1<?php 2 3namespace Drupal\Tests\locale\Kernel; 4 5use Drupal\KernelTests\KernelTestBase; 6 7/** 8 * Tests locale translation safe string handling. 9 * 10 * @group locale 11 */ 12class LocaleStringIsSafeTest extends KernelTestBase { 13 14 /** 15 * Modules to enable. 16 * 17 * @var array 18 */ 19 public static $modules = ['locale', 'locale_test']; 20 21 /** 22 * Tests for locale_string_is_safe(). 23 */ 24 public function testLocaleStringIsSafe() { 25 // Check a translatable string without HTML. 26 $string = 'Hello world!'; 27 $result = locale_string_is_safe($string); 28 $this->assertTrue($result); 29 30 // Check a translatable string which includes trustable HTML. 31 $string = 'Hello <strong>world</strong>!'; 32 $result = locale_string_is_safe($string); 33 $this->assertTrue($result); 34 35 // Check an untranslatable string which includes untrustable HTML (according 36 // to the locale_string_is_safe() function definition). 37 $string = 'Hello <img src="world.png" alt="world" />!'; 38 $result = locale_string_is_safe($string); 39 $this->assertFalse($result); 40 41 // Check a translatable string which includes a token in an href attribute. 42 $string = 'Hi <a href="[current-user:url]">user</a>'; 43 $result = locale_string_is_safe($string); 44 $this->assertTrue($result); 45 } 46 47 /** 48 * Tests if a translated and tokenized string is properly escaped by Twig. 49 * 50 * In each assert* call we add a new line at the expected result to match the 51 * newline at the end of the template file. 52 */ 53 public function testLocalizedTokenizedString() { 54 $tests_to_do = [ 55 1 => [ 56 'original' => 'Go to the <a href="[locale_test:security_test1]">frontpage</a>', 57 'replaced' => 'Go to the <a href="javascript:alert(&#039;Mooooh!&#039;);">frontpage</a>', 58 ], 59 2 => [ 60 'original' => 'Hello <strong>[locale_test:security_test2]</strong>!', 61 'replaced' => 'Hello <strong>&lt;script&gt;alert(&#039;Mooooh!&#039;);&lt;/script&gt;</strong>!', 62 ], 63 ]; 64 65 foreach ($tests_to_do as $i => $test) { 66 $original_string = $test['original']; 67 $rendered_original_string = \Drupal::theme()->render('locale_test_tokenized', ['content' => $original_string]); 68 // Twig assumes that strings are unsafe so it escapes them, and so the 69 // original and the rendered version should be different. 70 $this->assertNotEqual( 71 $rendered_original_string, 72 $original_string . "\n", 73 'Security test ' . $i . ' before translation' 74 ); 75 76 // Pass the original string to the t() function to get it marked as safe. 77 $safe_string = t($original_string); 78 $rendered_safe_string = \Drupal::theme()->render('locale_test_tokenized', ['content' => $safe_string]); 79 // t() function always marks the string as safe so it won't be escaped, 80 // and should be the same as the original. 81 $this->assertEqual( 82 $rendered_safe_string, 83 $original_string . "\n", 84 'Security test ' . $i . ' after translation before token replacement' 85 ); 86 87 // Replace tokens in the safe string to inject it with dangerous content. 88 // @see locale_test_tokens(). 89 $unsafe_string = \Drupal::token()->replace($safe_string); 90 $rendered_unsafe_string = \Drupal::theme()->render('locale_test_tokenized', ['content' => $unsafe_string]); 91 // Token replacement changes the string so it is not marked as safe 92 // anymore. Check it is escaped the way we expect. 93 $this->assertEqual( 94 $rendered_unsafe_string, 95 $test['replaced'] . "\n", 96 'Security test ' . $i . ' after translation after token replacement' 97 ); 98 } 99 } 100 101} 102