[Checkout] Add scenario for preventing from a potential XSS attack

GSadee · May 10, 2024 · 9255540 · 9255540
1 parent 3d66fb0
commit 9255540
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 0 deletions.
diff --git a/features/checkout/addressing_order/preventing_from_xss_attack_during_checkout.feature b/features/checkout/addressing_order/preventing_from_xss_attack_during_checkout.feature
@@ -0,0 +1,21 @@
+@checkout
+Feature: Preventing from a potential XSS attack during updating the address in the checkout
+    In order to keep my information safe
+    As a Visitor
+    I want to be protected against the potential XSS attacks
+
+    Background:
+        Given the store operates on a single channel in "United States"
+        And the store has a product "PHP T-Shirt" priced at "$19.99"
+        And the store ships everywhere for Free
+        And I have product "PHP T-Shirt" in the cart
+        And I am at the checkout addressing step
+
+    @ui @javascript @no-api
+    Scenario: Preventing from a potential XSS attack during updating the address in the checkout
+        When I specify the email as "john.doe@example.com"
+        And I specify the billing address as "Ankh Morpork", "Frost Alley", "90210", "United States" for "Jon Doe"
+        And I specify the province name manually as '<img """><script>alert("XSS")</script>">' for billing address
+        And I complete the addressing step
+        And I decide to change my address
+        Then I should be able to update the address without unexpected alert
diff --git a/src/Sylius/Behat/Context/Ui/Shop/Checkout/CheckoutAddressingContext.php b/src/Sylius/Behat/Context/Ui/Shop/Checkout/CheckoutAddressingContext.php
@@ -484,6 +484,14 @@ public function shouldHaveCountriesToChooseFrom(string ...$countries): void
         Assert::same($availableBillingCountries, $countries);
     }
 
+    /**
+     * @Then I should be able to update the address without unexpected alert
+     */
+    public function iShouldBeAbleToUpdateTheAddressWithoutUnexpectedAlert(): void
+    {
+        $this->addressPage->waitForFormToStopLoading();
+    }
+
     /**
      * @return AddressInterface
      */

diff --git a/src/Sylius/Behat/Page/Shop/Checkout/AddressPage.php b/src/Sylius/Behat/Page/Shop/Checkout/AddressPage.php
@@ -281,6 +281,11 @@ public function getAvailableBillingCountries(): array
         return $this->getOptionsFromSelect($this->getElement('billing_country'));
     }
 
+    public function waitForFormToStopLoading(): void
+    {
+        JQueryHelper::waitForFormToStopLoading($this->getDocument());
+    }
+
     protected function getDefinedElements(): array
     {
         return array_merge(parent::getDefinedElements(), [

diff --git a/src/Sylius/Behat/Page/Shop/Checkout/AddressPageInterface.php b/src/Sylius/Behat/Page/Shop/Checkout/AddressPageInterface.php
@@ -81,4 +81,6 @@ public function getAvailableBillingCountries(): array;
     public function isDifferentShippingAddressChecked(): bool;
 
     public function isShippingAddressVisible(): bool;
+
+    public function waitForFormToStopLoading(): void;
 }