Merge pull request #5269 from magento-borg/borg-2.3.5

[CIA] Bug fixes

Author: nathanjosiah

app/code/Magento/Braintree/Test/Mftf/ActionGroup/AdminRoleActionGroup.xml

@@ -45,18 +45,32 @@
     <!--Delete role-->
     <actionGroup name="AdminDeleteRoleActionGroup">
         <annotations>
-            <description>Deletes a User Role that contains the text 'Role'. PLEASE NOTE: The Action Group values are Hardcoded.</description>
+            <description>Deletes a User Role.</description>
         </annotations>
         <arguments>
             <argument name="role" defaultValue=""/>
         </arguments>
 
-        <click stepKey="clickOnRole" selector="{{AdminDeleteRoleSection.theRole}}"/>
+        <click stepKey="clickResetFilterButtonBefore" selector="{{AdminRoleGridSection.resetButton}}"/>
+        <waitForPageLoad stepKey="waitForRolesGridFilterResetBefore" time="10"/>
+        <fillField stepKey="TypeRoleFilter" selector="{{AdminRoleGridSection.roleNameFilterTextField}}" userInput="{{role.name}}"/>
+        <waitForElementVisible stepKey="waitForFilterSearchButtonBefore" selector="{{AdminRoleGridSection.searchButton}}" time="10"/>
+        <click stepKey="clickFilterSearchButton" selector="{{AdminRoleGridSection.searchButton}}"/>
+        <waitForPageLoad stepKey="waitForUserRoleFilter" time="10"/>
+        <waitForElementVisible stepKey="waitForRoleInRoleGrid" selector="{{AdminDeleteRoleSection.role(role.name)}}" time="10"/>
+        <click stepKey="clickOnRole" selector="{{AdminDeleteRoleSection.role(role.name)}}"/>
+        <waitForPageLoad stepKey="waitForRolePageToLoad" time="10"/>
         <fillField stepKey="TypeCurrentPassword" selector="{{AdminDeleteRoleSection.current_pass}}" userInput="{{_ENV.MAGENTO_ADMIN_PASSWORD}}"/>
+        <waitForElementVisible stepKey="waitForDeleteRoleButton" selector="{{AdminDeleteRoleSection.delete}}" time="10"/>
         <click stepKey="clickToDeleteRole" selector="{{AdminDeleteRoleSection.delete}}"/>
-        <waitForAjaxLoad stepKey="waitForDeleteConfirmationPopup" time="5"/>
+        <waitForPageLoad stepKey="waitForDeleteConfirmationPopup" time="5"/>
+        <waitForElementVisible stepKey="waitForConfirmButton" selector="{{AdminDeleteRoleSection.confirm}}" time="10"/>
         <click stepKey="clickToConfirm" selector="{{AdminDeleteRoleSection.confirm}}"/>
         <waitForPageLoad stepKey="waitForPageLoad" time="10"/>
         <see stepKey="seeSuccessMessage" userInput="You deleted the role."/>
+        <waitForPageLoad stepKey="waitForRolesGridLoad" />
+        <waitForElementVisible stepKey="waitForResetFilterButtonAfter" selector="{{AdminRoleGridSection.resetButton}}" time="10"/>
+        <click stepKey="clickResetFilterButtonAfter" selector="{{AdminRoleGridSection.resetButton}}"/>
+        <waitForPageLoad stepKey="waitForRolesGridFilterResetAfter" time="10"/>
     </actionGroup>
 </actionGroups>

app/code/Magento/Security/view/base/requirejs-config.js

@@ -0,0 +1,12 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+var config = {
+    map: {
+        '*': {
+            escaper: 'Magento_Security/js/escaper'
+        }
+    }
+};

