3 namespace Drupal\Tests\field\Functional\EntityReference;
5 use Drupal\Core\Entity\Entity\EntityFormDisplay;
6 use Drupal\Core\Entity\Entity\EntityViewDisplay;
7 use Drupal\Tests\BrowserTestBase;
8 use Drupal\field\Tests\EntityReference\EntityReferenceTestTrait;
11 * Tests that HTML markup in referenced entity titles and bundle labels is escaped, not rendered, by entity reference widgets and formatters (stored XSS guard).
13 * @group entity_reference
15 class EntityReferenceXSSTest extends BrowserTestBase {
17 use EntityReferenceTestTrait;
24 protected static $modules = ['node'];
27 * Tests that markup in a referenced node title and in a target bundle label is escaped in the options_select and options_buttons widgets and in the entity_reference_label formatter.
29 public function testEntityReferenceXSS() {
30 $this->drupalCreateContentType(['type' => 'article']);
32 // Create a node whose title contains HTML markup; it is the reference target whose escaping is asserted below.
33 $node_type_one = $this->drupalCreateContentType();
35 'type' => $node_type_one->id(),
36 'title' => '<em>I am kitten</em>',
38 $referenced_node = $this->drupalCreateNode($node);
40 $node_type_two = $this->drupalCreateContentType(['name' => '<em>bundle with markup</em>']);
41 $this->drupalCreateNode([
42 'type' => $node_type_two->id(),
43 'title' => 'My bundle has markup',
46 $this->createEntityReferenceField('node', 'article', 'entity_reference_test', 'Entity Reference test', 'node', 'default', ['target_bundles' => [$node_type_one->id(), $node_type_two->id()]]);
48 EntityFormDisplay::load('node.article.default')
49 ->setComponent('entity_reference_test', ['type' => 'options_select'])
51 EntityViewDisplay::load('node.article.default')
52 ->setComponent('entity_reference_test', ['type' => 'entity_reference_label'])
55 // Create an article that references the node with markup in its title; the title must appear escaped in the select widget and, after saving, in the page rendered by the label formatter.
56 $this->drupalLogin($this->rootUser);
57 $this->drupalGet('node/add/article');
58 $this->assertEscaped($referenced_node->getTitle());
59 $this->assertEscaped($node_type_two->label());
62 'title[0][value]' => $this->randomString(),
63 'entity_reference_test' => $referenced_node->id()
65 $this->drupalPostForm(NULL, $edit, 'Save and publish');
66 $this->assertEscaped($referenced_node->getTitle());
68 // Switch the widget to options_buttons and verify the referenced title is still escaped.
69 EntityFormDisplay::load('node.article.default')
70 ->setComponent('entity_reference_test', ['type' => 'options_buttons'])
72 $this->drupalGet('node/add/article');
73 $this->assertEscaped($referenced_node->getTitle());
74 // options_buttons does not render optgroups, so the bundle label (shown as an optgroup by the select widget) must not appear at all here; this asserts absence rather than escaping.
75 $this->assertNoText('bundle with markup');