From 5bb3de71950bcf20691e10fd56a0f1fc4c34fb28 Mon Sep 17 00:00:00 2001 From: Will Abson Date: Wed, 3 Sep 2014 16:44:52 +0000 Subject: [PATCH] Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (5.0/Cloud) 80729: Merged WAT1 (5.0/Cloud) to HEAD-BUG-FIX (5.0/Cloud) 78874: Added tests for facet config rest api (Cloud). Part of ACE-1582 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@83027 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../scripts/solr/facet/FacetRestApiTest.java | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/source/test-java/org/alfresco/repo/web/scripts/solr/facet/FacetRestApiTest.java b/source/test-java/org/alfresco/repo/web/scripts/solr/facet/FacetRestApiTest.java index bd1f8b6ed9..1bee16da2e 100644 --- a/source/test-java/org/alfresco/repo/web/scripts/solr/facet/FacetRestApiTest.java +++ b/source/test-java/org/alfresco/repo/web/scripts/solr/facet/FacetRestApiTest.java 
@@ -472,6 +472,35 @@ public class FacetRestApiTest extends BaseWebScriptTest } }, SEARCH_ADMIN_USER); + // Admin tries to create a filter with a malicious FilterID + AuthenticationUtil.runAs(new RunAsWork() + { + @Override + public Void doWork() throws Exception + { + Response response = sendRequest(new GetRequest(GET_FACETS_URL), 200); + JSONObject jsonRsp = new JSONObject(new JSONTokener(response.getContentAsString())); + JSONArray facetsArray = (JSONArray) jsonRsp.get(FACETS); + assertNotNull("JSON 'facets' array was null", facetsArray); + final List facets = getListFromJsonArray(facetsArray); + + filter.put("filterID", ""); + // Post the filter + sendRequest(new PostRequest(POST_FACETS_URL, filter.toString(), "application/json"), 500); + + // Retrieve all filters + response = sendRequest(new GetRequest(GET_FACETS_URL), 200); + jsonRsp = new JSONObject(new JSONTokener(response.getContentAsString())); + facetsArray = (JSONArray) jsonRsp.get(FACETS); + + assertNotNull("JSON 'facets' array was null", facetsArray); + final List newFacets = getListFromJsonArray(facetsArray); + assertEquals(facets, newFacets); + + return null; + } + }, SEARCH_ADMIN_USER); + } public void testUpdateSingleValue() throws Exception
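Review bot: The POST of the bad filterID in the new `doWork()` block is asserted to return 500, which records an internal server error as the expected result for rejected input and cannot be told apart from an unrelated unhandled exception. If the endpoint is meant to validate the ID, a 4xx assertion would pin that behaviour; if 500 is what the web script currently produces, a comment such as `// filterID validation currently surfaces as a 500; tighten to 400 once the API rejects it explicitly` would record the intent. As displayed, `filter.put("filterID", "")` sends an empty string, so either the payload was lost when the page was rendered or the test covers only the empty-ID case rather than the "malicious" one the comment names. The response of the failed POST is discarded; capturing it and asserting that `getContentAsString()` does not contain the submitted ID would also guard against the value being echoed back in the error body. The enclosing test method and the `filter` object are defined outside this hunk, so this is judged on the added lines only.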