was an XSS vector—add tests
-rw-r--r--core/modules/search/src/Tests/SearchPageTextTest.php17
1 files changed, 16 insertions, 1 deletions
diff --git a/core/modules/search/src/Tests/SearchPageTextTest.php b/core/modules/search/src/Tests/SearchPageTextTest.php
index ad311d6..408848c 100644
--- a/core/modules/search/src/Tests/SearchPageTextTest.php
+++ b/core/modules/search/src/Tests/SearchPageTextTest.php
@@ -31,6 +31,22 @@ class SearchPageTextTest extends SearchTestBase {
}
/**
+ * Tests for XSS in search module local task.
+ *
+ * This is a regression test for https://www.drupal.org/node/2338081
+ */
+ function testSearchLabelXSS() {
+ $this->drupalLogin($this->drupalCreateUser(array('administer search')));
+
+ $keys['label'] = '<script>alert("Dont Panic");</script>';
+ $this->drupalPostForm('admin/config/search/pages/manage/node_search', $keys, t('Save search page'));
+
+ $this->drupalLogin($this->searchingUser);
+ $this->drupalGet('search/node');
+ $this->assertEscaped($keys['label']);
+ }
+
+ /**
* Tests the failed search text, and various other text on the search page.
*/
function testSearchText() {
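Review bot: The final `$this->assertEscaped($keys['label']);` in testSearchLabelXSS() only shows that the escaped form of the label appears somewhere on `search/node`. As far as I recall, that assertion does not fail if the raw `<script>` string is also printed elsewhere on the page, for example in the local task this test is named after. Adding `$this->assertNoRaw($keys['label']);` directly after it would make the regression test fail whenever the unescaped label is output anywhere. The test also never checks that the form post saved the label, so an `$this->assertResponse(200);` after `drupalPostForm()` would give a clearer failure if the save is rejected.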
@@ -135,6 +151,5 @@ class SearchPageTextTest extends SearchTestBase {
$this->drupalPostForm('search/node', array('keys' => '.something'), t('Search'));
$this->assertResponse(200, 'Searching for .something does not lead to a 403 error');
$this->assertText('no results', 'Searching for .something gives you a no search results page');
-
}
}