X-Git-Url: http://aleph1.co.uk/gitweb/?a=blobdiff_plain;f=web%2Fcore%2Fmodules%2Fsystem%2Ftests%2Fsrc%2FFunctional%2FForm%2FElementsLabelsTest.php;h=91f3ec4a59d47d3d1e35b380ae4a5655c38fd62e;hb=1c1cb0980bfa6caf0c24cce671b6bb541dc87583;hp=6747ed63fb108b3c1d38c86b0325e8239b589e33;hpb=9917807b03b64faf00f6a1f29dcb6eafc454efa5;p=yaffs-website
diff --git a/web/core/modules/system/tests/src/Functional/Form/ElementsLabelsTest.php b/web/core/modules/system/tests/src/Functional/Form/ElementsLabelsTest.php
index 6747ed63f..91f3ec4a5 100644
--- a/web/core/modules/system/tests/src/Functional/Form/ElementsLabelsTest.php
+++ b/web/core/modules/system/tests/src/Functional/Form/ElementsLabelsTest.php
@@ -2,6 +2,7 @@
 namespace Drupal\Tests\system\Functional\Form;
+use Drupal\form_test\Form\FormTestLabelForm;
 use Drupal\Tests\BrowserTestBase;
 /**
@@ -96,6 +97,17 @@ class ElementsLabelsTest extends BrowserTestBase {
 $this->assertTrue(!empty($elements), "Title/Label not displayed when 'visually-hidden' attribute is set in radios.");
 }
+ /**
+ * Tests XSS-protection of element labels.
+ */
+ public function testTitleEscaping() {
+ $this->drupalGet('form_test/form-labels');
+ foreach (FormTestLabelForm::$typesWithTitle as $type) {
+ $this->assertSession()->responseContains("$type alert('XSS') is XSS filtered!");
+ $this->assertSession()->responseNotContains("$type is XSS filtered!");
+ }
+ }
+
 /**
 * Tests different display options for form element descriptions.
 */
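Review bot: The `foreach` in `testTitleEscaping()` passes vacuously if `FormTestLabelForm::$typesWithTitle` is ever empty, because no assertion runs outside the loop; adding `$this->assertNotEmpty(FormTestLabelForm::$typesWithTitle);` before it would keep the XSS check from silently disappearing. As displayed on this page, the `responseNotContains()` argument has no markup in it. Presumably a tag was lost in rendering, so confirm in the file that this assertion names the raw payload rather than plain text. The method name says "Escaping", yet the positive assertion expects the inner text to survive and both strings say "XSS filtered", so the docblock could read `Tests that markup in element titles is filtered out while the text is kept.` The enclosing class starts and ends outside the hunk.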