Merge branch 'p720'

Application.cfc

@@ -457,13 +457,6 @@
 			<cfset healthcheckReady()>
 		</cfif>
 
-		<!--- block requests to /farcry paths with the exception of webtop --->
-		<cfif left(cgi.script_name, 7) eq "/farcry" AND NOT left(cgi.script_name, len(application.url.webtop)) eq application.url.webtop>
-			<cfset oError = createobject("component","farcry.core.packages.lib.error") />
-			<cfset oError.showErrorPage("404 Page missing",oError.create404Error("Bad request")) />
-			<cfabort />
-		</cfif>
-
 		<!--- If a session switch was requested, do that now --->
 		<cfif structKeyExists(url, "switchsession")>
 			<cfset application.fc.lib.session.switchSession(url.switchsession) />
@@ -489,6 +482,13 @@
 
 		<!--- Initialize the request as a farcry application --->
 		<cfset farcryRequestInit() />
+
+		<!--- block requests to /farcry paths with the exception of webtop --->
+		<cfif left(cgi.script_name, 8) eq "/farcry/" AND NOT left(cgi.script_name, len(application.url.webtop)) eq application.url.webtop>
+			<cfset oError = createobject("component","farcry.core.packages.lib.error") />
+			<cfset oError.showErrorPage("404 Page missing",oError.create404Error("Bad request")) />
+			<cfabort />
+		</cfif>
 
 
 		<!---

packages/cdn/ftp.cfc

@@ -91,6 +91,10 @@
 		<cfelse>
 			<cfset application.fapi.throw(message="no '{1}' value defined",type="cdnconfigerror",detail=serializeJSON(arguments.config),substituteValues=[ 'urlPathPrefix' ]) />
 		</cfif>
+
+		<cfif not structkeyexists(st,"bDebug")>
+			<cfset st["bDebug"] = false />
+		</cfif>
 
 		<cfreturn st />
 	</cffunction>

packages/cdn/local.cfc

@@ -27,6 +27,10 @@
 			<cfset st.urlpath = rereplacenocase(st.urlpath,"^https?:","") />
 		</cfif>
 
+		<cfif not structkeyexists(st,"bDebug")>
+			<cfset st["bDebug"] = false />
+		</cfif>
+
 		<cfreturn st />
 	</cffunction>
 

packages/forms/farPagination.cfc

@@ -160,7 +160,7 @@
 			</cfif>
 
 		<cfelse>
-			<skin:buildLink id="#arguments.id#" href="#stLink.href#" onclick="#stLink.onclick#;" class="#stLink.class# #arguments.class#" style="#arguments.style#" title="#arguments.title#" linktext="#arguments.linktext#" />
+			<skin:buildLink id="#arguments.id#" href="#stLink.href#" onclick="#stLink.onclick#;" class="#stLink.class# #arguments.class#" style="#arguments.style#" title="#arguments.title#"><cfoutput>#arguments.linktext#</cfoutput></skin:buildLink>
 		</cfif>	
 
 	</cfif>

packages/lib/cdn.cfc

@@ -657,7 +657,8 @@
 				<cfset application.fapi.throw(message="New file must have the same extension. Current extension is {1} and new extension is {2}.",type="uploaderror",substituteValues=[ listlast(arguments.destination,"."), listlast(cffile.serverFile,".") ]) />
 			</cfif>
 		<cfelse>
-			<cfset filename = normalizePath(arguments.destination & "/" & sanitizeFilename(cffile.ServerFile)) />
+			<!--- original filename in temp folder must stay as is. filename will be sanitised when it is moved to a CDN location --->
+			<cfset filename = normalizePath(arguments.destination) & "/" & cffile.ServerFile />
 		</cfif>
 
