diff --git a/core/modules/user/src/Tests/UserAdminTest.php b/core/modules/user/src/Tests/UserAdminTest.php
index cf942f9..43eca37 100644
--- a/core/modules/user/src/Tests/UserAdminTest.php
+++ b/core/modules/user/src/Tests/UserAdminTest.php
@@ -42,7 +42,7 @@ function testUserAdmin() {
$user_storage = $this->container->get('entity.manager')->getStorage('user');
// Create admin user to delete registered user.
- $admin_user = $this->drupalCreateUser(array('administer users'));
+ $admin_user = $this->drupalCreateUser(array('administer users', 'administer permissions'));
// Use a predictable name so that we can reliably order the user admin page
// by name.
$admin_user->name = 'Admin user';
@@ -95,6 +95,16 @@ function testUserAdmin() {
$this->assertNoText($user_b->getUsername(), 'User B not on filtered by role on admin users page');
$this->assertText($user_c->getUsername(), 'User C on filtered by role on admin users page');
+ // Check that a role is correctly escaped.
+ $role_name = "123 & more";
+ $edit = array('label' => $role_name, 'id' => '123');
+ $this->drupalPostForm('admin/people/roles/add', $edit, t('Save'));
+ $this->drupalGet('admin/people');
+ // Assert escaped correctly.
+ $this->assertEscaped("123 & alert('xss');more");
+ $this->assertNoRaw("");
+ $this->assertNoEscaped('&');
+
// Test blocking of a user.
$account = $user_storage->load($user_c->id());
$this->assertTrue($account->isActive(), 'User C not blocked');
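Review bot: The escaping assertions at L22–L24 do not line up with the value actually posted at L17: the label submitted is `"123 & more"`, yet assertEscaped() is handed `"123 & alert('xss');more"`, assertNoRaw("") checks for an empty string and so can never fail, and assertNoEscaped('&') fails as soon as any other escaped ampersand appears on admin/people (a query-string link is enough). If markup inside these literals was dropped when this page was rendered the first two may be artefacts, but as shown the positive check should be `$this->assertEscaped($role_name);` and the negative checks should target the specific part of the label that must not be rendered raw rather than a bare `&`. testUserAdmin() starts and ends outside this hunk.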
diff --git a/core/modules/user/src/Tests/UserRoleAdminTest.php b/core/modules/user/src/Tests/UserRoleAdminTest.php
index a01c01e..91ca773 100644
--- a/core/modules/user/src/Tests/UserRoleAdminTest.php
+++ b/core/modules/user/src/Tests/UserRoleAdminTest.php
@@ -8,6 +8,7 @@
namespace Drupal\user\Tests;
use Drupal\simpletest\WebTestBase;
+use Drupal\system\Entity\Action;
use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;
@@ -58,12 +59,21 @@ function testRoleAdministration() {
// Test adding a role. (In doing so, we use a role name that happens to
// correspond to an integer, to test that the role administration pages
// correctly distinguish between role names and IDs.)
- $role_name = '123';
- $edit = array('label' => $role_name, 'id' => $role_name);
+ $role_name = '123 & more';
+ $edit = array('label' => $role_name, 'id' => '123');
$this->drupalPostForm('admin/people/roles/add', $edit, t('Save'));
- $this->assertRaw(t('Role %label has been added.', array('%label' => 123)));
- $role = Role::load($role_name);
+ $this->assertRaw(t('Role %label has been added.', array('%label' => $role_name)));
+ $role = Role::load('123');
$this->assertTrue(is_object($role), 'The role was successfully retrieved from the database.');
+ // Assert escaped correctly.
+ $this->assertEscaped('123 & more');
+
+ // Test that the corresponding actions have been created and have the
+ // expected label.
+ $action = Action::load('user_add_role_action.' . $role->id());
+ $this->assertIdentical('Add the 123 & more role to the selected users', $action->label());
+ $action = Action::load('user_remove_role_action.' . $role->id());
+ $this->assertIdentical('Remove the 123 & more role from the selected users', $action->label());
// Check that the role was created in site default language.
$this->assertEqual($role->language()->getId(), $default_langcode);
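Review bot: Action::load() returns NULL when no entity with that ID exists, so if the add-role action was not created the `$action->label()` call at L59 (and L61) fatals the test run instead of producing an assertion failure; guard each load with `$this->assertNotNull($action, 'Add role action exists.');` (and the remove counterpart) before reading the label. The same unguarded pattern is repeated in the rename hunk below, at the two loads preceding the "456" assertions. The expected labels also repeat the literal role name instead of interpolating the `$role_name` variable that was posted, e.g. `"Add the {$role_name} role to the selected users"`, which keeps the assertion tied to the submitted value. testRoleAdministration() starts and ends outside this hunk.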
@@ -80,6 +90,12 @@ function testRoleAdministration() {
\Drupal::entityManager()->getStorage('user_role')->resetCache(array($role->id()));
$new_role = Role::load($role->id());
$this->assertEqual($new_role->label(), $role_name, 'The role name has been successfully changed.');
+ // Test that the corresponding actions still exist and have the
+ // expected label.
+ $action = Action::load('user_add_role_action.' . $role->id());
+ $this->assertIdentical("Add the 456 role to the selected users", $action->label());
+ $action = Action::load('user_remove_role_action.' . $role->id());
+ $this->assertIdentical("Remove the 456 role from the selected users", $action->label());
// Test deleting a role.
$this->drupalGet("admin/people/roles/manage/{$role->id()}");
@@ -89,6 +105,12 @@ function testRoleAdministration() {
$this->assertNoLinkByHref("admin/people/roles/manage/{$role->id()}", 'Role edit link removed.');
\Drupal::entityManager()->getStorage('user_role')->resetCache(array($role->id()));
$this->assertFalse(Role::load($role->id()), 'A deleted role can no longer be loaded.');
+ // Test that the corresponding actions still exist and have the
+ // expected label.
+ $action = Action::load('user_add_role_action.' . $role->id());
+ $this->assertNull($action, 'Add role action deleted.');
+ $action = Action::load('user_remove_role_action.' . $role->id());
+ $this->assertNull($action, 'Remove role action deleted.');
// Make sure that the system-defined roles can be edited via the user
// interface.
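Review bot: The comment at L80–L81 says the actions "still exist and have the expected label", but the two assertions that follow check that Action::load() returns NULL, i.e. that they were removed together with the role; the text was copied from the rename hunk above. Replace it with `// Test that the corresponding actions were deleted along with the role.`. testRoleAdministration() continues outside this hunk.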