1 <?php
7 namespace Magento\Test\Php;
8 
10 use Magento\TestFramework\Utility\XssOutputValidator;
12 
16 class XssPhtmlTemplateTest extends \PHPUnit\Framework\TestCase
17 {
/**
 * Fails when XssOutputValidator reports any line of a .phtml template as
 * XSS-sensitive output.
 *
 * Each template returned by Files::init()->getPhtmlFiles() is handed to the
 * closure below through the AggregateInvoker, so one failing template does not
 * stop the remaining ones from being reported.
 *
 * @return void
 */
public function testXssSensitiveOutput()
{
    $runForEachTemplate = new \Magento\Framework\App\Utility\AggregateInvoker($this);
    $validator = new XssOutputValidator();

    // The closure asserts through $this, so it cannot be declared static.
    $checkTemplate = function ($file) use ($validator) {
        $flaggedLines = $validator->getLinesWithXssSensitiveOutput($file);
        // $flaggedLines is appended to the message as-is; presumably the validator
        // returns a string listing the offending line numbers — confirm against
        // XssOutputValidator.
        $this->assertEmpty(
            $flaggedLines,
            "Potentially XSS vulnerability. Please verify that output is escaped at lines " . $flaggedLines
        );
    };

    $runForEachTemplate($checkTemplate, Files::init()->getPhtmlFiles());
}
52 
57  {
 // NOTE(review): the method signature and the assignment of $componentRegistrar are
 // not present in this listing (the gutter jumps from 52 to 57 and from 57 to 59);
 // confirm both against the source file.
 // Build the list of modules exempt from the @escapeNotVerified check: every file in
 // the whitelist directory is include()d and its return value merged in, so each file
 // is expected to return an array of module names.
59  $exemptModules = [];
60  foreach (array_diff(scandir(__DIR__ . '/_files/whitelist/exempt_modules'), ['..', '.']) as $file) {
61  $exemptModules = array_merge(
62  $exemptModules,
63  include(__DIR__ . '/_files/whitelist/exempt_modules/' . $file)
64  );
65  }
66 
 // Scan every *.phtml template of every non-exempt module for an
 // "@escapeNotVerified */ echo ..." statement whose expression is not a __() call,
 // collecting "file:line" entries in $result.
67  $result = "";
68  foreach ($componentRegistrar->getPaths(ComponentRegistrar::MODULE) as $moduleName => $modulePath) {
 // An exempt module is skipped wholesale (no template in it is inspected).
 // in_array() is used without strict comparison here.
69  if (in_array($moduleName, $exemptModules)) {
70  continue;
71  }
72  foreach (Files::init()->getFiles([$modulePath], '*.phtml') as $file) {
 // file_get_contents() returns false on failure; that case is not checked here,
 // so an unreadable template would silently produce no matches.
73  $fileContents = file_get_contents($file);
 // In the double-quoted string "\\/*" becomes the regex \/* (zero or more slashes),
 // so the leading "/*" of the annotation is not actually required; the match is keyed
 // on " @escapeNotVerified */ echo ". The (?!__) lookahead excludes "echo __(...)"
 // (translated strings) from being reported.
74  $pattern = "/\\/* @escapeNotVerified \\*\\/ echo (?!__).+/";
75  $instances = preg_grep($pattern, explode("\n", $fileContents));
76  if (!empty($instances)) {
 // preg_grep() preserves the 0-based keys of the exploded lines, so +1 gives the
 // 1-based line number.
77  foreach (array_keys($instances) as $line) {
78  $result .= $file . ':' . ($line + 1) . "\n";
79  }
80  }
81  }
82  }
 // Any annotated-but-unverified echo fails the test; the message lists each file:line.
83  $this->assertEmpty(
84  $result,
85  "@escapeNotVerified annotation detected.\n" .
86  "Please use the correct escape strategy and remove annotation at:\n" . $result
87  );
88  }
89 }