 		<!--- move the file if the destination location is different to the current temp location, or if the destination filename is different to the current temp filename --->

packages/lib/diff.cfc

@@ -93,17 +93,17 @@
 		<cfloop from="1" to="#arraylen(arguments.aDiff)#" index="i">
 			<cfif arguments.aDiff[i].diff neq leftStatus>
 				<cfif arguments.aDiff[i].diff eq "-"><!--- Moving into deleted text --->
-					<cfset stResult.leftHighlighted = stResult.leftHighlighted & "<span style='color:##CC2504;font-weight:bold;'>" />
+					<cfset stResult.leftHighlighted = stResult.leftHighlighted & "___DIFF_HIGHLIGHT_REMOVE___" />
 				<cfelseif leftStatus eq "-"><!--- Moving out of deleted text --->
-					<cfset stResult.leftHighlighted = stResult.leftHighlighted & "</span>" />
+					<cfset stResult.leftHighlighted = stResult.leftHighlighted & "___DIFF_HIGHLIGHT_END___" />
 				</cfif>
 				<cfset leftStatus = arguments.aDiff[i].diff />
 			</cfif>
 			<cfif arguments.aDiff[i].diff neq rightStatus>
 				<cfif arguments.aDiff[i].diff eq "+"><!--- Moving into added text --->
-					<cfset stResult.rightHighlighted = stResult.rightHighlighted & "<span style='color:##00BF0D;font-weight:bold;'>" />
+					<cfset stResult.rightHighlighted = stResult.rightHighlighted & "___DIFF_HIGHLIGHT_ADD___" />
 				<cfelseif rightStatus eq "+"><!--- Moving out of added text --->
-					<cfset stResult.rightHighlighted = stResult.rightHighlighted & "</span>" />
+					<cfset stResult.rightHighlighted = stResult.rightHighlighted & "___DIFF_HIGHLIGHT_END___" />
 				</cfif>
 				<cfset rightStatus = arguments.aDiff[i].diff />
 			</cfif>
@@ -116,11 +116,14 @@
 		</cfloop>
 
 		<cfif leftStatus eq "-"><!--- Moving out of deleted text --->
-			<cfset stResult.leftHighlighted = stResult.leftHighlighted & "</span>" />
+			<cfset stResult.leftHighlighted = stResult.leftHighlighted & "___DIFF_HIGHLIGHT_END___" />
 		</cfif>
 		<cfif rightStatus eq "+"><!--- Moving out of added text --->
-			<cfset stResult.rightHighlighted = stResult.rightHighlighted & "</span>" />
+			<cfset stResult.rightHighlighted = stResult.rightHighlighted & "___DIFF_HIGHLIGHT_END___" />
 		</cfif>
+
+		<cfset stResult.leftHighlighted = replaceList(application.fc.lib.esapi.encodeForHTML(stResult.leftHighlighted), "___DIFF_HIGHLIGHT_REMOVE___,___DIFF_HIGHLIGHT_END___", "<span style='color:##CC2504;font-weight:bold;'>,</span>")>
+		<cfset stResult.rightHighlighted = replaceList(application.fc.lib.esapi.encodeForHTML(stResult.rightHighlighted), "___DIFF_HIGHLIGHT_ADD___,___DIFF_HIGHLIGHT_END___", "<span style='color:##00BF0D;font-weight:bold;'>,</span>")>
 
 		<cfreturn stResult />
 	</cffunction>

packages/lib/objectBroker.cfc

@@ -859,7 +859,7 @@
 		<cfset var objectid = listgetat(arguments.key,3,"_") />
 		<cfset var oldobject = "" />
 		<cfset var i = "" />
-		<cfset var stCacheEntry = { value=arguments.data, key=arguments.key } />
+		<cfset var stCacheEntry = { value=duplicate(arguments.data), key=arguments.key } />
 
 		<cfset arguments.key = listDeleteAt(listDeleteAt(arguments.key,1,"_"),1,"_") />
 

packages/security/security.cfc

@@ -401,8 +401,6 @@
 		<cfset var i = 0 />
 		<cfset var oProfile = createObject("component", application.stcoapi["dmProfile"].packagePath) />
 		<cfset var stDefaultProfile = structnew() />
-
-		<cfset sessionRotate()>
 
