Merged V3.0 to HEAD (fixes ALFCOM-2311 & ALFCOM-2332)

12718: Merged V2.2 to V3.0
      12706: Merged V2.1 to V2.2
         12693: Fixed regression where summary pages of WCM related wizards do not render correctly after XSS fixes, related to ETWOTWO-987

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@12722 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/web/bean/wcm/CreateFormWizard.java

@@ -188,6 +188,14 @@ public class CreateFormWizard extends BaseWizardBean
          return this.renderingEngineDescriptionAttribute;
       }
       
+      public String getRenderingEngineLabelAttribute()
+      {
+         StringBuilder builder = new StringBuilder("<b>");
+         builder.append(Utils.encode(this.title));
+         builder.append("</b>");
+         return builder.toString();
+      }
+
       public String toString()
       {
          return (this.getClass().getName() + "{" +
@@ -539,6 +547,18 @@ public class CreateFormWizard extends BaseWizardBean
        return this.formDescriptionAttribute;
    }
    
+   /**
+    *
+    * @return HTML code for the form label
+    */
+   public String getFormLabelAttribute()
+   {
+      StringBuilder builder = new StringBuilder("<b>");
+      builder.append(Utils.encode(this.getFormTitle()));
+      builder.append("</b>");
+      return builder.toString();
+   }
+
    /**
     * 
     * @return Returns HTML code of the formDescriptionAttribute
@@ -554,6 +574,24 @@ public class CreateFormWizard extends BaseWizardBean
        return this.workflowDescriptionAttribute;
    }
    
+   /**
+    * 
+    * @return Returns HTML code of the workflow label
+    */
+   public String getWorkflowLabelAttribute()
+   {
+      StringBuilder builder = new StringBuilder("<b>");
+      
+      WorkflowDefinition wkDef = this.getDefaultWorkflowDefinition();
+      if (wkDef != null)
+      {
+         builder.append(Utils.encode(wkDef.getTitle()));
+      }
+      
+      builder.append("</b>");
+      return builder.toString();
+   }
+   
    /**
     * @return Returns the output path for the rendition.
     */

source/java/org/alfresco/web/bean/wcm/CreateWebContentWizard.java

@@ -895,6 +895,14 @@ public class CreateWebContentWizard extends CreateContentWizard
        return this.formDescriptionAttribute;
    }
    
+   public String getFormLabelAttribute()
+   {
+      StringBuilder builder = new StringBuilder("<b>");
+      builder.append(Utils.encode(this.getFormInstanceData().getName()));
+      builder.append("</b>");
+      return builder.toString();
+   }
+
    // ------------------------------------------------------------------------------
    // Action event handlers
 

source/java/org/alfresco/web/bean/wcm/CreateWebsiteWizard.java

@@ -1355,6 +1355,18 @@ public class CreateWebsiteWizard extends BaseWizardBean
        return this.websiteDescriptionAttribute;
    }
    
+   /**
+    * 
+    * @return Returns HTML for website label
+    */
+   public String getWebsiteLabelAttribute()
+   {
+      StringBuilder builder = new StringBuilder("<b>");
+      builder.append(Utils.encode(this.name));
+      builder.append("</b>");
+      return builder.toString();
+   }
+   
    /**
     * 
     * @return Returns a HTML code for "description" attribute
@@ -1456,6 +1468,14 @@ public class CreateWebsiteWizard extends BaseWizardBean
           return this.formDescriptionAttribute;
       }
       
+      public String getFormLabelAttribute()
+      {
+         StringBuilder builder = new StringBuilder("<b>");
+         builder.append(Utils.encode(this.getName()));
+         builder.append("</b>");
+         return builder.toString();
+      }
+
       /**
        * @return Returns the workflow.
        */
@@ -1744,6 +1764,18 @@ public class CreateWebsiteWizard extends BaseWizardBean
           return this.workflowDescriptionAttribute;
       }
 
