Issue #2539246 by brandon.holtsclaw, cilefen, pwolanin: Search page local task...

Issue #2539246 by brandon.holtsclaw, cilefen, pwolanin: Search page local task label was an XSS vector—add tests

core/modules/search/src/Tests/SearchPageTextTest.php

@@ -30,6 +30,22 @@ protected function setUp() {
     $this->searchingUser = $this->drupalCreateUser(array('search content', 'access user profiles', 'use advanced search'));
   }
 
+  /**
+   * Tests for XSS in search module local task.
+   *
+   * This is a regression test for https://www.drupal.org/node/2338081
+   */
+  function testSearchLabelXSS() {
+    $this->drupalLogin($this->drupalCreateUser(array('administer search')));
+
+    $keys['label'] = '<script>alert("Dont Panic");</script>';
+    $this->drupalPostForm('admin/config/search/pages/manage/node_search', $keys, t('Save search page'));
+
+    $this->drupalLogin($this->searchingUser);
+    $this->drupalGet('search/node');
+    $this->assertEscaped($keys['label']);
+  }
+
   /**
    * Tests the failed search text, and various other text on the search page.
    */
@@ -135,6 +151,5 @@ function testSearchText() {
     $this->drupalPostForm('search/node', array('keys' => '.something'), t('Search'));
     $this->assertResponse(200, 'Searching for .something does not lead to a 403 error');
     $this->assertText('no results', 'Searching for .something gives you a no search results page');
-
   }
 }