 		<!--- Get user groups and convert them to Farcry roles --->
 		<cfset aUserGroups = this.userdirectories[arguments.ud].getUserGroups(arguments.userid) />
@@ -469,7 +467,9 @@
 			<!--- DEPRECATED --->
 			<cfset session.firstLogin = false />
 		</cfif>
-
+
+		<cfset sessionRotate()>
+
 		<!--- Log the result --->
 		<cfif structKeyExists(session, "impersonator")>
 			<farcry:logevent type="security" event="impersonatedby" userid="#session.security.userid#" notes="#session.impersonator#" />

packages/types/dmCron.cfc

@@ -181,7 +181,7 @@ type properties
 	<cfset stAttributes.action = "list">
 	<cfif isDefined("application.sysinfo.engine.engine") and application.sysinfo.engine.engine eq "coldfusion">
 		<cfset stAttributes.result = "qJobs">
-	<cfelseif isDefined("application.sysinfo.engine.engine") and application.sysinfo.engine.engine eq "lucee">
+	<cfelseif isDefined("application.sysinfo.engine.engine") and application.sysinfo.engine.engine eq "lucee" and application.sysinfo.engine.productversion gte 5>
 		<cfset stAttributes.result = "qJobs">
 	<cfelse>
 		<cfset stAttributes.returnvariable = "qJobs">

packages/types/types.cfc

@@ -980,7 +980,7 @@ default handlers
 						<cfelse>
 							<i class="fa fa-file-o"></i>
 						</cfif>
-						#stobj.label#
+						#application.fc.lib.esapi.encodeForHTML(stobj.label)#
 					</h1>
 				</cfoutput>
 
@@ -1070,7 +1070,7 @@ default handlers
 						<cfelse>
 							<i class="fa fa-file-o"></i>
 						</cfif>
-						#stobj.label#
+						#application.fc.lib.esapi.encodeForHTML(stobj.label)#
 					</h1>
 				</cfoutput>
 

patch.version

@@ -1 +1 @@
-10
+11

tags/webskin/buildLink.cfm

@@ -52,7 +52,7 @@
 	<cfset href = application.fapi.getLink(argumentCollection="#attributes#") />
 
 	<cfif attributes.bModal>
-		<cfset attributes.onClick = listAppend( attributes.onClick , "$fc.openBootstrapModal({title: '#attributes.title#', url: '#href#'});return false;" , ";" )>
+		<cfset attributes.onClick = listAppend( attributes.onClick , "$fc.openBootstrapModal({title: '#application.fc.lib.esapi.encodeForJavaScript(application.fc.lib.esapi.encodeForHTML(attributes.title))#', url: '#href#'});return false;" , ";" )>
 		<cfset href = "##" />
 	</cfif>
 
@@ -80,7 +80,7 @@
 			<cfset tagoutput=tagoutput & ' style="#attributes.style#"'>
 		</cfif>
 		<cfif len(attributes.title)>
-			<cfset tagoutput=tagoutput & ' title="#attributes.title#"'>
+			<cfset tagoutput=tagoutput & ' title="#application.fc.lib.esapi.encodeForHTMLAttribute(attributes.title)#"'>
 		</cfif>
 		<cfif len(attributes.xCode)>
 			<cfset tagoutput=tagoutput & ' #attributes.xCode#'>
@@ -89,7 +89,7 @@
 			<cfset tagoutput=tagoutput & ' target="#attributes.target#"'>
 		</cfif>
 		<cfif len(attributes.onclick)>
-			<cfset tagoutput=tagoutput & ' onclick="#attributes.onclick#"'>
+			<cfset tagoutput=tagoutput & ' onclick="#application.fc.lib.esapi.encodeForHTMLAttribute(attributes.onclick)#"'>
 		</cfif>
 		<cfset tagoutput=tagoutput & '>'>
 	</cfif>
@@ -104,7 +104,7 @@
 
 			<!--- USE THE LINKTEXT AS GENERATED CONTENT IF AVAILABLE --->
 			<cfif len(attributes.linktext)>
-				<cfset thistag.GeneratedContent = attributes.linktext />
+				<cfset thistag.GeneratedContent = application.fc.lib.esapi.encodeForHTML(attributes.linktext) />
 			</cfif>
 
 			<!--- TRANSLATE THE TEXT --->

tags/wizard/wizard.cfm

@@ -242,11 +242,11 @@
 					<i class="fa #attributes.icon#"></i>
 				</cfif>
 				<cfif len(attributes.title)>
-					#attributes.title#
+					#application.fc.lib.esapi.encodeForHTML(attributes.title)#
 				<cfelse>
 