+      /**
+       * 
+       * @return Returns HTML for the workflow label
+       */
+      public String getWorkflowLabelAttribute()
+      {
+         StringBuilder builder = new StringBuilder("<b>");
+         builder.append(Utils.encode(this.title));
+         builder.append("</b>");
+         return builder.toString();
+      }
+
       /**
        * 
        * @return Returns HTML representation of the "description" attribute
@@ -1799,6 +1831,14 @@ public class CreateWebsiteWizard extends BaseWizardBean
           return this.userDescriptionAttribute;
       }
       
+      public String getUserLabelAttribute()
+      {
+         StringBuilder builder = new StringBuilder("<b>");
+         builder.append(Utils.encode(this.name));
+         builder.append("</b>");
+         return builder.toString();
+      }
+      
       private String buildUserDescriptionAttribute()
       {
           FacesContext fc = FacesContext.getCurrentInstance();

source/java/org/alfresco/web/bean/wcm/DescriptionAttributeHelper.java

@@ -3,6 +3,7 @@ package org.alfresco.web.bean.wcm;
 import javax.faces.context.FacesContext;
 
 import org.alfresco.web.app.Application;
+import org.alfresco.web.ui.common.Utils;
 import org.apache.commons.lang.StringUtils;
 
 /**
@@ -43,7 +44,8 @@ public class DescriptionAttributeHelper
     public static String getTableLine(FacesContext fc, String fieldName, String fieldValue)
     {
         StringBuilder line = new StringBuilder(128);
-        line.append(TRTD_BEGIN).append(Application.getMessage(fc, fieldName)).append(TD_TD).append(fieldValue).append(TDTR_END);
+        line.append(TRTD_BEGIN).append(Application.getMessage(fc, fieldName)).
+           append(TD_TD).append(Utils.encode(fieldValue)).append(TDTR_END);
         return line.toString();
     }
     

source/java/org/alfresco/web/forms/Rendition.java

@@ -67,6 +67,9 @@ public interface Rendition
    /** the output stream for the rendition */
    public OutputStream getOutputStream();
 
+   /** the HTML label attribute for UI */
+   public String getLabelAttribute();
+   
    /** the HTML description attribute for UI */
    public String getDescriptionAttribute();
 

source/java/org/alfresco/web/forms/RenditionImpl.java

@@ -42,6 +42,7 @@ import org.alfresco.util.Pair;
 import org.alfresco.web.app.servlet.FacesHelper;
 import org.alfresco.web.bean.repository.Repository;
 import org.alfresco.web.bean.wcm.AVMUtil;
+import org.alfresco.web.ui.common.Utils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -279,6 +280,14 @@ import org.xml.sax.SAXException;
        return this.descriptionAttribute;
    }
    
+   public String getLabelAttribute()
+   {
+      StringBuilder builder = new StringBuilder("<b>");
+      builder.append(Utils.encode(this.getName()));
+      builder.append("</b>");
+      return builder.toString();
+   }
+
    private String buildDescriptionAttribute()
    {
        int hashCode = hashCode();

source/java/org/alfresco/web/ui/common/component/UISelectList.java

@@ -67,6 +67,8 @@ public class UISelectList extends UIInput implements NamingContainer
    private int rowIndex = -1;
    private int itemCount;
    private String onchange = null;
+   private Boolean escapeItemLabel;
+   private Boolean escapeItemDescription;
    
    // ------------------------------------------------------------------------------
    // Component Impl 
@@ -99,6 +101,8 @@ public class UISelectList extends UIInput implements NamingContainer
       this.activeSelect = (Boolean)values[2];
       this.itemCount = (Integer)values[3];
       this.onchange = (String)values[4];
+      this.escapeItemLabel = (Boolean)values[5];
+      this.escapeItemDescription = (Boolean)values[6];
    }
    
    /**
@@ -112,7 +116,9 @@ public class UISelectList extends UIInput implements NamingContainer
          this.multiSelect,
          this.activeSelect,
          this.itemCount,
-         this.onchange
+         this.onchange,
+         this.escapeItemLabel,
+         this.escapeItemDescription
       };
    }
    
@@ -326,6 +332,8 @@ public class UISelectList extends UIInput implements NamingContainer
       throws IOException
    {
       boolean activeSelect = isActiveSelect();
+      boolean escapeLabel = getEscapeItemLabel();
+      boolean escapeDescription = getEscapeItemDescription();
       
