MC-13922: [Sec] XSS Injection in Admin For Map Location Attributes, Image Caption, Slide Name

davemacaulay · davemacaulay · commit 4e8b7b483446 · 2019-02-10T15:39:51.000+01:00
- Add map tests
- Refactor some action groups to correctly use &lt;see /&gt; instead of &lt;waitForElementVisible /&gt;
diff --git a/app/code/Magento/PageBuilder/Test/Mftf/ActionGroup/ContentTypeMapActionGroup.xml b/app/code/Magento/PageBuilder/Test/Mftf/ActionGroup/ContentTypeMapActionGroup.xml
@@ -96,14 +96,14 @@
         </arguments>
         <comment userInput="validateLocationGridData" stepKey="comment"/>
         <waitForElementVisible selector="{{PageBuilderDataGrid.gridBase}}" stepKey="waitForGrid"/>
-        <waitForElementVisible selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, locationName.fieldName, locationName.value)}}" stepKey="waitForLocationName"/>
-        <waitForElementVisible selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, phoneNumber.fieldName, phoneNumber.value)}}" stepKey="waitForPhoneNumber"/>
-        <waitForElementVisible selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, address.fieldName, address.value)}}" stepKey="waitForAddress"/>
-        <waitForElementVisible selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, city.fieldName, city.value)}}" stepKey="waitForCity"/>
-        <waitForElementVisible selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, state.fieldName, state.value)}}" stepKey="waitForState"/>
-        <waitForElementVisible selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, zip.fieldName, zip.value)}}" stepKey="waitForZip"/>
-        <waitForElementVisible selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, country.fieldName, country.value)}}" stepKey="waitForCountry"/>
-        <waitForElementVisible selector="{{PageBuilderDataGrid.gridSelectButtonByIndex(rowIndex)}}" stepKey="waitForSelectButton"/>
+        <see selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, locationName.fieldName)}}" userInput="{{locationName.value}}" stepKey="seeLocationName"/>
+        <see selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, phoneNumber.fieldName)}}" userInput="{{phoneNumber.value}}" stepKey="seePhoneNumber"/>
+        <see selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, address.fieldName)}}" userInput="{{address.value}}" stepKey="seeAddress"/>
+        <see selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, city.fieldName)}}" userInput="{{city.value}}" stepKey="seeCity"/>
+        <see selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, state.fieldName)}}" userInput="{{state.value}}" stepKey="seeState"/>
+        <see selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, zip.fieldName)}}" userInput="{{zip.value}}" stepKey="setZip"/>
+        <see selector="{{PageBuilderDataGrid.gridCellByRowIndex(rowIndex, country.fieldName)}}" userInput="{{country.value}}" stepKey="seeCounty"/>
+        <seeElement selector="{{PageBuilderDataGrid.gridSelectButtonByIndex(rowIndex)}}" stepKey="seeSelectButton"/>
     </actionGroup>
     <actionGroup name="clickMapToAddOrMovePin">
         <arguments>
@@ -292,10 +292,10 @@
         <waitForElement selector="{{page.clickablePin(mapIndex, pinIndex)}}" stepKey="waitForPin"/>
         <click selector="{{page.clickablePin(mapIndex, pinIndex)}}" stepKey="clickPin"/>
         <waitForElementVisible selector="{{page.tooltipWindow(mapIndex)}}" stepKey="waitForPinTooltip"/>
-        <waitForElementVisible selector="{{page.locationName(mapIndex, locationName.value)}}" stepKey="waitForLocationName"/>
-        <waitForElementVisible selector="{{page.comment(mapIndex, comment.value)}}" stepKey="waitForComment"/>
-        <waitForElementVisible selector="{{page.phoneNumber(mapIndex, phoneNumber.value)}}" stepKey="waitForPhoneNumber"/>
-        <waitForElementVisible selector="{{page.addressCityStateZipCountry(mapIndex, address.value, city.value, state.tooltipValue, zip.value, country.tooltipValue)}}" stepKey="waitForAddress"/>