 					<cfif structKeyExists(stWizard.data, stWizard.primaryObjectID) and structKeyExists(stWizard.data[stWizard.primaryObjectID], "label")>
-						#stWizard.data['#stWizard.primaryObjectID#'].label#
+						#application.fc.lib.esapi.encodeForHTML(stWizard.data['#stWizard.primaryObjectID#'].label)#
 					<cfelse>
 						#ListGetAt(stwizard.Steps,stwizard.CurrentStep)#
 					</cfif>

webskin/dmInclude/webtopOverviewSummary.cfm

@@ -52,9 +52,9 @@ START WEBSKIN
 					<skin:buildLink href="#application.url.webtop#/edittabOverview.cfm" urlParameters="typename=dmNavigation&objectID=#qAncestors.objectid#" linktext="#qAncestors.objectName#" />
 					<cfoutput>&nbsp;&raquo;&nbsp;</cfoutput>
 				</cfloop>
-				<cfoutput>#stobj.label#</cfoutput>
+				<cfoutput>#application.fc.lib.esapi.encodeForHTML(stobj.label)#</cfoutput>
 			<cfelse>
-				<cfoutput>#stobj.label#</cfoutput>
+				<cfoutput>#application.fc.lib.esapi.encodeForHTML(stobj.label)#</cfoutput>
 			</cfif>
 		</cfif>
 

webskin/dmNavigation/edit.cfm

@@ -85,7 +85,7 @@
 		<cfelse>
 			<i class="fa fa-file-o"></i>
 		</cfif> 
-		#stobj.label#
+		#application.fc.lib.esapi.encodeForHTML(stobj.label)#
 	</h1>
 </cfoutput>
 

webskin/dmNavigation/webtopOverviewSummary.cfm

@@ -58,9 +58,9 @@
 					<skin:buildLink href="#application.url.webtop#/edittabOverview.cfm" urlParameters="typename=dmNavigation&objectID=#qAncestors.objectid#" linktext="#qAncestors.objectName#" />
 					<cfoutput>&nbsp;&raquo;&nbsp;</cfoutput>
 				</cfloop>
-				<cfoutput>#stobj.label#</cfoutput>
+				<cfoutput>#application.fc.lib.esapi.encodeForHTML(stobj.label)#</cfoutput>
 			<cfelse>
-				<cfoutput>#stobj.label#</cfoutput>
+				<cfoutput>#application.fc.lib.esapi.encodeForHTML(stobj.label)#</cfoutput>
 			</cfif>
 		</cfif>
 
@@ -90,7 +90,8 @@
 								<cfelse>
 									<i class="fa fa-file-o fa-fw"></i>
 								</cfif>
-								<skin:view typename="#contentTypename#" objectid="#stobj.externalLink#" webskin="displayLabel" />
+								<skin:view typename="#contentTypename#" objectid="#stobj.externalLink#" webskin="displayLabel" r_html="labelHTML" />
+								#application.fc.lib.esapi.encodeForHTML(trim(labelHTML))#
 							</cfif>
 						</td>	
 					</tr>	
@@ -123,7 +124,8 @@
 								<cfelse>
 									<i class="fa fa-file-o fa-fw"></i>
 								</cfif>
-								<skin:view typename="#contentTypename#" objectid="#stobj.aObjectIDs[i]#" webskin="displayLabel" />
+								<skin:view typename="#contentTypename#" objectid="#stobj.aObjectIDs[i]#" webskin="displayLabel" r_html="labelHTML" />
+								#application.fc.lib.esapi.encodeForHTML(trim(labelHTML))#
 							</td>	
 						</tr>
 
@@ -180,7 +182,8 @@
 								<cfelse>
 									<i class="fa fa-file-o fa-fw"></i>
 								</cfif>
-								<skin:view typename="#contentTypename#" objectid="#stobj.internalRedirectID#" webskin="displayLabel" />
+								<skin:view typename="#contentTypename#" objectid="#stobj.internalRedirectID#" webskin="displayLabel" r_html="labelHTML" />
+								#application.fc.lib.esapi.encodeForHTML(trim(labelHTML))#
 							</cfif>
 						</td>	
 					</tr>	
@@ -191,15 +194,15 @@
 	<cfelseif stObj.navType eq "externalRedirectURL">
 
