From c993293931d25d96d762045fbe04e1a46332c58e Mon Sep 17 00:00:00 2001 
From: Alan Davis Date: Sat, 31 Jan 2015 15:22:44 +0000 Subject: [PATCH] Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.1/Cloud) 93834: Merged 5.0.N (5.0.1) to HEAD-BUG-FIX (5.1/Cloud) 93734: Merged V4.2-BUG-FIX (4.2.5) to 5.0.N (5.0.1) - SOURCE/root/projects/remote-api/config/alfresco/templates/webscripts/org/alfresco/collaboration/calendar.get.html.ftl was removed from 5.0 as part of an EOL activity 93559: Merged V4.2.4 (4.2.4) to V4.2-BUG-FIX (4.2.5) 93544: Merged DEV to V4.2.4 (4.2.4) 93482: MNT-13174: /share/service/components/form {htmlid} unsanitized: XSS vulnerability - Add html escape to avoid XSS vulnerability 93545: Merged DEV to V4.2.4 (4.2.4) 93508 : MNT-13177 : /alfresco/wcservice/search/keyword {l} unsanitized: XSS vulnerability - Escape search.localeId property 93549: Merged DEV to V4.2.4 (4.2.4) 93540 : MNT-13173 : /share/service/components/form {destination} unsanitized: XSS vulnerability - Add html escape to avoid XSS vulnerability 93555: Merged DEV to V4.2.4 (4.2.4) 93476: MNT-13178: /alfresco/wcservice/api/search/person {l} unsanitized: XSS vulnerability - Add url escape to avoid XSS vulnerability 93556: Merged DEV to V4.2.4 (4.2.4) 93477: MNT-13176 : /alfresco/wcservice/collaboration/calendar {nodeRef} unsanitized: XSS vulnerability - Added ?html built-in processing for nodeRef argument. 
93718: Merged V4.2.4 (4.2.4) to V4.2-BUG-FIX (4.2.5) 93671: Merged DEV to PATCHES/V4.2.4 (4.2.4) 93661: MNT-13180: go through all API URI and confirm all parameters are sanitized - Add unit test that checks all webscripts for sanitized parameters 93672: MNT-13190: /alfresco/wcservice/sample/blog/search {q} unsanitized: XSS vulnerability Add html escape to fix XSS vulnerability 93691: MNT-13190: /alfresco/wcservice/sample/blog/search {q} unsanitized: XSS vulnerability Patch imported blogsearch template git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@94995 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../webscripts/blogsearch.get.atom.ftl | 2 +- .../webscripts/blogsearch.get.html.ftl | 2 +- .../messages/patch-service.properties | 4 + .../alfresco/patch/patch-services-context.xml | 23 ++++ config/alfresco/version.properties | 2 +- .../admin/patch/impl/FixTemplatePatch.java | 108 ++++++++++++++++++ 6 files changed, 138 insertions(+), 3 deletions(-) create mode 100755 source/java/org/alfresco/repo/admin/patch/impl/FixTemplatePatch.java diff --git a/config/alfresco/bootstrap/webscripts/blogsearch.get.atom.ftl b/config/alfresco/bootstrap/webscripts/blogsearch.get.atom.ftl index a8a3149cb4..5c32f0864e 100644 --- a/config/alfresco/bootstrap/webscripts/blogsearch.get.atom.ftl +++ b/config/alfresco/bootstrap/webscripts/blogsearch.get.atom.ftl @@ -1,7 +1,7 @@ Alfresco (${server.edition}) - Blog query: ${args.q} + Blog query: ${args.q?html} ${xmldate(date)} ${absurl(url.context)}/images/logo/AlfrescoLogo16.ico <#list resultset as node> diff --git a/config/alfresco/bootstrap/webscripts/blogsearch.get.html.ftl b/config/alfresco/bootstrap/webscripts/blogsearch.get.html.ftl index 912a9d4983..18909d903c 100644 --- a/config/alfresco/bootstrap/webscripts/blogsearch.get.html.ftl +++ b/config/alfresco/bootstrap/webscripts/blogsearch.get.html.ftl @@ -1,7 +1,7 @@ Alfresco - Blog query: ${args.q} + Blog query: ${args.q?html}
<#list resultset as node> diff --git a/config/alfresco/messages/patch-service.properties b/config/alfresco/messages/patch-service.properties index 8e8e11507c..82909c03e7 100644 --- a/config/alfresco/messages/patch-service.properties +++ b/config/alfresco/messages/patch-service.properties @@ -149,6 +149,10 @@ patch.tagRootCategory.description=Adds 'Tags' as new top-level category root. patch.sitesFolder.description=Adds 'Sites' folder to Company Home. +patch.fixWebscriptTemplate.description=Reimport fixed sample template. +patch.fixWebscriptTemplate.skip=Template not found. Skipping. +patch.fixWebscriptTemplate.result=Fixed template was updated. + patch.updateDmPermissions.description=Update ACLs on all DM node objects to the new 3.0 permission model patch.db-V3.0-0-CreateActivitiesExtras.description=Replaced by 'patch.db-V3.0-ActivityTables', which must run first. diff --git a/config/alfresco/patch/patch-services-context.xml b/config/alfresco/patch/patch-services-context.xml index 8f85fbd4ed..330300d4ca 100644 --- a/config/alfresco/patch/patch-services-context.xml +++ b/config/alfresco/patch/patch-services-context.xml @@ -1096,4 +1096,27 @@ + + + + + 0 + + + 9000 + + + 9001 + + + + + /app:company_home/app:dictionary/cm:webscripts/cm:org/cm:alfresco/cm:sample/cm:blogsearch.get.html.ftl + + + alfresco/bootstrap/webscripts/blogsearch.get.html.ftl + + + diff --git a/config/alfresco/version.properties b/config/alfresco/version.properties index f44ac30a94..b1ae0d1b6f 100644 --- a/config/alfresco/version.properties +++ b/config/alfresco/version.properties @@ -23,4 +23,4 @@ version.build=r@scm-revision@-b@build-number@ # Schema number -version.schema=9000 +version.schema=9001 diff --git a/source/java/org/alfresco/repo/admin/patch/impl/FixTemplatePatch.java b/source/java/org/alfresco/repo/admin/patch/impl/FixTemplatePatch.java new file mode 100755 index 0000000000..da2d07c498 --- /dev/null +++ b/source/java/org/alfresco/repo/admin/patch/impl/FixTemplatePatch.java 
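Review bot: The new patch bean in patch-services-context.xml re-imports only the HTML template (`cm:blogsearch.get.html.ftl` from `alfresco/bootstrap/webscripts/blogsearch.get.html.ftl`), while the diffstat and the first hunk show `blogsearch.get.atom.ftl` receiving the same `${args.q?html}` fix; if the atom template is bootstrapped into the dictionary alongside the HTML one, repositories upgraded by this patch keep an unescaped copy of it. A second bean definition (same class, `target`/`source` pointing at the atom template) would close that gap. The bean's element names are stripped in this rendering, so this is inferred from the two path values visible in the hunk.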
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ */
+package org.alfresco.repo.admin.patch.impl;
+
+import java.io.InputStream;
+import java.util.List;
+
+import org.alfresco.model.ContentModel;
+import org.alfresco.repo.admin.patch.AbstractPatch;
+import org.alfresco.repo.content.MimetypeMap;
+import org.alfresco.repo.model.Repository;
+import org.alfresco.service.cmr.repository.ContentService;
+import org.alfresco.service.cmr.repository.ContentWriter;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.springframework.extensions.surf.util.I18NUtil;
+
+/**
+ * MNT-13190: Fix template
+ *
+ * @author Viachaslau Tsikhanovich
+ *
+ */
+public class FixTemplatePatch extends AbstractPatch
+{
+ private static final String MSG_SUCCESS = "patch.fixWebscriptTemplate.result";
+ private static final String MSG_SKIP = "patch.fixWebscriptTemplate.skip";
+
+ private Repository repository;
+ protected ContentService contentService;
+ private String target;
+ private String source;
+
+ public void setRepository(Repository repository)
+ {
+ this.repository = repository;
+ }
+
+ public void setContentService(ContentService contentService)
+ {
+ this.contentService = contentService;
+ }
+
+ public void setTarget(String target)
+ {
+ this.target = target;
+ }
+
+ public void setSource(String source)
+ {
+ this.source = source;
+ }
+
+
+ @Override
+ protected String applyInternal() throws Exception
+ {
+ List refs = searchService.selectNodes(
+ repository.getRootHome(),
+ target,
+ null,
+ namespaceService,
+ false);
+ if (refs.size() < 1)
+ {
+ // skip as it can be deleted
+ return I18NUtil.getMessage(MSG_SKIP);
+ }
+ else
+ {
+ updateContent(refs.get(0));
+ }
+
+ return I18NUtil.getMessage(MSG_SUCCESS);
+ }
+
+ private void updateContent(NodeRef nodeRef)
+ {
+ // Make versionable
+ nodeService.addAspect(nodeRef, ContentModel.ASPECT_VERSIONABLE, null);
+
+ // Update content
+ InputStream is = this.getClass().getClassLoader().getResourceAsStream(source);
+ if (is != null)
+ {
+ ContentWriter contentWriter = contentService.getWriter(nodeRef, ContentModel.PROP_CONTENT, true);
+ contentWriter.setMimetype(MimetypeMap.MIMETYPE_TEXT_PLAIN);
+ contentWriter.setEncoding("UTF-8");
+ contentWriter.putContent(is);
+ }
+ }
+
+}
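Review bot: The stream opened in `updateContent` via `getResourceAsStream(source)` is never closed by this class, so it leaks if `contentService.getWriter` or `setMimetype` throws before `putContent`, and also on the happy path unless the ContentWriter contract guarantees closing its argument; unless that guarantee is documented, wrap it as `try (InputStream is = this.getClass().getClassLoader().getResourceAsStream(source)) { ... }` and keep the null check inside. The `refs` list in `applyInternal` is a raw `List`, which makes `updateContent(refs.get(0))` an unchecked call; `List<NodeRef> refs = searchService.selectNodes(...)` with `if (refs.isEmpty())` reads more clearly and drops the redundant `else` after the early return. The class Javadoc `MNT-13190: Fix template` says nothing about what `target` and `source` are; a one-sentence summary such as `Overwrites the repository copy of a webscript template (XPath in target) with the fixed classpath resource in source, after making the node versionable so the previous content is retained.` would let an upgrader understand the patch without reading the bean definition.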