MC-5835: [Sec] XSS in Page Builder

danmooney2 · danmooney2 · commit 24de90f965cf · 2019-01-07T10:24:15.000-06:00
Move category argument to addCategoryConditionToProductsBlock to its own data entity
diff --git a/app/code/Magento/PageBuilder/Test/Mftf/Data/CommonContentTypeData.xml b/app/code/Magento/PageBuilder/Test/Mftf/Data/CommonContentTypeData.xml
@@ -121,4 +121,8 @@
         <data key="fieldName">message</data>
         <data key="value">Magento1111111 Page11111111111</data>
     </entity>
+    <!-- XSS Payload -->
+    <entity name="PageBuilderXSSPayloadProperty" type="pagebuilder_xss_payload">
+        <data key="value">&gt;&lt;img src=x onerror=throw(1)&gt;</data>
+    </entity>
 </entities>
diff --git a/app/code/Magento/PageBuilder/Test/Mftf/Test/AdminPageBuilderProductsTest.xml b/app/code/Magento/PageBuilder/Test/Mftf/Test/AdminPageBuilderProductsTest.xml
@@ -1394,7 +1394,7 @@
         </actionGroup>
         <actionGroup ref="addCategoryConditionToProductsBlock" stepKey="addCategory">
             <argument name="page" value="ProductsContentTypeForm"/>
-            <argument name="category" value="&gt;&lt;img src=x onerror=throw(1)&gt;"/>
+            <argument name="category" value="{{PageBuilderXSSPayloadProperty.value}}"/>
         </actionGroup>
         <actionGroup ref="saveEditPanelSettings" stepKey="saveEditPanelSettings"/>
         <!-- Validate Stage -->