 		<ft:field label="External Redirect" bMultiField="true" hint="This navigation item redirects to a page on another website.">
-			<cfoutput><a href="#stObj.externalRedirectURL#" target="_blank">#stObj.externalRedirectURL#</a></cfoutput>
+			<cfoutput><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(stObj.externalRedirectURL)#" target="_blank">#application.fc.lib.esapi.encodeForHTML(stObj.externalRedirectURL)#</a></cfoutput>
 		</ft:field>
 
 	</cfif>
 
 
 	<ft:field label="Alias" hint="The alias is used by the programmers to refer to this navigation item in their code.">
 		<cfif len(stobj.lNavIDAlias)>
-			<cfoutput>#stobj.lNavIDAlias#</cfoutput>
+			<cfoutput>#application.fc.lib.esapi.encodeForHTML(stobj.lNavIDAlias)#</cfoutput>
 		<cfelse>
 			<cfoutput>-- No Alias Provided --</cfoutput>
 		</cfif>

webskin/dmNavigation/webtopTreeChildRows.cfm

@@ -256,7 +256,7 @@
 		<cfset stFolderRow["nodetype"] = "folder">
 		<cfset stFolderRow["protectednode"] = bProtectedNode>
 		<cfset stFolderRow["parentid"] = qTree.parentid>
-		<cfset stFolderRow["label"] = stNav.label>
+		<cfset stFolderRow["label"] = application.fc.lib.esapi.encodeForHTML(stNav.label)>
 		<cfset stFolderRow["datetimelastupdated"] = "#dateFormat(stNav.datetimelastupdated, "yyyy-mm-dd")# #timeFormat(stNav.datetimelastupdated, "HH:mm:ss")#">
 		<cfset stFolderRow["prettydatetimelastupdated"] = application.fapi.prettyDate(stNav.datetimelastupdated)>
 		<cfset stFolderRow["expandable"] = expandable>
@@ -374,7 +374,7 @@
 			<cfset stLeafRow["nodetype"] = "leaf">
 			<cfset stLeafRow["parentid"] = stNav.objectid>
 			<cfset stLeafRow["versionobjectid"] = stLeafNode.versionObjectid>
-			<cfset stLeafRow["label"] = stLeafNode.label>
+			<cfset stLeafRow["label"] = application.fc.lib.esapi.encodeForHTML(stLeafNode.label)>
 			<cfset stLeafRow["datetimelastupdated"] = "#dateFormat(lastupdated, "yyyy-mm-dd")# #timeFormat(lastupdated, "HH:mm:ss")#">
 			<cfset stLeafRow["prettydatetimelastupdated"] = application.fapi.prettyDate(stLeafNode.datetimelastupdated)>
 			<cfset stLeafRow["expandable"] = 0>

webskin/dmProfile/webtopDashboardRecentActivity.cfm

@@ -38,7 +38,7 @@
 				<cfset eventTypename=application.fapi.findType(qActivity.object) />
 				<cfif len(eventTypename) AND eventTypename neq "container">
 					<cfset stObj = application.fapi.getContentObject(qActivity.object) />
-					<cfif stObj.label NEQ "(incomplete)">
+					<cfif structKeyExists(stObj, "label") AND stObj.label NEQ "(incomplete)">
 					<cfset stProfile = oProfile.getProfile(qActivity.userid)>
 					<tr>
 						<td nowrap="true"><i class="fa #application.fapi.getContentTypeMetadata(typename="#stObj.Typename#", md="icon", default="fa-file-text")# fa-lg" title="#application.fapi.getContentTypeMetadata(typename="#stObj.Typename#", md="displayname", default="Unknown")#"></i> #stObj.Typename#</td>

webskin/farConfig/webtopBody.cfm

@@ -70,7 +70,7 @@ VIEW
 	title="Manage Configuration" 
 	columnList="configkey,datetimelastupdated" 
 	sqlorderby="label asc" 
-	sortableColumns=""
+	sortableColumns="label"
 	aCustomColumns="#aCustomColumns#" 
 	bSelectCol="true" 
 	bShowActionList="false"

webskin/farRole/webtopOverviewSummary.cfm

@@ -38,14 +38,14 @@ START WEBSKIN
 <ft:fieldset legend="#application.fapi.getContentTypeMetadata(stobj.typename,'displayname',stobj.typename)# Information">
 
