Merge remote-tracking branch 'origin/release/2.8.0' into fix/#2985_Pr…

…event_XSS_for_REST_API_by_escape_String_content2

# Conflicts:
#	src/com/serotonin/mango/vo/report/SeriesIdentifier.java

WebContent/WEB-INF/ftl/report/reportChart.ftl

@@ -87,7 +87,7 @@
       <td>
         <table>
           <tr>
-            <td colspan="2"><h1>${instance.name}</h1></td>
+            <td colspan="2"><h1>${security.escapeHtml(instance.name)}</h1></td>
           </tr>
           <tr>
             <td class="label"><@fmt key="reports.runTimeStart"/></td>
@@ -121,7 +121,7 @@
 
       <td class="stats">
         <table>
-          <tr><td colspan="2" class="pointName">${point.name}</td></tr>
+          <tr><td colspan="2" class="pointName">${security.escapeHtml(point.name)}</td></tr>
           <tr>
             <td class="label"><@fmt key="reports.dataType"/></td>
             <td>${point.dataTypeDescription}</td>

WebContent/WEB-INF/jsp/reports.jsp

@@ -142,7 +142,7 @@
             hide("noReportInstances");
             dwr.util.addRows("reportInstancesList", instanceArray,
                 [
-                    function(ri) { return "<span>" + ri.name + "</span>"; },
+                    function(ri) { return "<span>" + escapeHtml(ri.name) + "</span>"; },
                     function(ri) { return ri.prettyRunStartTime; },
                     function(ri) { return ri.prettyRunDuration; },
                     function(ri) { return ri.prettyReportStartTime; },
@@ -336,7 +336,8 @@
     }
     
     function updateReport(id, name) {
-        $("r"+ id +"Name").innerHTML = name;
+        let escapedName = escapeHtml(name);
+        $("r"+ id +"Name").innerHTML = escapedName;
     }
     
     function clearMessages() {

scadalts-ui/src/views/Alarms/EventList.vue

@@ -327,7 +327,7 @@
 						{{ $t(`eventList.sourceType${item.typeId}`) }}
 					</template>
 					<template v-slot:item.message="{ item }">
-						<a :title="(item.message) | clearHtml"><span v-html="item.message"></span></a>
+						<a><span v-html="item.message"></span></a>
 					</template>
 
 					<template v-slot:item.status="{ item }">
@@ -619,9 +619,6 @@ export default {
 				return input.substring(0, 45) + '...';
 			}
 			return input;
-		},
-		clearHtml(str) {
-			return str.replace(/<[^>]*>?/gm, '').replaceAll('&nbsp;', ' ').replaceAll('&#39;', ' ').replaceAll('&quot;', ' ')
 		}
 	},
 	

src/com/serotonin/mango/Common.java

@@ -20,6 +20,7 @@
 
 import java.io.File;
 import java.nio.charset.Charset;
+import java.nio.file.Files;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.text.ParseException;
@@ -355,7 +356,7 @@ public static String getFiledataPath() {
 				name = ctx.getServletContext().getRealPath(name.substring(1));
 
 			File file = new File(name);
-			if (!file.exists())
+			if (Files.notExists(file.toPath()))
 				file.mkdirs();
 
 			lazyFiledataPath = name;

src/com/serotonin/mango/vo/report/ReportChartCreator.java

@@ -35,6 +35,7 @@
 import freemarker.template.Template;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.directwebremoting.Security;
 import org.jfree.data.time.TimeSeries;
 import org.scada_lts.mango.service.SystemSettingsService;
 import org.scada_lts.utils.ColorUtils;
@@ -123,6 +124,7 @@ public void createContent(ReportInstance reportInstance, ReportDao reportDao, St
         model.put("instance", reportInstance);
         model.put("points", pointStatistics);
         model.put("inline", inlinePrefix == null ? "" : "cid:");
+        model.put("security", new Security());
 
         model.put("ALPHANUMERIC", DataTypes.ALPHANUMERIC);
         model.put("BINARY", DataTypes.BINARY);