       // begin the row, add tooltip if present
       String tooltip = item.getTooltip();
@@ -394,17 +402,32 @@ public class UISelectList extends UIInput implements NamingContainer
       }
       
       // label and description text
+      String label = item.getLabel();
       String description = item.getDescription();
       out.write("<td width=100%");
       Utils.outputAttribute(out, getAttributes().get("itemStyle"), "style");
       Utils.outputAttribute(out, getAttributes().get("itemStyleClass"), "class");
       out.write("><div style='padding:2px'>");
-      out.write(Utils.encode(item.getLabel()));
+      if (escapeLabel)
+      {
+         out.write(Utils.encode(label));
+      }
+      else
+      {
+         out.write(label);
+      }
       out.write("</div>");
       if (description != null)
       {
          out.write("<div style='padding:2px'>");
+         if (escapeDescription)
+         {
             out.write(Utils.encode(description));
+         }
+         else
+         {
+            out.write(description);
+         }
          out.write("</div>");
       }
       out.write("</td>");
@@ -520,6 +543,57 @@ public class UISelectList extends UIInput implements NamingContainer
       this.activeSelect = activeSelect;
    }
    
+   /**
+    * Get the escape item label flag
+    *
+    * @return true if the items label should be escaped, false otherwise
+    */
+   public boolean getEscapeItemLabel()
+   {
+      ValueBinding vb = getValueBinding("escapeItemLabel");
+      if (vb != null)
+      {
+         this.escapeItemLabel = (Boolean)vb.getValue(getFacesContext());
+      }
+      
+      return this.escapeItemLabel != null ? this.escapeItemLabel.booleanValue() : true;
+   }
+
+   /**
+    * Set true to escape the items label, false otherwise
+    *
+    * @param escapeItemLabel true to escape the items label
+    */
+   public void setEscapeItemLabel(boolean escapeItemLabel)
+   {
+      this.escapeItemLabel = escapeItemLabel;
+   }
+   
+   /**
+    * Get the escape item description flag
+    *
+    * @return true if the items description should be escaped, false otherwise
+    */
+   public boolean getEscapeItemDescription()
+   {
+      ValueBinding vb = getValueBinding("escapeItemDescription");
+      if (vb != null)
+      {
+         this.escapeItemDescription = (Boolean)vb.getValue(getFacesContext());
+      }
+      
+      return this.escapeItemDescription != null ? this.escapeItemDescription.booleanValue() : true;
+   }
+
+   /**
+    * Set true to escape the items description, false otherwise
+    *
+    * @param escapeItemDescription true to escape the items description
+    */
+   public void setEscapeItemDescription(boolean escapeItemDescription)
+   {
+      this.escapeItemDescription = escapeItemDescription;
+   }
    
    /**
     * We use a hidden field name based on the parent form component Id and

source/java/org/alfresco/web/ui/common/tag/SelectListTag.java

@@ -60,6 +60,8 @@ public class SelectListTag extends HtmlComponentTag
       setStringProperty(component, "itemStyleClass", this.itemStyleClass);
       setStringProperty(component, "value", this.value);
       setStringProperty(component, "onchange", this.onchange);
+      setBooleanProperty(component, "escapeItemLabel", this.escapeItemLabel);
+      setBooleanProperty(component, "escapeItemDescription", this.escapeItemDescription);
    }
    
    /**
@@ -75,6 +77,8 @@ public class SelectListTag extends HtmlComponentTag
       this.itemStyleClass = null;
       this.value = null;
       this.onchange = null;
+      this.escapeItemLabel = null;
+      this.escapeItemDescription = null;
    }
 
    /**
@@ -147,6 +151,26 @@ public class SelectListTag extends HtmlComponentTag
       this.onchange = onchange;
    }
    
+   /**
+    * Set the escapeItemLabel flag
+    *
+    * @param escapeItemLabel true to escape the items labels
+    */
+   public void setEscapeItemLabel(String escapeItemLabel)
+   {
+      this.escapeItemLabel = escapeItemLabel;
+   }
+   
+   /**
+    * Set the escapeItemDescription flag
+    *
+    * @param escapeItemDescription true to escape the items descriptions
+    */
+   public void setEscapeItemDescription(String escapeItemDescription)
+   {
+      this.escapeItemDescription = escapeItemDescription;
+   }
+
    /** the selected value */
    private String value;
 
