Merged V3.0 to HEAD

12310: Merged V2.2 to V3.0
    12306: Merged V2.1 to V2.2
      12212: Final set of XSS and HTML encoding fixes for ETWOONE-90
  12312: Merged V2.2 to V3.0
    12311: Merged V2.1 to V2.2
      11667: Fix for ETWOONE-389 - Current page number not always visible on the browse screen.
  12316: Fix for merge issue
  12317: Merged 2.1 to 3.0
    12313: Fix for regression introduced when fixing ETWOONE-91. Also fixes ETHREEOH-1043
  12319: Final set of XSS fixes specific to 3.0 codeline see ETWOONE-90
  12321: Missing file from previous checkin
  12324: Merged 2.2 to 3.0
    12320: Merged 2.1 to 2.2
      11682: Fix for ETWOONE-87: Behavior of delete cascade
  12326: Merge 2.1 to 3.0
    11615: Fix for ETWOONE-188: After session has timed out, expanding a space in the Navigator results in unfriendly error


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@12531 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/web/ui/repo/component/AbstractItemSelector.java

@@ -301,7 +301,7 @@ public abstract class AbstractItemSelector extends UIInput
                {
                   // build a comma separated list of node names
                   List nodes = (List)val;
-                  StringBuilder buffer = new StringBuilder();
+                  StringBuilder buffer = new StringBuilder(64);
                   for (Object obj : nodes)
                   {
                      if (buffer.length() != 0)
@@ -311,7 +311,7 @@ public abstract class AbstractItemSelector extends UIInput
                      
                      if (obj instanceof NodeRef)
                      {
-                        buffer.append(Repository.getNameForNode(service, (NodeRef)obj));
+                        buffer.append(Utils.encode(Repository.getNameForNode(service, (NodeRef)obj)));
                      }
                      else
                      {
@@ -327,7 +327,7 @@ public abstract class AbstractItemSelector extends UIInput
             // if there is a value show it's name
             if (nodeRef != null)
             {
-               out.write(Repository.getNameForNode(service, nodeRef));
+               out.write(Utils.encode(Repository.getNameForNode(service, nodeRef)));
             }
          }
          else
@@ -447,7 +447,7 @@ public abstract class AbstractItemSelector extends UIInput
                         .append(attrs.get("nodeStyleClass"));
                   }
                   buf.append(">")
-                     .append(label)
+                     .append(Utils.encode(label))
                      .append("</a></span>");
                      
                   break;

source/java/org/alfresco/web/ui/repo/component/UIContentSelector.java

@@ -329,9 +329,9 @@ public class UIContentSelector extends UIInput
             out.write("<option value='");
             out.write(item.toString());
             out.write("'>");
-            out.write(Repository.getDisplayPath(nodeService.getPath(item)));
+            out.write(Utils.encode(Repository.getDisplayPath(nodeService.getPath(item))));
             out.write("/");
-            out.write(Repository.getNameForNode(nodeService, item));
+            out.write(Utils.encode(Repository.getNameForNode(nodeService, item)));
             out.write("</option>");
          }
       }

source/java/org/alfresco/web/ui/repo/component/UINavigator.java

@@ -292,7 +292,7 @@ public class UINavigator extends SelfRenderingComponent
       out.write("<a class='sidebarButtonSelectedLink' onclick=\"");
       out.write(Utils.generateFormSubmit(context, this, getClientId(context), PANEL_ACTION + area));
       out.write("\" href=\"#\">");
-      out.write(areaTitle);
+      out.write(Utils.encode(areaTitle));
       out.write("</a></div>");
       
       // generate the javascript method to capture the tree node click events

source/java/org/alfresco/web/ui/repo/component/UINodeWorkflowInfo.java

@@ -245,7 +245,7 @@ public class UINodeWorkflowInfo extends SelfRenderingComponent
             actionPattern = Application.getMessage(FacesContext.getCurrentInstance(), "space_action");
          }
          Object[] params = new Object[] {action, approveFolderName, Utils.encode(approveStepName)};
-         out.write(MessageFormat.format(actionPattern, params));
+         out.write(Utils.encode(MessageFormat.format(actionPattern, params)));
          