app/code/Magento/Security/view/base/web/js/escaper.js

@@ -0,0 +1,174 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * A loose JavaScript version of Magento\Framework\Escaper
+ *
+ * Due to differences in how XML/HTML is processed in PHP vs JS there are a couple of minor differences in behavior
+ * from the PHP counterpart.
+ *
+ * The first difference is that the default invocation of escapeHtml without allowedTags will double-escape existing
+ * entities as the intention of such an invocation is that the input isn't supposed to contain any HTML.
+ *
+ * The second difference is that escapeHtml will not escape quotes. Since the input is actually being processed by the
+ * DOM there is no chance of quotes being mixed with HTML syntax. And, since escapeHtml is not
+ * intended to be used with raw injection into a HTML attribute, this is acceptable.
+ *
+ * @api
+ */
+define([], function () {
+    'use strict';
+
+    return {
+        neverAllowedElements: ['script', 'img', 'embed', 'iframe', 'video', 'source', 'object', 'audio'],
+        generallyAllowedAttributes: ['id', 'class', 'href', 'title', 'style'],
+        forbiddenAttributesByElement: {
+            a: ['style']
+        },
+
+        /**
+         * Escape a string for safe injection into HTML
+         *
+         * @param {String} data
+         * @param {Array|null} allowedTags
+         * @returns {String}
+         */
+        escapeHtml: function (data, allowedTags) {
+            var domParser = new DOMParser(),
+                fragment = domParser.parseFromString('<div></div>', 'text/html');
+
+            fragment = fragment.body.childNodes[0];
+            allowedTags = typeof allowedTags === 'object' && allowedTags.length ? allowedTags : null;
+
+            if (allowedTags) {
+                fragment.innerHTML = data || '';
+                allowedTags = this._filterProhibitedTags(allowedTags);
+
+                this._removeComments(fragment);
+                this._removeNotAllowedElements(fragment, allowedTags);
+                this._removeNotAllowedAttributes(fragment);
+
+                return fragment.innerHTML;
+            }
+
+            fragment.textContent = data || '';
+
+            return fragment.innerHTML;
+        },
+
+        /**
+         * Remove the always forbidden tags from a list of provided tags
+         *
+         * @param {Array} tags
+         * @returns {Array}
+         * @private
+         */
+        _filterProhibitedTags: function (tags) {
+            return tags.filter(function (n) {
+                return this.neverAllowedElements.indexOf(n) === -1;
+            }.bind(this));
+        },
+
+        /**
+         * Remove comment nodes from the given node
+         *
+         * @param {Node} node
+         * @private
+         */
+        _removeComments: function (node) {
+            var treeWalker = node.ownerDocument.createTreeWalker(
+                    node,
+                    NodeFilter.SHOW_COMMENT,
+                    function () {
+                        return NodeFilter.FILTER_ACCEPT;
+                    },
+                    false
+                ),
+                nodesToRemove = [];
+
+            while (treeWalker.nextNode()) {
+                nodesToRemove.push(treeWalker.currentNode);
+            }
+
+            nodesToRemove.forEach(function (nodeToRemove) {
+                nodeToRemove.parentNode.removeChild(nodeToRemove);
+            });
+        },
+
+        /**
+         * Strip the given node of all disallowed tags while permitting any nested text nodes
+         *
+         * @param {Node} node
+         * @param {Array|null} allowedTags
+         * @private
+         */
+        _removeNotAllowedElements: function (node, allowedTags) {
+            var treeWalker = node.ownerDocument.createTreeWalker(
+                    node,
+                    NodeFilter.SHOW_ELEMENT,
+                    function (currentNode) {
+                        return allowedTags.indexOf(currentNode.nodeName.toLowerCase()) === -1 ?
+                            NodeFilter.FILTER_ACCEPT
+                            // SKIP instead of REJECT because REJECT also rejects child nodes
+                            : NodeFilter.FILTER_SKIP;
+                    },
+                false
+                ),
+                nodesToRemove = [];
+
+            while (treeWalker.nextNode()) {
+                if (allowedTags.indexOf(treeWalker.currentNode.nodeName.toLowerCase()) === -1) {
+                    nodesToRemove.push(treeWalker.currentNode);
+                }
+            }
+
+            nodesToRemove.forEach(function (nodeToRemove) {
+                nodeToRemove.parentNode.replaceChild(
+                    node.ownerDocument.createTextNode(nodeToRemove.textContent),
+                    nodeToRemove
+                );
+            });
+        },
+
+        /**
+         * Remove any invalid attributes from the given node
+         *
+         * @param {Node} node
+         * @private
+         */
+        _removeNotAllowedAttributes: function (node) {
+            var treeWalker = node.ownerDocument.createTreeWalker(
+                    node,
+                    NodeFilter.SHOW_ELEMENT,
+                    function () {
+                        return NodeFilter.FILTER_ACCEPT;
+                    },
+                false
+                ),
+                i,
+                attribute,
+                nodeName,
+                attributesToRemove = [];
+
+            while (treeWalker.nextNode()) {
+                for (i = 0; i < treeWalker.currentNode.attributes.length; i++) {
+                    attribute = treeWalker.currentNode.attributes[i];
+                    nodeName = treeWalker.currentNode.nodeName.toLowerCase();
+
+                    if (this.generallyAllowedAttributes.indexOf(attribute.name) === -1 || // eslint-disable-line max-depth,max-len
+                        this.forbiddenAttributesByElement[nodeName] &&
+                        this.forbiddenAttributesByElement[nodeName].indexOf(attribute.name) !== -1
+                    ) {
+                        attributesToRemove.push(attribute);
+                    }
+                }
+            }
+
+            attributesToRemove.forEach(function (attributeToRemove) {
+                attributeToRemove.ownerElement.removeAttribute(attributeToRemove.name);
+            });
+        }
+    };
+});