@@ -167,4 +191,10 @@ public class SelectListTag extends HtmlComponentTag
 
    /** the event handler for a change in selection */
    private String onchange;
+   
+   /** the escape mode for item's labels */
+   private String escapeItemLabel;
+   
+   /** the escape mode for item's descriptions */
+   private String escapeItemDescription;
 }

source/web/WEB-INF/alfresco.tld

@@ -2012,6 +2012,18 @@
          <required>false</required>
          <rtexprvalue>true</rtexprvalue>
       </attribute>
+      
+      <attribute>
+         <name>escapeItemLabel</name>
+         <required>false</required>
+         <rtexprvalue>true</rtexprvalue>
+      </attribute>
+      
+      <attribute>
+         <name>escapeItemDescription</name>
+         <required>false</required>
+         <rtexprvalue>true</rtexprvalue>
+      </attribute>
    </tag>
 
    <!-- graphic_image -->

source/web/jsp/wcm/create-form-wizard/form-summary.jsp

@@ -41,8 +41,9 @@
                  multiSelect="false"
                  activeSelect="true" 
                  style="width:100%"
-                 itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;">
+                 itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;"
-      <a:listItem label="<b>${WizardManager.bean.formTitle}</b>" value="${WizardManager.bean.formName}" 
+                 escapeItemLabel="false" escapeItemDescription="false">
+      <a:listItem label="${WizardManager.bean.formLabelAttribute}" value="${WizardManager.bean.formName}" 
                   image="/images/icons/webform_large.gif"
                   description="${WizardManager.bean.formDescriptionAttribute}" />
    </a:selectList>

source/web/jsp/wcm/create-form-wizard/web-form-summary.jsp

@@ -42,8 +42,9 @@
                 multiSelect="false"
                 activeSelect="true" 
                 style="width:100%"
-                itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;">
+                itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;"
-    <a:listItem label="<b>${WizardManager.bean.formTitle}</b>" value="${WizardManager.bean.formName}" 
+                escapeItemLabel="false" escapeItemDescription="false">
+    <a:listItem label="${WizardManager.bean.formLabelAttribute}" value="${WizardManager.bean.formName}" 
                 image="/images/icons/webform_large.gif"
                 description="${WizardManager.bean.formDescriptionAttribute}" />
   </a:selectList>
@@ -62,9 +63,10 @@
                 multiSelect="false"
                 itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;"
                 activeSelect="true" 
-                style="width:100%">
+                style="width:100%"
+                escapeItemLabel="false" escapeItemDescription="false">
     <c:forEach items="${WizardManager.bean.renderingEngineTemplates}" var="ret">
-      <a:listItem label="<b>${ret.title}</b>"
+      <a:listItem label="${ret.renderingEngineLabelAttribute}"
                   value="${ret.name}"
                   image="/images/icons/template_large.gif"
                   description="${ret.renderingEngineDescriptionAttribute}" />
@@ -85,8 +87,9 @@
                 multiSelect="false"
                 activeSelect="true" 
                 itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;"
-                style="width:100%">
+                style="width:100%"
-    <a:listItem label="<b>${WizardManager.bean.defaultWorkflowDefinition.title}</b>"
+                escapeItemLabel="false" escapeItemDescription="false">
+    <a:listItem label="${WizardManager.bean.workflowLabelAttribute}"
                 value="${WizardManager.bean.defaultWorkflowDefinition.name}"
                 image="/images/icons/workflow_large.gif"
                 description="${WizardManager.bean.workflowDescriptionAttribute}" />

