Merge remote-tracking branch 'origin/MC-13104' into 2.3-develop-pr75

Author: StasKozar

app/code/Magento/Catalog/Test/Mftf/Data/ProductData.xml

@@ -512,6 +512,11 @@
         <requiredEntity type="product_option">ProductOptionArea</requiredEntity>
         <requiredEntity type="product_option">ProductOptionFile</requiredEntity>
     </entity>
+    <entity name="ProductFileOptionWithScriptTag" type="product">
+        <var key="sku" entityType="product" entityKey="sku"/>
+        <data key="file">&lt;img src=x onerror='alert("XSS without &lt;script&gt;&lt;:script&gt; tags...")'&gt;.png</data>
+        <requiredEntity type="product_option">ProductOptionFile</requiredEntity>
+    </entity>
     <entity name="ApiVirtualProductWithDescription" type="product">
         <data key="sku" unique="suffix">api-virtual-product</data>
         <data key="type_id">virtual</data>

app/code/Magento/Catalog/Test/Mftf/Test/StorefrontVerifyCannotLoadFileWithIncorrectNameThroughCustomOptionsTest.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="StorefrontVerifyCannotLoadFileWithIncorrectNameThroughCustomOptionsTest">
+        <annotations>
+            <features value="Catalog"/>
+            <stories value="Custom options"/>
+            <title value="Verify cannot load file with incorrect name through Custom options"/>
+            <description value="Verify cannot load file with incorrect name through Custom options"/>
+            <severity value="CRITICAL"/>
+            <testCaseId value="MC-13104"/>
+            <group value="catalog"/>
+        </annotations>
+        <before>
+            <!-- Create customer -->
+            <createData entity="Simple_US_Customer" stepKey="createCustomer"/>
+            <!-- Create category -->
+            <createData entity="_defaultCategory" stepKey="createCategory"/>
+            <!-- Create simple product -->
+            <createData entity="_defaultProduct" stepKey="createProduct">
+                <requiredEntity createDataKey="createCategory"/>
+            </createData>
+            <!-- Add file upload custom option to the product -->
+            <updateData createDataKey="createProduct" entity="ProductFileOptionWithScriptTag" stepKey="updateProductWithOption"/>
+            <actionGroup ref="StorefrontCustomerLogoutActionGroup" stepKey="logoutCustomer"/>
+        </before>
+        <after>
+            <!-- Delete product -->
+            <deleteData createDataKey="createProduct" stepKey="deleteSimpleProduct"/>
+            <!-- Delete category -->
+            <deleteData createDataKey="createCategory" stepKey="deleteCategory"/>
+            <!-- Delete customer -->
+            <deleteData createDataKey="createCustomer" stepKey="deleteCustomer"/>
+            <actionGroup ref="StorefrontCustomerLogoutActionGroup" stepKey="logoutCustomer"/>
+        </after>
+
+        <!-- Login to storefront -->
+        <actionGroup ref="LoginToStorefrontActionGroup" stepKey="loginAsCustomer">
+            <argument name="Customer" value="$$createCustomer$$"/>
+        </actionGroup>
+
+        <!-- Open product page -->
+        <actionGroup ref="OpenStoreFrontProductPageActionGroup" stepKey="openProductPage">
+            <argument name="productUrlKey" value="$$createProduct.custom_attributes[url_key]$$"/>
+        </actionGroup>
+
+        <!-- Upload file -->
+        <actionGroup ref="StorefrontAttachOptionFileActionGroup" stepKey="selectAndAttachFile">
+            <argument name="optionTitle" value="ProductOptionFile"/>
+            <argument name="file" value="ProductFileOptionWithScriptTag.file"/>
+        </actionGroup>
+
+        <!-- Add product to cart -->
+        <click selector="{{StorefrontProductInfoMainSection.AddToCart}}" stepKey="clickAddToCartButton"/>
+        <waitForPageLoad stepKey="waitForProductAddToCart"/>
+
+        <!-- Assert alert message -->
+        <waitForElementVisible selector="{{StorefrontProductPageSection.alertMessage}}" stepKey="waitForElementVisible"/>
+        <see selector="{{StorefrontProductPageSection.alertMessage}}" userInput="The file is empty. Select another file and try again." stepKey="seeAlertMessage"/>
+
+        <!-- Assert cart is empty -->
+        <actionGroup ref="assertMiniCartEmpty" stepKey="assertMiniCartEmpty"/>
+    </test>
+</tests>