          // add details of the reject step if there is one
          if (rejectStepName != null && rejectMove != null && rejectFolderName != null)
@@ -261,7 +261,7 @@ public class UINodeWorkflowInfo extends SelfRenderingComponent
             
             out.write(" ");
             params = new Object[] {action, rejectFolderName, Utils.encode(rejectStepName)};
-            out.write(MessageFormat.format(actionPattern, params));
+            out.write(Utils.encode(MessageFormat.format(actionPattern, params)));
          }
       }
       else

source/java/org/alfresco/web/ui/repo/component/UIOpenSearch.java

@@ -39,6 +39,7 @@ import org.alfresco.repo.web.scripts.bean.SearchProxy;
 import org.alfresco.repo.web.scripts.config.OpenSearchConfigElement;
 import org.alfresco.repo.web.scripts.config.OpenSearchConfigElement.EngineConfig;
 import org.alfresco.web.app.Application;
+import org.alfresco.web.ui.common.Utils;
 import org.alfresco.web.ui.common.component.SelfRenderingComponent;
 import org.springframework.web.jsf.FacesContextUtils;
 
@@ -239,7 +240,7 @@ public class UIOpenSearch extends SelfRenderingComponent
          out.write(engine.getId());
          out.write("-engine-enabled' type='checkbox' checked='checked' />");
          out.write("</td><td>");
-         out.write(engine.getLabel());
+         out.write(Utils.encode(engine.getLabel()));
          out.write("</td></tr>");
       }
       out.write("</table></div></div>\n");

source/java/org/alfresco/web/ui/repo/component/UIWorkflowHistory.java

@@ -192,7 +192,7 @@ public class UIWorkflowHistory extends SelfRenderingComponent
                out.write("<tr><td>");
                out.write(desc == null ? "" : Utils.encode(desc));
                out.write("</td><td>");
-               out.write(task.title);
+               out.write(Utils.encode(task.title));
                out.write("</td><td>");
                out.write(id.toString());
                out.write("</td><td>");

source/java/org/alfresco/web/ui/repo/component/property/BaseAssociationEditor.java

@@ -733,9 +733,9 @@ public abstract class BaseAssociationEditor extends UIInput
       }
       else
       {
-         out.write(Repository.getDisplayPath(nodeService.getPath(targetRef)));
+         out.write(Utils.encode(Repository.getDisplayPath(nodeService.getPath(targetRef))));
          out.write("/");
-         out.write(Repository.getNameForNode(nodeService, targetRef));
+         out.write(Utils.encode(Repository.getNameForNode(nodeService, targetRef)));
       }
       
       out.write("</td><td class='");
@@ -882,9 +882,9 @@ public abstract class BaseAssociationEditor extends UIInput
                   out.write("<option value='");
                   out.write(item.toString());
                   out.write("'>");
-                  out.write(Repository.getDisplayPath(nodeService.getPath(item)));
+                  out.write(Utils.encode(Repository.getDisplayPath(nodeService.getPath(item))));
                   out.write("/");
-                  out.write(Repository.getNameForNode(nodeService, item));
+                  out.write(Utils.encode(Repository.getNameForNode(nodeService, item)));
                   out.write("</option>");
                }
             }

source/java/org/alfresco/web/ui/repo/component/property/UIAssociationEditor.java

@@ -196,7 +196,7 @@ public class UIAssociationEditor extends BaseAssociationEditor
             	   displayString = Application.getMessage(context, MSG_WARN_CANNOT_VIEW_TARGET_DETAILS);
                }
             
-               out.write(displayString);
+               out.write(Utils.encode(displayString));
             }
             out.write("</td></tr>");
          }