MC-11438: There is no XSS vulnerability if Create Order with sample email

Author: mkovdrysh

app/code/Magento/Catalog/Test/Mftf/ActionGroup/OpenStoreFrontProductPageActionGroup.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="OpenStoreFrontProductPageActionGroup">
+        <arguments>
+            <argument name="productUrlKey" type="string"/>
+        </arguments>
+        <amOnPage url="{{StorefrontProductPage.url(productUrlKey)}}" stepKey="amOnProductPage"/>
+        <waitForPageLoad stepKey="waitForProductPageLoad"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Checkout/Test/Mftf/ActionGroup/AssertAdminEmailValidationMessageOnCheckoutActionGroup.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AssertAdminEmailValidationMessageOnCheckoutActionGroup">
+        <arguments>
+            <argument name="message" type="string" defaultValue="Please enter a valid email address (Ex: [email protected])."/>
+        </arguments>
+        <waitForElementVisible selector="{{AdminOrderFormAccountSection.emailErrorMessage}}" stepKey="waitForFormValidation"/>
+        <see selector="{{AdminOrderFormAccountSection.emailErrorMessage}}" userInput="{{message}}" stepKey="seeTheErrorMessageIsDisplayed"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Customer/Test/Mftf/Data/CustomerData.xml

@@ -271,4 +271,17 @@
         <requiredEntity type="address">US_Address_TX</requiredEntity>
         <requiredEntity type="address">US_Address_NY_Not_Default_Address</requiredEntity>
     </entity>
+    <entity name="Simple_US_Customer_Incorrect_Email" type="customer">
+        <data key="group_id">0</data>
+        <data key="default_billing">true</data>
+        <data key="default_shipping">true</data>
+        <data key="email">&gt;&lt;script&gt;alert(1);&lt;/script&gt;@example.com</data>
+        <data key="firstname">John</data>
+        <data key="lastname">Doe</data>
+        <data key="fullname">John Doe</data>
+        <data key="password">pwdTest123!</data>
+        <data key="store_id">0</data>
+        <data key="website_id">0</data>
+        <requiredEntity type="address">US_Address_CA</requiredEntity>
+    </entity>
 </entities>

app/code/Magento/Sales/Test/Mftf/Section/AdminOrderFormAccountSection.xml

@@ -14,5 +14,6 @@
         <element name="requiredGroup" type="text" selector=".admin__field.required[data-ui-id='billing-address-fieldset-element-form-field-group-id']"/>
         <element name="requiredEmail" type="text" selector=".admin__field.required[data-ui-id='billing-address-fieldset-element-form-field-email']"/>
         <element name="defaultGeneral" type="text" selector="//*[contains(text(),'General')]" time="15"/>
+        <element name="emailErrorMessage" type="text" selector="#email-error"/>
     </section>
 </sections>

app/code/Magento/Sales/Test/Mftf/Test/CheckXSSVulnerabilityDuringOrderCreationTest.xml

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="CheckXSSVulnerabilityDuringOrderCreationTest">
+        <annotations>
+            <features value="Sales"/>
+            <stories value="Create order"/>
+            <title value="Check XSS vulnerability during order creation test"/>
+            <description value="Order should not be created with XSS vulnerability in email address"/>
+            <severity value="CRITICAL"/>
+            <testCaseId value="MC-11438"/>
+            <group value="sales"/>
+        </annotations>
+        <before>
+            <!-- Create product -->
+            <createData entity="SimpleProduct2" stepKey="createProduct"/>
+        </before>
+        <after>
+            <!-- Delete product -->
+            <deleteData createDataKey="createProduct" stepKey="deleteProduct"/>
+
+            <!-- Log out -->
+            <actionGroup ref="logout" stepKey="logout"/>
+        </after>
+
+        <!-- Add product to the shopping cart -->
+        <actionGroup ref="OpenStoreFrontProductPageActionGroup" stepKey="openProductPage">
+            <argument name="productUrlKey" value="$$createProduct.custom_attributes[url_key]$$"/>
+        </actionGroup>
+        <actionGroup ref="StorefrontAddProductToCartActionGroup" stepKey="addProductToCart">
+            <argument name="product" value="$$createProduct$$"/>
+            <argument name="productCount" value="1"/>
+        </actionGroup>
+
+        <!-- Try to create order on Storefront with provided email  -->
+        <actionGroup ref="GoToCheckoutFromMinicartActionGroup" stepKey="goToCheckoutFromMinicart"/>
+        <actionGroup ref="StorefrontFillEmailFieldOnCheckoutActionGroup" stepKey="fillIncorrectEmailStorefront">
+            <argument name="email" value="{{Simple_US_Customer_Incorrect_Email.email}}"/>
+        </actionGroup>
+
+        <!-- Order can not be created -->
+        <actionGroup ref="AssertStorefrontEmailValidationMessageOnCheckoutActionGroup" stepKey="assertErrorMessageStorefront"/>
+
+        <!-- Login as admin -->
+        <actionGroup ref="LoginAsAdmin" stepKey="loginAsAdmin"/>
+
+        <!-- Try to create order in admin with provided email -->
+        <actionGroup ref="navigateToNewOrderPageNewCustomerSingleStore" stepKey="navigateToNewOrderPage"/>
+        <fillField selector="{{AdminOrderFormAccountSection.email}}" userInput="{{Simple_US_Customer_Incorrect_Email.email}}" stepKey="fillEmailAddressAdminPanel"/>
+        <click selector="{{AdminOrderFormActionSection.submitOrder}}" stepKey="clickSubmitOrder"/>
+
+        <!-- Order can not be created -->
+        <actionGroup ref="AssertAdminEmailValidationMessageOnCheckoutActionGroup" stepKey="assertErrorMessageAdminPanel"/>
+    </test>
+</tests>