source/web/jsp/wcm/create-web-content-wizard/summary.jsp

@@ -41,10 +41,11 @@
                   multiSelect="false"
                   activeSelect="true" 
                   style="width:100%" 
-		            itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;">
+                  itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;"
+                  escapeItemLabel="false" escapeItemDescription="false">
       <a:listItem value="${WizardManager.bean.formInstanceData.name}"
                   image="/images/filetypes32/xml.gif"
-                  label="<b>${WizardManager.bean.formInstanceData.name}</b>"
+                  label="${WizardManager.bean.formLabelAttribute}"
                   description="${WizardManager.bean.formDescriptionAttribute}" />
     </a:selectList>
   </h:panelGrid>
@@ -61,10 +62,11 @@
                   multiSelect="false"
                   activeSelect="true" 
                   style="width:100%" 
-		  itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;">
+                  itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;"
+                  escapeItemLabel="false" escapeItemDescription="false">
       <c:forEach items="${WizardManager.bean.renditions}" var="rendition" varStatus="status">
         <a:listItem id="listItem${status.index}" value="${rendition.name}" image="${rendition.fileTypeImage}"
-        			label="<b>${rendition.name}</b>"
+        			label="${rendition.labelAttribute}"
         			description="${rendition.descriptionAttribute}" /> 
       </c:forEach>
     </a:selectList>

source/web/jsp/wcm/create-website-wizard/summary.jsp

@@ -41,10 +41,11 @@
 
    <h:panelGrid columns="1" cellpadding="3" cellspacing="3" border="0" width="100%">
       <a:selectList id="webproject-list" multiSelect="false" activeSelect="true" style="width:100%;" 
-                    itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;">
+                    itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;"
+                    escapeItemLabel="false" escapeItemDescription="false">
          <a:listItem value="${WizardManager.bean.name}"
                      image="/images/icons/website_large.gif"
-                     label="<b>${WizardManager.bean.name}</b>"
+                     label="${WizardManager.bean.websiteLabelAttribute}"
                      description="${WizardManager.bean.websiteDescriptionAttribute}" /> 
       </a:selectList>
    </h:panelGrid>
@@ -57,11 +58,12 @@
    <h:panelGrid columns="2" cellpadding="3" cellspacing="3" border="0" width="100%">
       <h:outputText rendered="#{empty WizardManager.bean.forms}" value="#{msg.no_selected_items}"/>
       <a:selectList id="form-list" multiSelect="false" activeSelect="true" style="width:100%;" 
-                    itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;">
+                    itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;"
+                    escapeItemLabel="false" escapeItemDescription="false">
          <c:forEach items="${WizardManager.bean.forms}" var="form">
             <a:listItem value="${form.name}"
                         image="/images/icons/webform_large.gif"
-                        label="<b>${form.name}</b>"
+                        label="${form.formLabelAttribute}"
                         description="${form.formDescriptionAttribute}" />
          </c:forEach>
       </a:selectList>
@@ -75,11 +77,12 @@
    <h:panelGrid columns="1" cellpadding="3" cellspacing="3" border="0" width="100%">
       <h:outputText rendered="#{empty WizardManager.bean.workflows}" value="#{msg.no_selected_items}"/>
       <a:selectList id="workflow-list" multiSelect="false" activeSelect="true" style="width:100%;" 
-                    itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;">
+                    itemStyle="vertical-align: top; margin-right: 5px; padding-right: 5px;"
+                    escapeItemLabel="false" escapeItemDescription="false">
          <c:forEach items="${WizardManager.bean.workflows}" var="workflow">
             <a:listItem value="${workflow.name}"
                         image="/images/icons/workflow_large.gif"
-                        label="<b>${workflow.title}</b>"
+                        label="${workflow.workflowLabelAttribute}"
                         description="${workflow.workflowDescriptionAttribute}" />
          </c:forEach>
       </a:selectList>
@@ -95,11 +98,12 @@
                   multiSelect="false"
                   activeSelect="true" 
                   style="width:100%;"
-                  itemStyle="vertical-align: top; margin-right: 5px;">
+                  itemStyle="vertical-align: top; margin-right: 5px;"
+                  escapeItemLabel="false" escapeItemDescription="false">
 		<c:forEach items="${WizardManager.bean.invitedUsers}" var="user">
 	        <a:listItem value="${user.name}"
                     	image="/images/icons/user_large.gif"
-                     label="<b>${user.name}</b>"
+          				label="${user.userLabelAttribute}"
           				description="${user.userDescriptionAttribute}" />
       </c:forEach>
     </a:selectList>