Add tests to cover XSS strings being passed into both config and entity override meta tag values.
Comment | File | Size | Author
---|---|---|---
#22 | metatag-n2796701-22.interdiff.txt | 3.12 KB | DamienMcKenna
#22 | metatag-n2796701-22.patch | 6.14 KB | DamienMcKenna
#8 | metatag-n2796701-8.patch | 3.72 KB | DamienMcKenna
#4 | metatag-n2796701-4.patch | 4.98 KB | DamienMcKenna
Comments
Comment #2
jlandfried CreditAttribution: jlandfried at Last Call Media commented
Hello! I wanted to take a stab at this since I don't have a ton of experience writing tests, so any and all feedback is welcome.
In order to verify that the tests do indeed fail if XSS was not being filtered, I temporarily set \Drupal\Component\Utility\Html::escape() and Drupal\Component\Render\PlainTextOutput::renderFromHtml() to both have a method body of
return (string) $text;
Thanks! Hopefully this is at least a decent start and is not too far off base.
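As an added, stand-alone illustration (not code from this issue or from the Metatag module) of the verification step described in comment #2: an XSS test for meta tag values is only meaningful if it fails once the escaping is stubbed out. The payloads, `render_meta` and `tag_is_safe` are constructed for this example; `escape=False` stands in for replacing Html::escape() with `return (string) $text;`.

```python
import html
import re

# Constructed sample payloads standing in for the "XSS strings" the issue's
# tests feed into config and entity-override meta tag values.
XSS_SAMPLES = [
    '<script>alert("xss")</script>',
    '" onload="alert(1)',
    "<img src=x onerror=alert(1)>",
]


def render_meta(name, value, escape=True):
    """Render a <meta> tag. escape=True mirrors Html::escape(); escape=False
    reproduces the 'return (string) $text;' stub from comment #2, which is
    how you prove the test actually detects unescaped output."""
    content = html.escape(value, quote=True) if escape else value
    return f'<meta name="{name}" content="{content}" />'


# Exactly one meta element whose attribute values contain no raw quote or
# angle bracket: the input could not have closed the content attribute or
# injected a new element.
META_RE = re.compile(r'^<meta name="([^"<>]*)" content="([^"<>]*)" />$')


def tag_is_safe(tag):
    """True when the rendered tag matches the strict shape above."""
    return META_RE.match(tag) is not None


def run_xss_tests(escape=True):
    """Return the payloads that survive unescaped (empty list == all pass)."""
    failures = []
    for payload in XSS_SAMPLES:
        tag = render_meta("description", payload, escape=escape)
        if not tag_is_safe(tag):
            failures.append(payload)
    return failures


if __name__ == "__main__":
    print("with escaping:   ", run_xss_tests(escape=True))   # []
    print("escaping stubbed:", run_xss_tests(escape=False))  # all three payloads
```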
Comment #3
jlandfried CreditAttribution: jlandfried at Last Call Media commented
Comment #4
DamienMcKenna
Thanks for putting this together. I tweaked the image meta tag handling a little bit, and the output slightly.
Comment #6
DamienMcKenna
Committed.
Comment #7
DamienMcKenna
Needs to be ported to the D7 branch.
Comment #8
DamienMcKenna
Some tests for the page title.
Comment #9
DamienMcKenna
Of course it'd help if I set it to test against the correct branch X-)
Comment #12
DamienMcKenna
The tests work against the 8.x-1.x branch :) Committed.
Comment #13
DamienMcKenna
Back to needing to be ported.
Comment #14
DamienMcKenna
Comment #15
mariodan CreditAttribution: mariodan at Last Call Media commented
Here is an attempt at making this xss test ported to the D7 branch. To verify the tests would fail if input was not sanitized, I disabled check_plain temporarily.
Please let me know if I should make any changes.
Thank you!
Comment #16
mariodan CreditAttribution: mariodan at Last Call Media commented
Comment #18
mariodan CreditAttribution: mariodan at Last Call Media commented
Here is that xss test ported to the D7 branch again. I think it was failing before because I created the patch wrong and a new file was not being created when the patch was applied in the test.
Comment #19
mariodan CreditAttribution: mariodan at Last Call Media commented
Comment #20
DamienMcKenna
Bumping this to beta12.
Comment #21
DamienMcKenna
Duh, it was already committed to beta11.
Comment #22
DamienMcKenna
Minor tweaks.
Comment #24
DamienMcKenna
Committed. Thanks for the backport, @DrupalDano!