app/code/Magento/Theme/view/frontend/templates/messages.phtml

@@ -11,17 +11,18 @@
             class: 'message-' + message.type + ' ' + message.type + ' message',
             'data-ui-id': 'message-' + message.type
         }">
-            <div data-bind="html: message.text"></div>
+            <div data-bind="html: $parent.prepareMessageForHtml(message.text)"></div>
         </div>
     </div>
     <!-- /ko -->
+
     <!-- ko if: messages().messages && messages().messages.length > 0 -->
     <div role="alert" data-bind="foreach: { data: messages().messages, as: 'message' }" class="messages">
         <div data-bind="attr: {
             class: 'message-' + message.type + ' ' + message.type + ' message',
             'data-ui-id': 'message-' + message.type
         }">
-            <div data-bind="html: message.text"></div>
+            <div data-bind="html: $parent.prepareMessageForHtml(message.text)"></div>
         </div>
     </div>
     <!-- /ko -->

app/code/Magento/Theme/view/frontend/web/js/view/messages.js

@@ -11,14 +11,16 @@ define([
     'uiComponent',
     'Magento_Customer/js/customer-data',
     'underscore',
+    'escaper',
     'jquery/jquery-storageapi'
-], function ($, Component, customerData, _) {
+], function ($, Component, customerData, _, escaper) {
     'use strict';
 
     return Component.extend({
         defaults: {
             cookieMessages: [],
-            messages: []
+            messages: [],
+            allowedTags: ['div', 'span', 'b', 'strong', 'i', 'em', 'u', 'a']
         },
 
         /**
@@ -38,6 +40,16 @@ define([
             }
 
             $.cookieStorage.set('mage-messages', '');
+        },
+
+        /**
+         * Prepare the given message to be rendered as HTML
+         *
+         * @param {String} message
+         * @return {String}
+         */
+        prepareMessageForHtml: function (message) {
+            return escaper.escapeHtml(message, this.allowedTags);
         }
     });
 });

app/code/Magento/User/Test/Mftf/ActionGroup/AdminCreateUserActionGroup.xml

@@ -29,9 +29,10 @@
         <fillField selector="{{AdminEditUserSection.currentPasswordField}}" userInput="{{_ENV.MAGENTO_ADMIN_PASSWORD}}" stepKey="enterCurrentPassword"/>
         <scrollToTopOfPage stepKey="scrollToTopOfPage"/>
         <click selector="{{AdminEditUserSection.userRoleTab}}" stepKey="clickUserRole"/>
+        <waitForPageLoad stepKey="waitForAdminUserRoleTabLoad"/>
         <fillField selector="{{AdminEditUserSection.roleNameFilterTextField}}" userInput="{{role.name}}" stepKey="filterRole"/>
         <click selector="{{AdminEditUserSection.searchButton}}" stepKey="clickSearch"/>
-        <waitForLoadingMaskToDisappear stepKey="waitForLoadingMaskToDisappear1"/>
+        <waitForPageLoad stepKey="waitForLoadingMaskToDisappear1"/>
         <click selector="{{AdminEditUserSection.searchResultFirstRow}}" stepKey="selectRole"/>
         <click selector="{{AdminEditUserSection.saveButton}}" stepKey="clickSaveUser"/>
         <waitForPageLoad stepKey="waitForPageLoad2"/>

app/code/Magento/User/Test/Mftf/Section/AdminDeleteRoleSection.xml

@@ -10,10 +10,9 @@
           xsi:noNamespaceSchemaLocation="urn:magento:mftf:Page/etc/SectionObject.xsd">
     <section name="AdminDeleteRoleSection">
         <element name="theRole" selector="//td[contains(text(), 'Role')]" type="button"/>
-        <element name="salesRole" selector="//td[contains(text(), 'Sales')]" type="button"/>
+        <element name="role" parameterized="true" selector="//td[contains(@class,'col-role_name') and contains(text(), '{{roleName}}')]" type="button"/>
         <element name="current_pass" type="button" selector="#current_password"/>
         <element name="delete" selector="//button/span[contains(text(), 'Delete Role')]" type="button"/>
         <element name="confirm" selector="//*[@class='action-primary action-accept']" type="button"/>
     </section>
 </sections>
-

app/code/Magento/User/Test/Mftf/Section/AdminRoleGridSection.xml

@@ -14,12 +14,4 @@
         <element name="roleNameInFirstRow" type="text" selector=".col-role_name"/>
         <element name="searchResultFirstRow" type="text" selector=".data-grid>tbody>tr"/>
     </section>
-
-    <section name="AdminDeleteRoleSection">
-        <element name="theRole" selector="//td[contains(text(), 'Role')]" type="button"/>
-        <element name="role" parameterized="true" selector="//td[contains(text(), '{{args}}')]" type="button"/>
-        <element name="current_pass" type="button" selector="#current_password"/>
-        <element name="delete" selector="//button/span[contains(text(), 'Delete Role')]" type="button"/>
-        <element name="confirm" selector="//*[@class='action-primary action-accept']" type="button"/>
-    </section>
 </sections>