+        <see selector="{{page.locationNameElement(mapIndex)}}" userInput="{{locationName.value}}" stepKey="seeLocationName"/>
+        <see selector="{{page.commentElement(mapIndex)}}" userInput="{{comment.value}}" stepKey="seeComment"/>
+        <see selector="{{page.phoneNumberElement(mapIndex)}}" userInput="{{phoneNumber.value}}" stepKey="seePhoneNumber"/>
+        <see selector="{{page.addressCityStateZipCountryElement(mapIndex)}}" userInput="{{address.value}}\n{{city.value}}, {{state.tooltipValue}} {{zip.value}}\n{{country.tooltipValue}}" stepKey="seeAddress"/>
         <moveMouseOver selector="{{page.base(mapIndex)}}" x="-1" y="0" stepKey="moveMouseOutsideMap"/>
         <waitForPageLoad stepKey="waitForOptionMenuGone"/>
         <click selector="{{page.tooltipWindowClose(mapIndex)}}" stepKey="closePinTooltip"/>
diff --git a/app/code/Magento/PageBuilder/Test/Mftf/Data/MapData.xml b/app/code/Magento/PageBuilder/Test/Mftf/Data/MapData.xml
@@ -102,6 +102,12 @@
         <data key="fieldName">location_name</data>
         <data key="value">0</data>
     </entity>
+    <entity name="PageBuilderMapLocationName_HtmlCode" type="pagebuilder_map_location_name_property">
+        <data key="name">Location Name</data>
+        <data key="section">general</data>
+        <data key="fieldName">location_name</data>
+        <data key="value">&#x3C;img src=x onerror=&#x22;throw &#x27;error&#x27;;&#x22; /&#x3E;</data>
+    </entity>
     <!-- Latitude -->
     <entity name="PageBuilderMapLatitude_Default" type="pagebuilder_map_latitude_property">
         <data key="name">Coordinates</data>
@@ -435,6 +441,12 @@
         <data key="fieldName">phone</data>
         <data key="value">0</data>
     </entity>
+    <entity name="PageBuilderMapPhoneNumber_HtmlCode" type="pagebuilder_map_phone_number_property">
+        <data key="name">Phone Number</data>
+        <data key="section">general</data>
+        <data key="fieldName">phone</data>
+        <data key="value">&#x3C;img src=x onerror=&#x22;throw &#x27;error&#x27;;&#x22; /&#x3E;</data>
+    </entity>
     <!-- Street Address -->
     <entity name="PageBuilderMapStreetAddress_Default" type="pagebuilder_map_street_address_property">
         <data key="name">Street Address</data>
@@ -496,6 +508,12 @@
         <data key="fieldName">address</data>
         <data key="value">0</data>
     </entity>
+    <entity name="PageBuilderMapStreetAddress_HtmlCode" type="pagebuilder_map_street_address_property">
+        <data key="name">Street Address</data>
+        <data key="section">general</data>
+        <data key="fieldName">address</data>
+        <data key="value">&#x3C;img src=x onerror=&#x22;throw &#x27;error&#x27;;&#x22; /&#x3E;</data>
+    </entity>
     <!-- City -->
     <entity name="PageBuilderMapCity_Default" type="pagebuilder_map_city_property">
         <data key="name">City</data>
@@ -557,6 +575,12 @@
         <data key="fieldName">city</data>
         <data key="value">0</data>
     </entity>
+    <entity name="PageBuilderMapCity_HtmlCode" type="pagebuilder_map_city_property">
+        <data key="name">City</data>
+        <data key="section">general</data>
+        <data key="fieldName">city</data>
+        <data key="value">&#x3C;img src=x onerror=&#x22;throw &#x27;error&#x27;;&#x22; /&#x3E;</data>
+    </entity>
     <!-- State -->
     <entity name="PageBuilderMapState_Default" type="pagebuilder_map_state_property">
         <data key="name">State</data>
@@ -623,6 +647,13 @@
         <data key="fieldName">state</data>
         <data key="value">0</data>
     </entity>
+    <entity name="PageBuilderMapState_HtmlCode" type="pagebuilder_map_state_property">
+        <data key="name">State</data>
+        <data key="section">general</data>
+        <data key="fieldName">state</data>
+        <data key="value">&#x3C;img src=x onerror=&#x22;throw &#x27;error&#x27;;&#x22; /&#x3E;</data>