 	<ft:field label="Title">
-		<cfoutput>#stobj.title#</cfoutput>
+		<cfoutput>#application.fc.lib.esapi.encodeForHTML(stobj.title)#</cfoutput>
 	</ft:field>	
 	<ft:field label="Groups" bMultiField="true">
 		<cfif arrayLen(stobj.aGroups)>
 			<cfoutput>
 			<ul>
 			<cfloop from="1" to="#arrayLen(stobj.aGroups)#" index="i">
-				<li>#stobj.aGroups[i]#</li>
+				<li>#application.fc.lib.esapi.encodeForHTML(stobj.aGroups[i])#</li>
 			</cfloop>
 			</ul>
 			</cfoutput>

webskin/types/trayContainer.cfm

@@ -278,6 +278,9 @@
 			<div class="farcryTrayBodyMenu">
 				<ul>
 					<li><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#application.url.webtop#'))#"><span class="ui-icon ui-icon-calculator"></span><admin:resource key='tray.button.webtop@label'>Webtop</admin:resource></a></li>
+					<cfif application.fapi.getContentTypeMetadata(stObj.typename, "bUseInTree", false)>
+						<li><a id="farcryTray-sitetree" href="#application.url.webtop#/index.cfm?id=site&rootobjectid=#request.navid#" target="_blank"><span class="ui-icon ui-icon-zoomin"></span><admin:resource key='tray.button.sitetree@label'>Site Tree</admin:resource></a></li>
+					</cfif>
 					<li><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='logout=1'))#"><span class="ui-icon ui-icon-power"></span><admin:resource key='tray.button.logout@label'>Logout</admin:resource></a></li>
 					<li class="farcryTrayPageSpeed"><a title="<admin:resource key='tray.information.renderingspeed@hint'>Page rendering speed</admin:resource>"><span class="ui-icon ui-icon-clock" style="background-position:-81px -112px;"></span> <admin:resource key='tray.information.renderingspeed@label' var1="#application.fc.lib.esapi.encodeForHTML(url.totalTickCount)#">{1} ms</admin:resource></a></li>
 				</ul>

webskin/types/webtopOverviewSummary.cfm

@@ -33,7 +33,7 @@
 	</cfif>
 
 	<ft:field label="Label" bMultiField="true">
-		<cfoutput>#stobj.label#</cfoutput>
+		<cfoutput>#application.fc.lib.esapi.encodeForHTML(stobj.label)#</cfoutput>
 	</ft:field>	
 
 
@@ -57,9 +57,9 @@
 								<skin:buildLink href="#application.url.webtop#/edittabOverview.cfm" urlParameters="typename=dmNavigation&objectID=#qAncestors.objectid#" linktext="#qAncestors.objectName#" />
 							<cfoutput>&nbsp;&raquo;&nbsp;</cfoutput>
 						</cfloop>
-						<cfoutput>#stobj.label#</cfoutput>
+						<cfoutput>#application.fc.lib.esapi.encodeForHTML(stobj.label)#</cfoutput>
 					<cfelse>
-						<cfoutput>#stobj.label#</cfoutput>
+						<cfoutput>#application.fc.lib.esapi.encodeForHTML(stobj.label)#</cfoutput>
 					</cfif>
 				</cfif>
 
@@ -90,7 +90,7 @@
 	<!--- show common properties --->
 	<cfif structKeyExists(stobj, "teaser")>
 		<ft:field label="Teaser" bMultiField="true">
-			<cfoutput><cfif len(stobj.teaser)>#stobj.teaser#<cfelse>-- none --</cfif></cfoutput>
+			<cfoutput><cfif len(stobj.teaser)>#application.fc.lib.esapi.encodeForHTML(stobj.teaser)#<cfelse>-- none --</cfif></cfoutput>
 		</ft:field>
 	</cfif>
 	<cfif structKeyExists(stobj, "displayMethod")>