Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (5.0/Cloud)

80729: Merged WAT1 (5.0/Cloud) to HEAD-BUG-FIX (5.0/Cloud)
      78874: Added tests for facet config rest api (Cloud). Part of ACE-1582


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@83027 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/test-java/org/alfresco/repo/web/scripts/solr/facet/FacetRestApiTest.java

@@ -472,6 +472,35 @@ public class FacetRestApiTest extends BaseWebScriptTest
             }
         }, SEARCH_ADMIN_USER);
 
+        // Admin tries to create a filter with a malicious FilterID
+        AuthenticationUtil.runAs(new RunAsWork<Void>()
+        {
+            @Override
+            public Void doWork() throws Exception
+            {
+                Response response = sendRequest(new GetRequest(GET_FACETS_URL), 200);
+                JSONObject jsonRsp = new JSONObject(new JSONTokener(response.getContentAsString()));
+                JSONArray facetsArray = (JSONArray) jsonRsp.get(FACETS);
+                assertNotNull("JSON 'facets' array was null", facetsArray);
+                final List<String> facets = getListFromJsonArray(facetsArray);
+
+                filter.put("filterID", "<script>alert('Maliciouse-FilterID')</script>");
+                // Post the filter
+                sendRequest(new PostRequest(POST_FACETS_URL, filter.toString(), "application/json"), 500);
+
+                // Retrieve all filters
+                response = sendRequest(new GetRequest(GET_FACETS_URL), 200);
+                jsonRsp = new JSONObject(new JSONTokener(response.getContentAsString()));
+                facetsArray = (JSONArray) jsonRsp.get(FACETS);
+
+                assertNotNull("JSON 'facets' array was null", facetsArray);
+                final List<String> newFacets = getListFromJsonArray(facetsArray);
+                assertEquals(facets, newFacets);
+
+                return null;
+            }
+        }, SEARCH_ADMIN_USER);
+
     }
 
     public void testUpdateSingleValue() throws Exception