+        <data key="tooltipValue">&#x3C;img src=x onerror=&#x22;throw &#x27;error&#x27;;&#x22; /&#x3E;</data>
+    </entity>
     <!-- Zip Code -->
     <entity name="PageBuilderMapZipCode_Default" type="pagebuilder_map_zip_code_property">
         <data key="name">Zip/Postal Code</data>
@@ -684,6 +715,12 @@
         <data key="fieldName">zipcode</data>
         <data key="value">0</data>
     </entity>
+    <entity name="PageBuilderMapZipCode_HtmlCode" type="pagebuilder_map_zip_code_property">
+        <data key="name">Zip/Postal Code</data>
+        <data key="section">general</data>
+        <data key="fieldName">zipcode</data>
+        <data key="value">&#x3C;img src=x onerror=&#x22;throw &#x27;error&#x27;;&#x22; /&#x3E;</data>
+    </entity>
     <!-- Country -->
     <entity name="PageBuilderMapCountry_Default" type="pagebuilder_map_country_property">
         <data key="name">Country</data>
@@ -761,6 +798,12 @@
         <data key="fieldName">comment</data>
         <data key="value"/>
     </entity>
+    <entity name="PageBuilderMapComment_HtmlCode" type="pagebuilder_map_comment_property">
+        <data key="name">Comment</data>
+        <data key="section">general</data>
+        <data key="fieldName">comment</data>
+        <data key="value">&#x3C;img src=x onerror=&#x22;throw &#x27;error&#x27;;&#x22; /&#x3E;</data>
+    </entity>
     <!-- Height -->
     <entity name="PageBuilderMapHeightDefaultProperty" type="pagebuilder_map_height_property">
         <data key="name">Map Height</data>
diff --git a/app/code/Magento/PageBuilder/Test/Mftf/Section/PageBuilderDataGridSection.xml b/app/code/Magento/PageBuilder/Test/Mftf/Section/PageBuilderDataGridSection.xml
@@ -21,7 +21,7 @@
         <element name="gridRow" type="text" selector="//table[@data-role='grid']//tbody//tr[descendant::span[@data-index='{{arg1}}' and .='{{arg2}}']]" parameterized="true"/>
         <element name="gridRowByIndex" type="text" selector="//table[@data-role='grid']//tbody//tr[{{arg1}}][descendant::span[@data-index='{{arg2}}' and .='{{arg3}}']]" parameterized="true"/>
         <element name="gridCell" type="text" selector="//table[@data-role='grid']//tbody//span[@data-index='{{arg1}}' and .='{{arg2}}']" parameterized="true"/>
-        <element name="gridCellByRowIndex" type="text" selector="//table[@data-role='grid']//tbody//tr[{{arg1}}]//span[@data-index='{{arg2}}' and .='{{arg3}}']" parameterized="true"/>
+        <element name="gridCellByRowIndex" type="text" selector="//table[@data-role='grid']//tbody//tr[{{arg1}}]//span[@data-index='{{arg2}}']" parameterized="true"/>
         <element name="gridSelectButton" type="button" selector="//table[@data-role='grid']//tbody//tr[descendant::span[@data-index='{{arg1}}' and .='{{arg2}}']]//td[@data-index='actions']//button[@class='action-select' and .='Select']" parameterized="true"/>
         <element name="gridSelectButtonByIndex" type="button" selector="//table[@data-role='grid']//tbody//tr[{{arg1}}]//td[@data-index='actions']//button[@class='action-select' and .='Select']" parameterized="true"/>
         <element name="gridSelectEditButton" type="button" selector="//table[@data-role='grid']//tbody//tr[descendant::span[@data-index='{{arg1}}' and .='{{arg2}}']]//td[@data-index='actions']//span[@class='action-menu-item' and .='Edit']" parameterized="true"/>
diff --git a/app/code/Magento/PageBuilder/Test/Mftf/Section/PageBuilderMapSection.xml b/app/code/Magento/PageBuilder/Test/Mftf/Section/PageBuilderMapSection.xml
@@ -26,6 +26,10 @@
         <element name="phoneNumber" type="text" selector="(//div[contains(@class,'pagebuilder-map')])[{{arg1}}]//div[@class='gm-style-iw']//p[.='Phone: {{arg2}}']" parameterized="true"/>
         <element name="noPhoneNumber" type="text" selector="(//div[contains(@class,'pagebuilder-map')])[{{arg1}}]//div[@class='gm-style-iw']//p[.='{{arg2}}']" parameterized="true"/>
