From d4812f9c14c7b2acc1f2f64cff363533e4c77b41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Pysiak?= Date: Mon, 6 May 2024 11:33:55 +0200 Subject: [PATCH 01/14] Fix potential xss in admin panel --- .../Resources/private/js/sylius-lazy-choice-tree.js | 5 +++-- .../AdminBundle/Resources/private/js/sylius-sanitizer.js | 5 +++++ .../UiBundle/Resources/private/js/sylius-auto-complete.js | 7 ++++--- .../UiBundle/Resources/private/js/sylius-sanitizer.js | 5 +++++ 4 files changed, 17 insertions(+), 5 deletions(-) create mode 100644 src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-sanitizer.js create mode 100644 src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-sanitizer.js diff --git a/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-lazy-choice-tree.js b/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-lazy-choice-tree.js index b1f4dd0d27d..cb34c7422bb 100644 --- a/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-lazy-choice-tree.js +++ b/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-lazy-choice-tree.js @@ -10,6 +10,7 @@ import 'semantic-ui-css/components/api'; import 'semantic-ui-css/components/checkbox'; import $ from 'jquery'; +import { sanitizeInput} from "./sylius-sanitizer"; const createRootContainer = function createRootContainer() { return $('
'); @@ -81,7 +82,7 @@ $.fn.extend({ onSuccess(response) { response.forEach((leafNode) => { leafContainerElement.append(( - createLeafFunc(leafNode.name, leafNode.code, leafNode.hasChildren, multiple, leafNode.level) + createLeafFunc(sanitizeInput(leafNode.name), sanitizeInput(leafNode.code), leafNode.hasChildren, multiple, leafNode.level) )); }); content.append(leafContainerElement); @@ -169,7 +170,7 @@ $.fn.extend({ const rootContainer = createRootContainer(); response.forEach((rootNode) => { rootContainer.append(( - createLeaf(rootNode.name, rootNode.code, rootNode.hasChildren, multiple, rootNode.level) + createLeaf(sanitizeInput(rootNode.name), sanitizeInput(rootNode.code), rootNode.hasChildren, multiple, rootNode.level) )); }); tree.append(rootContainer); diff --git a/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-sanitizer.js b/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-sanitizer.js new file mode 100644 index 00000000000..f3dd2cd4cfb --- /dev/null +++ b/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-sanitizer.js @@ -0,0 +1,5 @@ +export function sanitizeInput(input) { + const div = document.createElement('div'); + div.textContent = input; + return div.innerHTML; // Converts text content to plain HTML, stripping any scripts +} diff --git a/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-auto-complete.js b/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-auto-complete.js index 737c47a55a2..e52a6f42dac 100644 --- a/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-auto-complete.js +++ b/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-auto-complete.js @@ -9,6 +9,7 @@ import 'semantic-ui-css/components/dropdown'; import $ from 'jquery'; +import { sanitizeInput } from "./sylius-sanitizer"; $.fn.extend({ autoComplete() { 
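Review bot: The encoding is applied at the call sites `createLeafFunc(sanitizeInput(leafNode.name), sanitizeInput(leafNode.code), …)` (this hunk and the `createLeaf(...)` call in the `@@ -169` hunk) while the markup is assembled inside createLeaf, which lies outside both hunks, so correctness depends on how that function interpolates its arguments: sanitizeInput encodes only `&`, `<` and `>` (text-node serialization), so a value that ends up in an attribute such as `data-value="…"` is not protected against a double quote, and a value written with jQuery `.text()` or `.val()` would be shown double-encoded. I would move the encoding into createLeaf, next to the template that builds the markup, and encode per context there (quotes included for attributes), leaving these call sites as `createLeafFunc(leafNode.name, leafNode.code, …)`. Note also that `code` presumably becomes the submitted form value; if so it should be kept raw and only its rendering encoded, or a code containing `&` would be sent back as `&amp;`.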
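Review bot: The trailing comment `// Converts text content to plain HTML, stripping any scripts` overstates what the function does: nothing is stripped, the text-node serializer only entity-encodes `&`, `<` and `>`, and it leaves `"` and `'` untouched, so the result is safe as element text but not as an attribute value, a URL or script content. The same content is created for UiBundle later in this patch and for ShopBundle in patch 04 (this Admin copy is deleted again in patch 02), so the change belongs in whichever copy survives. I would replace the comment with a JSDoc stating the contract, e.g. `/** Entity-encodes a value for insertion into HTML text or a double-quoted attribute; this is output encoding, not sanitization. */`, and return `div.innerHTML.replace(/"/g, '&quot;').replace(/'/g, '&#39;');` so callers that interpolate into attributes are covered too. As far as I recall the textContent setter turns null/undefined into an empty string and stringifies everything else, which is worth stating in the doc so callers do not rely on it by accident.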
@@ -37,8 +38,8 @@ $.fn.extend({ }, onResponse(response) { let results = response.map(item => ({ - name: item[choiceName], - value: item[choiceValue], + name: sanitizeInput(item[choiceName]), + value: sanitizeInput(item[choiceValue]), })); if (!element.hasClass('multiple')) { @@ -72,7 +73,7 @@ $.fn.extend({ onSuccess(response) { response.forEach((item) => { menuElement.append(( - $(`
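Review bot: Entity-encoding at `value: sanitizeInput(item[choiceValue])` changes the data the dropdown hands back, not only how it is displayed: a code containing `&`, `<` or `>` is submitted as `&amp;`… and no longer matches the stored code, and the same applies to `value: sanitizeInput(item.code)` in patch 03 (sylius-product-auto-complete.js). Whether the dropdown renders `name` via innerHTML (where encoding is right) or via a text setter (where `&amp;` would be displayed) is decided outside the hunk, so I cannot confirm the name side from here. I would keep `value: item[choiceValue]` raw and encode only where an HTML string is built, or, if the dropdown template is the sink, add a comment at this line saying that `name` is pre-encoded for innerHTML rendering and must not be passed through a text setter.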
${item[choiceName]}
`) + $(`
${sanitizeInput(item[choiceName])}
`) )); }); diff --git a/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-sanitizer.js b/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-sanitizer.js new file mode 100644 index 00000000000..f3dd2cd4cfb --- /dev/null +++ b/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-sanitizer.js @@ -0,0 +1,5 @@ +export function sanitizeInput(input) { + const div = document.createElement('div'); + div.textContent = input; + return div.innerHTML; // Converts text content to plain HTML, stripping any scripts +} From 29d18a39935e4d6e3d59bac5ebca798bfff00fe2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Pysiak?= Date: Mon, 6 May 2024 13:42:01 +0200 Subject: [PATCH 02/14] Use function from UIBundle --- .../Resources/private/js/sylius-lazy-choice-tree.js | 2 +- .../AdminBundle/Resources/private/js/sylius-sanitizer.js | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-sanitizer.js diff --git a/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-lazy-choice-tree.js b/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-lazy-choice-tree.js index cb34c7422bb..18bb2d3a27e 100644 --- a/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-lazy-choice-tree.js +++ b/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-lazy-choice-tree.js @@ -10,7 +10,7 @@ import 'semantic-ui-css/components/api'; import 'semantic-ui-css/components/checkbox'; import $ from 'jquery'; -import { sanitizeInput} from "./sylius-sanitizer"; +import { sanitizeInput } from "sylius/ui/sylius-sanitizer"; const createRootContainer = function createRootContainer() { return $('
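Review bot: Only `${sanitizeInput(item[choiceName])}` is encoded in the template handed to `$(` … `)`, whose surrounding markup is not visible in this rendering of the patch; if that markup also interpolates `item[choiceValue]` (for example into a `data-value` attribute), that value is still raw, and sanitizeInput alone would not cover it because it does not encode quotes. I would add a line comment above the `$(` call stating that the template is parsed as HTML and every interpolated value must be encoded for the context it lands in, and check the attribute case. The enclosing onSuccess callback and `$.fn.extend` block continue outside the hunk.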
'); diff --git a/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-sanitizer.js b/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-sanitizer.js deleted file mode 100644 index f3dd2cd4cfb..00000000000 --- a/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-sanitizer.js +++ /dev/null @@ -1,5 +0,0 @@ -export function sanitizeInput(input) { - const div = document.createElement('div'); - div.textContent = input; - return div.innerHTML; // Converts text content to plain HTML, stripping any scripts -} From c11c424c1cd4918a71831152f69bc9b1915d542d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Pysiak?= Date: Tue, 7 May 2024 06:32:11 +0200 Subject: [PATCH 03/14] Fix product-auto-complete --- .../Resources/private/js/sylius-product-auto-complete.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-product-auto-complete.js b/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-product-auto-complete.js index acbe655ba32..64e34d9bfb3 100644 --- a/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-product-auto-complete.js +++ b/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-product-auto-complete.js @@ -9,6 +9,7 @@ import 'semantic-ui-css/components/dropdown'; import $ from 'jquery'; +import { sanitizeInput } from "./sylius-sanitizer"; $.fn.extend({ productAutoComplete() { @@ -38,8 +39,8 @@ $.fn.extend({ return { success: true, results: response._embedded.items.map(item => ({ - name: item.name, - value: item.code, + name: sanitizeInput(item.name), + value: sanitizeInput(item.code), })), }; }, From 0a7fe9ee4be074754bab08f04cf5ae2041bc6c73 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20Pysiak?= Date: Tue, 30 Apr 2024 11:24:25 +0200 Subject: [PATCH 04/14] Add js sanitizeInput function --- .../ShopBundle/Resources/private/js/sylius-province-field.js | 3 ++- .../ShopBundle/Resources/private/js/sylius-sanitizer.js | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-sanitizer.js diff --git a/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-province-field.js b/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-province-field.js index 17b3d350cf0..8a7084930f1 100644 --- a/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-province-field.js +++ b/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-province-field.js @@ -8,9 +8,10 @@ */ import $ from 'jquery'; +import { sanitizeInput } from './sylius-sanitizer'; const getProvinceInputValue = function getProvinceInputValue(valueSelector) { - return valueSelector == undefined ? '' : `value="${valueSelector}"`; + return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`; }; $.fn.extend({ diff --git a/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-sanitizer.js b/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-sanitizer.js new file mode 100644 index 00000000000..f3dd2cd4cfb --- /dev/null +++ b/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-sanitizer.js @@ -0,0 +1,5 @@ +export function sanitizeInput(input) { + const div = document.createElement('div'); + div.textContent = input; + return div.innerHTML; // Converts text content to plain HTML, stripping any scripts +} From 89880cd7b3beab15be845ebc58deb875da427a06 Mon Sep 17 00:00:00 2001 
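Review bot: `value="${sanitizeInput(valueSelector)}"` interpolates into a double-quoted attribute, but sanitizeInput only encodes `&`, `<` and `>` (text-node serialization), so a province name containing `"` still terminates the attribute and the rest is parsed as further attributes; this is the one place in the series where the helper is used in an attribute context, and patch 06 keeps the same line while changing only the import path. The minimal fix on this line is to append `.replace(/"/g, '&quot;')` to the `sanitizeInput(valueSelector)` call, with a comment `// attribute context: quotes must be encoded as well`; building the input with jQuery and setting the value via `.val()` in the caller (outside the hunk) would avoid string-assembled HTML altogether. The loose `== undefined` is fine as the null-or-undefined idiom but deserves a short comment saying it is intentional.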
From: =?UTF-8?q?Micha=C5=82=20Pysiak?= Date: Mon, 6 May 2024 13:38:23 +0200 Subject: [PATCH 05/14] Add sanitizer function to UIBundle --- .../Resources/private/js/sylius-sanitizer.js | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename src/Sylius/Bundle/{ShopBundle => UiBundle}/Resources/private/js/sylius-sanitizer.js (100%) diff --git a/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-sanitizer.js b/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-sanitizer.js similarity index 100% rename from src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-sanitizer.js rename to src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-sanitizer.js From 19cea9aa1bd13765e677943aaae5199da9db0908 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Pysiak?= Date: Mon, 6 May 2024 13:38:49 +0200 Subject: [PATCH 06/14] Use function from UIBundle --- .../ShopBundle/Resources/private/js/sylius-province-field.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-province-field.js b/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-province-field.js index 8a7084930f1..60983648ab1 100644 --- a/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-province-field.js +++ b/src/Sylius/Bundle/ShopBundle/Resources/private/js/sylius-province-field.js @@ -8,7 +8,7 @@ */ import $ from 'jquery'; -import { sanitizeInput } from './sylius-sanitizer'; +import { sanitizeInput } from 'sylius/ui/sylius-sanitizer'; const getProvinceInputValue = function getProvinceInputValue(valueSelector) { return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`; From 3d66fb067253160ef40b3b300d9fc7fb0cd81fd8 Mon Sep 17 00:00:00 2001 
From: Grzegorz Sadowski Date: Thu, 9 May 2024 15:20:39 +0200 Subject: [PATCH 07/14] [AddressBook] Add scenario for preventing from a potential XSS attack --- ...om_xss_attack_during_updating_address.feature | 16 ++++++++++++++++ .../Behat/Context/Setup/AddressContext.php | 13 +++++++++++++ .../Behat/Context/Ui/Shop/AddressBookContext.php | 11 ++++++++++- .../Page/Shop/Account/AddressBook/UpdatePage.php | 5 +++++ .../Account/AddressBook/UpdatePageInterface.php | 2 ++ 5 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 features/account/customer_account/address_book/preventing_from_xss_attack_during_updating_address.feature diff --git a/features/account/customer_account/address_book/preventing_from_xss_attack_during_updating_address.feature b/features/account/customer_account/address_book/preventing_from_xss_attack_during_updating_address.feature new file mode 100644 index 00000000000..4800bc5ccf5 --- /dev/null +++ b/features/account/customer_account/address_book/preventing_from_xss_attack_during_updating_address.feature @@ -0,0 +1,16 @@ +@address_book +Feature: Preventing from a potential XSS attack during updating the address + In order to keep my information safe + As a Customer + I want to be protected against the potential XSS attacks + + Background: + Given the store operates on a single channel in "United States" + And I am a logged in customer + And I have an address "Lucifer Morningstar", "Seaside Fwy", "90802", "Los Angeles", "United States", "Arkansas" in my address book + And this address has province '">' + + @ui @javascript @no-api + Scenario: Preventing from a potential XSS attack during updating the address + When I want to edit the address of "Lucifer Morningstar" + Then I should be able to update it without unexpected alert diff --git a/src/Sylius/Behat/Context/Setup/AddressContext.php b/src/Sylius/Behat/Context/Setup/AddressContext.php index f810565fff7..82c762964d7 100644 --- a/src/Sylius/Behat/Context/Setup/AddressContext.php 
+++ b/src/Sylius/Behat/Context/Setup/AddressContext.php @@ -66,6 +66,19 @@ public function iHaveAnAddressInAddressBook(ShopUserInterface $user, AddressInte $customer = $user->getCustomer(); $this->addAddressToCustomer($customer, $address); + + $this->sharedStorage->set('address', $address); + } + + /** + * @Given this address has province :province + */ + public function thisAddressHasProvince(string $provinceName): void + { + $address = $this->sharedStorage->get('address'); + $address->setProvinceName($provinceName); + + $this->customerManager->flush(); } /** diff --git a/src/Sylius/Behat/Context/Ui/Shop/AddressBookContext.php b/src/Sylius/Behat/Context/Ui/Shop/AddressBookContext.php index dd223762044..2b538eead96 100644 --- a/src/Sylius/Behat/Context/Ui/Shop/AddressBookContext.php +++ b/src/Sylius/Behat/Context/Ui/Shop/AddressBookContext.php @@ -41,8 +41,9 @@ public function __construct( /** * @Given I am editing the address of :fullName + * @When I want to edit the address of :fullName */ - public function iEditAddressOf($fullName) + public function iEditAddressOf(string $fullName): void { $this->sharedStorage->set('full_name', $fullName); @@ -350,6 +351,14 @@ public function addressShouldBeMarkedAsMyDefaultAddress(AddressInterface $addres Assert::same($actualFullName, $expectedFullName); } + /** + * @Then I should be able to update it without unexpected alert + */ + public function iShouldBeAbleToUpdateItWithoutUnexpectedAlert(): void + { + $this->addressBookUpdatePage->waitForFormToStopLoading(); + } + /** * @param string $fullName * diff --git a/src/Sylius/Behat/Page/Shop/Account/AddressBook/UpdatePage.php b/src/Sylius/Behat/Page/Shop/Account/AddressBook/UpdatePage.php index 5cda3d3606f..5308a0f4278 100644 --- a/src/Sylius/Behat/Page/Shop/Account/AddressBook/UpdatePage.php +++ b/src/Sylius/Behat/Page/Shop/Account/AddressBook/UpdatePage.php 
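Review bot: `iShouldBeAbleToUpdateItWithoutUnexpectedAlert` asserts nothing itself — it only waits for the form to finish loading, so the scenario's outcome depends on the browser driver raising on an unexpected alert, which is implicit and undocumented; the same holds for `iShouldBeAbleToUpdateTheAddressWithoutUnexpectedAlert` in patch 08. I would add a PHPDoc line stating that an injected alert is expected to surface as a driver exception, and follow the wait with an explicit check that the province field still holds the stored province name, so the scenario also catches a double-encoded value being shown to the customer. The `thisAddressHasProvince` step in the AddressContext hunk reads `$this->sharedStorage->get('address')`, which is set only by the preceding `iHaveAnAddressInAddressBook` step; a comment noting that ordering dependency would help.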
@@ -71,6 +71,11 @@ public function selectCountry(string $name): void JQueryHelper::waitForFormToStopLoading($this->getDocument()); } + public function waitForFormToStopLoading(): void + { + JQueryHelper::waitForFormToStopLoading($this->getDocument()); + } + public function saveChanges(): void { JQueryHelper::waitForFormToStopLoading($this->getDocument()); diff --git a/src/Sylius/Behat/Page/Shop/Account/AddressBook/UpdatePageInterface.php b/src/Sylius/Behat/Page/Shop/Account/AddressBook/UpdatePageInterface.php index 336354eca79..5988a1da23f 100644 --- a/src/Sylius/Behat/Page/Shop/Account/AddressBook/UpdatePageInterface.php +++ b/src/Sylius/Behat/Page/Shop/Account/AddressBook/UpdatePageInterface.php @@ -29,5 +29,7 @@ public function selectProvince(string $name): void; public function selectCountry(string $name): void; + public function waitForFormToStopLoading(): void; + public function saveChanges(): void; } From 925554057badcc1fb0397f5f64714e871a483c9d Mon Sep 17 00:00:00 2001 From: Grzegorz Sadowski Date: Fri, 10 May 2024 07:13:15 +0200 Subject: [PATCH 08/14] [Checkout] Add scenario for preventing from a potential XSS attack --- ...ng_from_xss_attack_during_checkout.feature | 21 +++++++++++++++++++ .../Checkout/CheckoutAddressingContext.php | 8 +++++++ .../Behat/Page/Shop/Checkout/AddressPage.php | 5 +++++ .../Shop/Checkout/AddressPageInterface.php | 2 ++ 4 files changed, 36 insertions(+) create mode 100644 features/checkout/addressing_order/preventing_from_xss_attack_during_checkout.feature diff --git a/features/checkout/addressing_order/preventing_from_xss_attack_during_checkout.feature b/features/checkout/addressing_order/preventing_from_xss_attack_during_checkout.feature new file mode 100644 index 00000000000..848f166dce3 --- /dev/null +++ b/features/checkout/addressing_order/preventing_from_xss_attack_during_checkout.feature 
@@ -0,0 +1,21 @@ +@checkout +Feature: Preventing from a potential XSS attack during updating the address in the checkout + In order to keep my information safe + As a Visitor + I want to be protected against the potential XSS attacks + + Background: + Given the store operates on a single channel in "United States" + And the store has a product "PHP T-Shirt" priced at "$19.99" + And the store ships everywhere for Free + And I have product "PHP T-Shirt" in the cart + And I am at the checkout addressing step + + @ui @javascript @no-api + Scenario: Preventing from a potential XSS attack during updating the address in the checkout + When I specify the email as "john.doe@example.com" + And I specify the billing address as "Ankh Morpork", "Frost Alley", "90210", "United States" for "Jon Doe" + And I specify the province name manually as '">' for billing address + And I complete the addressing step + And I decide to change my address + Then I should be able to update the address without unexpected alert diff --git a/src/Sylius/Behat/Context/Ui/Shop/Checkout/CheckoutAddressingContext.php b/src/Sylius/Behat/Context/Ui/Shop/Checkout/CheckoutAddressingContext.php index 05763b94ac0..ee2d9d9f574 100644 --- a/src/Sylius/Behat/Context/Ui/Shop/Checkout/CheckoutAddressingContext.php +++ b/src/Sylius/Behat/Context/Ui/Shop/Checkout/CheckoutAddressingContext.php @@ -484,6 +484,14 @@ public function shouldHaveCountriesToChooseFrom(string ...$countries): void Assert::same($availableBillingCountries, $countries); } + /** + * @Then I should be able to update the address without unexpected alert + */ + public function iShouldBeAbleToUpdateTheAddressWithoutUnexpectedAlert(): void + { + $this->addressPage->waitForFormToStopLoading(); + } + /** * @return AddressInterface */ diff --git a/src/Sylius/Behat/Page/Shop/Checkout/AddressPage.php b/src/Sylius/Behat/Page/Shop/Checkout/AddressPage.php index 89fea14f9f5..26aea7708ed 100644 --- a/src/Sylius/Behat/Page/Shop/Checkout/AddressPage.php 
+++ b/src/Sylius/Behat/Page/Shop/Checkout/AddressPage.php @@ -281,6 +281,11 @@ public function getAvailableBillingCountries(): array return $this->getOptionsFromSelect($this->getElement('billing_country')); } + public function waitForFormToStopLoading(): void + { + JQueryHelper::waitForFormToStopLoading($this->getDocument()); + } + protected function getDefinedElements(): array { return array_merge(parent::getDefinedElements(), [ diff --git a/src/Sylius/Behat/Page/Shop/Checkout/AddressPageInterface.php b/src/Sylius/Behat/Page/Shop/Checkout/AddressPageInterface.php index de0fa8ad7a6..2a787df6f16 100644 --- a/src/Sylius/Behat/Page/Shop/Checkout/AddressPageInterface.php +++ b/src/Sylius/Behat/Page/Shop/Checkout/AddressPageInterface.php @@ -81,4 +81,6 @@ public function getAvailableBillingCountries(): array; public function isDifferentShippingAddressChecked(): bool; public function isShippingAddressVisible(): bool; + + public function waitForFormToStopLoading(): void; } From 30de6ff277a0617d16a9f8b64541a46622752cb7 Mon Sep 17 00:00:00 2001 From: Grzegorz Sadowski Date: Fri, 10 May 2024 07:22:38 +0200 Subject: [PATCH 09/14] [Behat] Minor scenarios improvements after code review --- ... => preventing_xss_attack_during_updating_address.feature} | 4 ++-- ....feature => preventing_xss_attack_during_checkout.feature} | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) rename features/account/customer_account/address_book/{preventing_from_xss_attack_during_updating_address.feature => preventing_xss_attack_during_updating_address.feature} (81%) rename features/checkout/addressing_order/{preventing_from_xss_attack_during_checkout.feature => preventing_xss_attack_during_checkout.feature} (85%) 
diff --git a/features/account/customer_account/address_book/preventing_from_xss_attack_during_updating_address.feature b/features/account/customer_account/address_book/preventing_xss_attack_during_updating_address.feature similarity index 81% rename from features/account/customer_account/address_book/preventing_from_xss_attack_during_updating_address.feature rename to features/account/customer_account/address_book/preventing_xss_attack_during_updating_address.feature index 4800bc5ccf5..db2cc2adc7f 100644 --- a/features/account/customer_account/address_book/preventing_from_xss_attack_during_updating_address.feature +++ b/features/account/customer_account/address_book/preventing_xss_attack_during_updating_address.feature @@ -1,5 +1,5 @@ @address_book -Feature: Preventing from a potential XSS attack during updating the address +Feature: Preventing a potential XSS attack during updating the address In order to keep my information safe As a Customer I want to be protected against the potential XSS attacks @@ -11,6 +11,6 @@ Feature: Preventing from a potential XSS attack during updating the address And this address has province '">' @ui @javascript @no-api - Scenario: Preventing from a potential XSS attack during updating the address + Scenario: Preventing a potential XSS attack during updating the address When I want to edit the address of "Lucifer Morningstar" Then I should be able to update it without unexpected alert diff --git a/features/checkout/addressing_order/preventing_from_xss_attack_during_checkout.feature b/features/checkout/addressing_order/preventing_xss_attack_during_checkout.feature similarity index 85% rename from features/checkout/addressing_order/preventing_from_xss_attack_during_checkout.feature rename to features/checkout/addressing_order/preventing_xss_attack_during_checkout.feature index 848f166dce3..f8c11316fd4 100644 --- a/features/checkout/addressing_order/preventing_from_xss_attack_during_checkout.feature 
+++ b/features/checkout/addressing_order/preventing_xss_attack_during_checkout.feature @@ -1,5 +1,5 @@ @checkout -Feature: Preventing from a potential XSS attack during updating the address in the checkout +Feature: Preventing a potential XSS attack during updating the address in the checkout In order to keep my information safe As a Visitor I want to be protected against the potential XSS attacks @@ -12,7 +12,7 @@ Feature: Preventing from a potential XSS attack during updating the address in t And I am at the checkout addressing step @ui @javascript @no-api - Scenario: Preventing from a potential XSS attack during updating the address in the checkout + Scenario: Preventing a potential XSS attack during updating the address in the checkout When I specify the email as "john.doe@example.com" And I specify the billing address as "Ankh Morpork", "Frost Alley", "90210", "United States" for "Jon Doe" And I specify the province name manually as '">' for billing address From a17de6d1ed47155277732bcfab61fb491cac8cb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Pysiak?= Date: Fri, 10 May 2024 06:23:32 +0200 Subject: [PATCH 10/14] Test adding new taxon --- ...g_xss_attack_while_adding_a_new_taxon.feature | 16 ++++++++++++++++ .../Context/Ui/Admin/ManagingTaxonsContext.php | 1 + 2 files changed, 17 insertions(+) create mode 100644 features/taxonomy/managing_taxons/preventing_xss_attack_while_adding_a_new_taxon.feature diff --git a/features/taxonomy/managing_taxons/preventing_xss_attack_while_adding_a_new_taxon.feature b/features/taxonomy/managing_taxons/preventing_xss_attack_while_adding_a_new_taxon.feature new file mode 100644 index 00000000000..f3327f47328 --- /dev/null +++ b/features/taxonomy/managing_taxons/preventing_xss_attack_while_adding_a_new_taxon.feature 
@@ -0,0 +1,16 @@ +@managing_taxons +Feature: Preventing a potential XSS attack while adding new taxon + In order to keep my information safe + As an Administrator + I want to be protected against the potential XSS attacks + + Background: + Given the store operates on a single channel in "United States" + And the store has "Category" taxonomy + And the store has "" taxonomy + And I am logged in as an administrator + + @ui @javascript @no-api + Scenario: Preventing a potential XSS attack while adding new taxon + When I want to create a new taxon + Then I should be able to change its parent taxon to "Category" diff --git a/src/Sylius/Behat/Context/Ui/Admin/ManagingTaxonsContext.php b/src/Sylius/Behat/Context/Ui/Admin/ManagingTaxonsContext.php index 3a193a15730..5ae3bb21100 100644 --- a/src/Sylius/Behat/Context/Ui/Admin/ManagingTaxonsContext.php +++ b/src/Sylius/Behat/Context/Ui/Admin/ManagingTaxonsContext.php @@ -136,6 +136,7 @@ public function iDescribeItAs($description, $language) /** * @Given /^I set its (parent taxon to "[^"]+")$/ * @Given /^I change its (parent taxon to "[^"]+")$/ + * @Given /^I should be able to change its (parent taxon to "[^"]+")$/ */ public function iChangeItsParentTaxonTo(TaxonInterface $taxon) { From d25edf3ff097dbb704ecf4dc35b766526008516a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Pysiak?= Date: Fri, 10 May 2024 07:03:27 +0200 Subject: [PATCH 11/14] Test adding new simple product --- ..._xss_attack_while_adding_a_new_product.feature | 15 +++++++++++++++ .../Context/Ui/Admin/ManagingProductsContext.php | 1 + 2 files changed, 16 insertions(+) create mode 100644 features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature diff --git a/features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature b/features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature new file mode 100644 index 00000000000..ba056c0e90b --- /dev/null 
+++ b/features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature @@ -0,0 +1,15 @@ +@managing_products +Feature: Preventing a potential XSS attack while adding new product + In order to keep my information safe + As an Administrator + I want to be protected against the potential XSS attacks + + Background: + Given the store operates on a single channel in "United States" + And the store has "" taxonomy + And I am logged in as an administrator + + @ui @javascript @no-api + Scenario: Preventing a potential XSS attack while adding new product + When I want to create a new simple product + Then I should be able to name it "No XSS" in "English (United States)" diff --git a/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php b/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php index 0c17a02ced6..c490fe20794 100644 --- a/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php +++ b/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php @@ -88,6 +88,7 @@ public function iSpecifyItsCodeAs($code = null) * @When I do not name it * @When I name it :name in :language * @When I rename it to :name in :language + * @When I should be able to name it :name in :language */ public function iRenameItToIn(?string $name = null, ?string $language = null): void { From 63c3cf7a12ff7e1471ef3af2e2141c474e42aa03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Pysiak?= Date: Fri, 10 May 2024 07:23:18 +0200 Subject: [PATCH 12/14] Test adding similar products --- ...xss_attack_while_adding_a_new_product.feature | 7 +++++++ ...ting_xss_attack_while_editing_product.feature | 16 ++++++++++++++++ .../Context/Ui/Admin/ManagingProductsContext.php | 2 ++ 3 files changed, 25 insertions(+) create mode 100644 features/product/managing_products/preventing_xss_attack_while_editing_product.feature 
diff --git a/features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature b/features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature index ba056c0e90b..7820b56c223 100644 --- a/features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature +++ b/features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature @@ -7,9 +7,16 @@ Feature: Preventing a potential XSS attack while adding new product Background: Given the store operates on a single channel in "United States" And the store has "" taxonomy + And the store has "No XSS" taxonomy And I am logged in as an administrator @ui @javascript @no-api Scenario: Preventing a potential XSS attack while adding new product When I want to create a new simple product Then I should be able to name it "No XSS" in "English (United States)" + + @ui @javascript @no-api + Scenario: Preventing a potential XSS attack while choosing main taxon for a new product + When I want to create a new simple product + Then I should be able to choose main taxon "No XSS" + diff --git a/features/product/managing_products/preventing_xss_attack_while_editing_product.feature b/features/product/managing_products/preventing_xss_attack_while_editing_product.feature new file mode 100644 index 00000000000..2b058d1544e --- /dev/null +++ b/features/product/managing_products/preventing_xss_attack_while_editing_product.feature 
@@ -0,0 +1,16 @@ +@managing_products +Feature: Preventing a potential XSS attack while selecting similar product + In order to keep my information safe + As an Administrator + I want to be protected against the potential XSS attacks + + Background: + Given the store operates on a single channel in "United States" + And the store has a product association type "Accessories" + And the store has "" and "LG headphones" products + And I am logged in as an administrator + + @ui @javascript @no-api + Scenario: Preventing a potential XSS attack while editing product + When I want to create a new simple product + Then I should be able to associate as "Accessories" the "LG headphones" product diff --git a/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php b/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php index c490fe20794..4d78fa877e5 100644 --- a/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php +++ b/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php @@ -748,6 +748,7 @@ public function theOptionFieldShouldBeDisabled() /** * @When /^I choose main (taxon "[^"]+")$/ + * @When /^I should be able to choose main taxon "([^"]+)"$/ */ public function iChooseMainTaxon(TaxonInterface $taxon) { @@ -820,6 +821,7 @@ public function iAttachImageWithType($path, $type = null) /** * @When I associate as :productAssociationType the :productName product + * @When I should be able to associate as :productAssociationType the :productName product * @When I associate as :productAssociationType the :firstProductName and :secondProductName products */ public function iAssociateProductsAsProductAssociation( From 679e79352156f19e1747ab1d735070187b3788d7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20Pysiak?= Date: Fri, 10 May 2024 08:02:15 +0200 Subject: [PATCH 13/14] Fixes after CR --- src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php | 4 ++-- src/Sylius/Behat/Context/Ui/Admin/ManagingTaxonsContext.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php b/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php index 4d78fa877e5..5a32b027072 100644 --- a/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php +++ b/src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php @@ -748,7 +748,7 @@ public function theOptionFieldShouldBeDisabled() /** * @When /^I choose main (taxon "[^"]+")$/ - * @When /^I should be able to choose main taxon "([^"]+)"$/ + * @Then /^I should be able to choose main (taxon "[^"]+")$/ */ public function iChooseMainTaxon(TaxonInterface $taxon) { @@ -821,8 +821,8 @@ public function iAttachImageWithType($path, $type = null) /** * @When I associate as :productAssociationType the :productName product - * @When I should be able to associate as :productAssociationType the :productName product * @When I associate as :productAssociationType the :firstProductName and :secondProductName products + * @Then I should be able to associate as :productAssociationType the :productName product */ public function iAssociateProductsAsProductAssociation( ProductAssociationTypeInterface $productAssociationType, diff --git a/src/Sylius/Behat/Context/Ui/Admin/ManagingTaxonsContext.php b/src/Sylius/Behat/Context/Ui/Admin/ManagingTaxonsContext.php index 5ae3bb21100..3a31e7fda2e 100644 --- a/src/Sylius/Behat/Context/Ui/Admin/ManagingTaxonsContext.php +++ b/src/Sylius/Behat/Context/Ui/Admin/ManagingTaxonsContext.php 
@@ -136,7 +136,7 @@ public function iDescribeItAs($description, $language) /** * @Given /^I set its (parent taxon to "[^"]+")$/ * @Given /^I change its (parent taxon to "[^"]+")$/ - * @Given /^I should be able to change its (parent taxon to "[^"]+")$/ + * @Then /^I should be able to change its (parent taxon to "[^"]+")$/ */ public function iChangeItsParentTaxonTo(TaxonInterface $taxon) { From 3b82e93256911f6d908c736d4b747f737d3a0c92 Mon Sep 17 00:00:00 2001 From: Grzegorz Sadowski Date: Fri, 10 May 2024 09:45:26 +0200 Subject: [PATCH 14/14] [Behat] Minor scenarios improvements --- ... => preventing_xss_attack_while_adding_new_product.feature} | 3 +-- ...re => preventing_xss_attack_while_adding_new_taxon.feature} | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) rename features/product/managing_products/{preventing_xss_attack_while_adding_a_new_product.feature => preventing_xss_attack_while_adding_new_product.feature} (92%) rename features/taxonomy/managing_taxons/{preventing_xss_attack_while_adding_a_new_taxon.feature => preventing_xss_attack_while_adding_new_taxon.feature} (89%) diff --git a/features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature b/features/product/managing_products/preventing_xss_attack_while_adding_new_product.feature similarity index 92% rename from features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature rename to features/product/managing_products/preventing_xss_attack_while_adding_new_product.feature index 7820b56c223..8ab868842a6 100644 --- a/features/product/managing_products/preventing_xss_attack_while_adding_a_new_product.feature +++ b/features/product/managing_products/preventing_xss_attack_while_adding_new_product.feature 
@@ -1,5 +1,5 @@ @managing_products -Feature: Preventing a potential XSS attack while adding new product +Feature: Preventing a potential XSS attack while adding a new product In order to keep my information safe As an Administrator I want to be protected against the potential XSS attacks @@ -19,4 +19,3 @@ Feature: Preventing a potential XSS attack while adding new product Scenario: Preventing a potential XSS attack while choosing main taxon for a new product When I want to create a new simple product Then I should be able to choose main taxon "No XSS" - diff --git a/features/taxonomy/managing_taxons/preventing_xss_attack_while_adding_a_new_taxon.feature b/features/taxonomy/managing_taxons/preventing_xss_attack_while_adding_new_taxon.feature similarity index 89% rename from features/taxonomy/managing_taxons/preventing_xss_attack_while_adding_a_new_taxon.feature rename to features/taxonomy/managing_taxons/preventing_xss_attack_while_adding_new_taxon.feature index f3327f47328..72f507aad82 100644 --- a/features/taxonomy/managing_taxons/preventing_xss_attack_while_adding_a_new_taxon.feature +++ b/features/taxonomy/managing_taxons/preventing_xss_attack_while_adding_new_taxon.feature @@ -1,5 +1,5 @@ @managing_taxons -Feature: Preventing a potential XSS attack while adding new taxon +Feature: Preventing a potential XSS attack while adding a new taxon In order to keep my information safe As an Administrator I want to be protected against the potential XSS attacks