         <element name="addressCityStateZipCountry" type="text" selector="(//div[contains(@class,'pagebuilder-map')])[{{arg1}}]//div[@class='gm-style-iw']//span[.='{{arg2}}{{arg3}}{{arg4}}{{arg5}}{{arg6}}']" parameterized="true"/>
+        <element name="locationNameElement" type="text" selector="(//div[contains(@class,'pagebuilder-map')])[{{arg1}}]//div[@class='gm-style-iw']//h3/b" parameterized="true"/>
+        <element name="commentElement" type="text" selector="(//div[contains(@class,'pagebuilder-map')])[{{arg1}}]//div[@class='gm-style-iw']//p" parameterized="true"/>
+        <element name="phoneNumberElement" type="text" selector="(//div[contains(@class,'pagebuilder-map')])[{{arg1}}]//div[@class='gm-style-iw']//p" parameterized="true"/>
+        <element name="addressCityStateZipCountryElement" type="text" selector="(//div[contains(@class,'pagebuilder-map')])[{{arg1}}]//div[@class='gm-style-iw']//span" parameterized="true"/>
         <!-- Map Settings Configuration -->
         <element name="height" type="button" selector="(//div[contains(@class,'pagebuilder-map')])[{{arg1}}]//div[contains(@data-bind,'renderMap') and contains(@style,'height: {{arg2}}px;')]" parameterized="true"/>
         <element name="noHeight" type="button" selector="(//div[contains(@class,'pagebuilder-map')])[{{arg1}}]//div[contains(@data-bind,'renderMap') and not(contains(@style,'height:'))]" parameterized="true"/>
@@ -71,6 +75,10 @@
         <element name="phoneNumber" type="text" selector="(//div[@data-role='map'])[{{arg1}}]//div[@class='gm-style-iw']//p[.='Phone: {{arg2}}']" parameterized="true"/>
         <element name="noPhoneNumber" type="text" selector="(//div[@data-role='map'])[{{arg1}}]//div[@class='gm-style-iw']//p[.='{{arg2}}']" parameterized="true"/>
         <element name="addressCityStateZipCountry" type="text" selector="(//div[@data-role='map'])[{{arg1}}]//div[@class='gm-style-iw']//span[.='{{arg2}}{{arg3}}{{arg4}}{{arg5}}{{arg6}}']" parameterized="true"/>
+        <element name="locationNameElement" type="text" selector="(//div[@data-role='map'])[{{arg1}}]//div[@class='gm-style-iw']//h3/b" parameterized="true"/>
+        <element name="commentElement" type="text" selector="(//div[@data-role='map'])[{{arg1}}]//div[@class='gm-style-iw']//p" parameterized="true"/>
+        <element name="phoneNumberElement" type="text" selector="(//div[@data-role='map'])[{{arg1}}]//div[@class='gm-style-iw']//p" parameterized="true"/>
+        <element name="addressCityStateZipCountryElement" type="text" selector="(//div[@data-role='map'])[{{arg1}}]//div[@class='gm-style-iw']//span" parameterized="true"/>
         <!-- Map Settings Configuration -->
         <element name="height" type="button" selector="(//div[@data-role='map'])[{{arg1}}][contains(@style,'height: {{arg2}}px;')]" parameterized="true"/>
         <element name="noHeight" type="button" selector="(//div[@data-role='map'])[{{arg1}}][not(contains(@style,'height:'))]" parameterized="true"/>
diff --git a/app/code/Magento/PageBuilder/Test/Mftf/Test/AdminPageBuilderImageTest.xml b/app/code/Magento/PageBuilder/Test/Mftf/Test/AdminPageBuilderImageTest.xml
@@ -1416,8 +1416,8 @@
         <actionGroup ref="navigateToCreatedCMSPage" stepKey="navigateToCreatedCMSPage">
             <argument name="CMSPage" value="$$createCMSPage$$"/>
         </actionGroup>
-        <!-- Add Image to Tab -->
-        <comment userInput="Add Image to Tab" stepKey="commentAddImageToTab"/>
+        <!-- Add Image to Stage -->
+        <comment userInput="Add Image to Stage" stepKey="commentAddImageToStage"/>
         <actionGroup ref="expandPageBuilderPanelGroup" stepKey="expandPageBuilderPanelGroup">
             <argument name="group" value="PageBuilderImageContentType"/>
         </actionGroup>
diff --git a/app/code/Magento/PageBuilder/Test/Mftf/Test/AdminPageBuilderMapLocationAttributeTests.xml b/app/code/Magento/PageBuilder/Test/Mftf/Test/AdminPageBuilderMapLocationAttributeTests.xml
