From 1d32f189ccf593fc17440e31ef7b72af82c7471c Mon Sep 17 00:00:00 2001 From: Patrykb0802 Date: Tue, 19 Nov 2024 14:26:43 +0100 Subject: [PATCH 1/9] #3050 XSS in Reports names Added report name escaping --- WebContent/WEB-INF/jsp/reports.jsp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/WebContent/WEB-INF/jsp/reports.jsp b/WebContent/WEB-INF/jsp/reports.jsp index 17608d0d0..bb036e2ca 100644 --- a/WebContent/WEB-INF/jsp/reports.jsp +++ b/WebContent/WEB-INF/jsp/reports.jsp @@ -41,7 +41,7 @@ for (var i=0; i @@ -301,7 +301,8 @@ function saveReport() { startImageFader("saveImg"); - ReportsDwr.saveReport(selectedReport.id, $get("name"), reportPointsContext.convertToSave(), $get("includeEvents"), + let name = escapeHtml($get("name")); + ReportsDwr.saveReport(selectedReport.id, name, reportPointsContext.convertToSave(), $get("includeEvents"), $get("includeUserComments"), $get("dateRangeType"), $get("relativeType"), $get("prevPeriodCount"), $get("prevPeriodType"), $get("pastPeriodCount"), $get("pastPeriodType"), $get("fromNone"), $get("fromYear"), $get("fromMonth"), $get("fromDay"), $get("fromHour"), $get("fromMinute"), @@ -325,7 +326,7 @@ } else showMessage("userMessage", ""); - updateReport(selectedReport.id, $get("name")); + updateReport(selectedReport.id, name); } }); startImageFader("saveImg"); From 527fd1f4529dfd033e5b1f8cb16c3f0f4a703d6e Mon Sep 17 00:00:00 2001 From: Patrykb0802 Date: Tue, 19 Nov 2024 16:43:10 +0100 Subject: [PATCH 2/9] #3050 XSS in Reports names --- WebContent/WEB-INF/jsp/reports.jsp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/WebContent/WEB-INF/jsp/reports.jsp b/WebContent/WEB-INF/jsp/reports.jsp index bb036e2ca..e3b976bb9 100644 --- a/WebContent/WEB-INF/jsp/reports.jsp +++ b/WebContent/WEB-INF/jsp/reports.jsp @@ -41,7 +41,7 @@ for (var i=0; i 
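Review bot: In the `@@ -301` hunk of reports.jsp, `let name = escapeHtml($get("name"));` HTML-encodes the report name before it is passed to `ReportsDwr.saveReport`, so the encoded form is what gets persisted, and because this runs in the browser it is not a control at all — the DWR endpoint still accepts whatever a client posts. Encoding is specific to an output context and belongs where the value is written into the page (the `innerHTML` assignment in `updateReport`), with the raw name kept in storage; PATCH 2/9 in this series moves it there. The changed lines of the `@@ -41` hunk did not survive extraction on this page, so that part of the change cannot be reviewed here.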
@@ -301,8 +301,7 @@ function saveReport() { startImageFader("saveImg"); - let name = escapeHtml($get("name")); - ReportsDwr.saveReport(selectedReport.id, name, reportPointsContext.convertToSave(), $get("includeEvents"), + ReportsDwr.saveReport(selectedReport.id, $get("name"), reportPointsContext.convertToSave(), $get("includeEvents"), $get("includeUserComments"), $get("dateRangeType"), $get("relativeType"), $get("prevPeriodCount"), $get("prevPeriodType"), $get("pastPeriodCount"), $get("pastPeriodType"), $get("fromNone"), $get("fromYear"), $get("fromMonth"), $get("fromDay"), $get("fromHour"), $get("fromMinute"), @@ -326,7 +325,7 @@ } else showMessage("userMessage", ""); - updateReport(selectedReport.id, name); + updateReport(selectedReport.id, $get("name")); } }); startImageFader("saveImg"); @@ -337,7 +336,8 @@ } function updateReport(id, name) { - $("r"+ id +"Name").innerHTML = name; + let escapedName = escapeHtml(name); + $("r"+ id +"Name").innerHTML = escapedName; } function clearMessages() { From ef7dc3cf00ec6a9248fa79a0e3d0978f84994e31 Mon Sep 17 00:00:00 2001 From: Patrykb0802 Date: Fri, 22 Nov 2024 12:44:00 +0100 Subject: [PATCH 3/9] #3050 XSS in Reports names --- WebContent/WEB-INF/jsp/reports.jsp | 2 +- src/org/scada_lts/dao/report/ReportInstanceDAO.java | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/WebContent/WEB-INF/jsp/reports.jsp b/WebContent/WEB-INF/jsp/reports.jsp index e3b976bb9..fd92eb166 100644 --- a/WebContent/WEB-INF/jsp/reports.jsp +++ b/WebContent/WEB-INF/jsp/reports.jsp @@ -142,7 +142,7 @@ hide("noReportInstances"); dwr.util.addRows("reportInstancesList", instanceArray, [ - function(ri) { return "" + ri.name + ""; }, + function(ri) { return "" + escapeHtml(ri.name) + ""; }, function(ri) { return ri.prettyRunStartTime; }, function(ri) { return ri.prettyRunDuration; }, function(ri) { return ri.prettyReportStartTime; }, 
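Review bot: In the `@@ -337` hunk, `updateReport` still writes the name through `innerHTML` and relies on `escapeHtml` being a correct HTML-text encoder; if the cell is meant to hold plain text, `$("r"+ id +"Name").textContent = name;` makes the sink safe by construction and removes the need for the helper. `escapeHtml` is not defined in any visible hunk — if it is a page-local function rather than DWR's `dwr.util.escapeHtml`, its implementation should be reviewed alongside this change. The `@@ -142` row renderer in PATCH 3/9 is a different case: it concatenates `escapeHtml(ri.name)` into a markup string, so escaping is needed there, while the remaining columns (`ri.prettyRunStartTime` and the others) are presumably server-formatted values and stay unescaped — worth confirming they cannot carry user input.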
diff --git a/src/org/scada_lts/dao/report/ReportInstanceDAO.java b/src/org/scada_lts/dao/report/ReportInstanceDAO.java index 2f8a581bd..2ec51ccb4 100644 --- a/src/org/scada_lts/dao/report/ReportInstanceDAO.java +++ b/src/org/scada_lts/dao/report/ReportInstanceDAO.java @@ -44,6 +44,8 @@ import com.serotonin.mango.rt.event.EventInstance; import com.serotonin.mango.vo.report.ReportInstance; +import static org.directwebremoting.Security.escapeHtml; + /** * DAO for ReportInstance * @@ -154,7 +156,7 @@ public ReportInstance mapRow(ResultSet rs, int rowNum) throws SQLException { ReportInstance reportInstance = new ReportInstance(); reportInstance.setId(rs.getInt(COLUMN_NAME_ID)); reportInstance.setUserId(rs.getInt(COLUMN_NAME_USER_ID)); - reportInstance.setName(rs.getString(COLUMN_NAME_NAME)); + reportInstance.setName(escapeHtml(rs.getString(COLUMN_NAME_NAME))); reportInstance.setIncludeEvents(rs.getInt(COLUMN_NAME_INCLUDE_EVENTS)); reportInstance.setIncludeUserComments(DAO.charToBool(rs.getString(COLUMN_NAME_INCLUDE_USER_COMMENTS))); reportInstance.setReportStartTime(rs.getLong(COLUMN_NAME_REPORT_START_TIME)); From 65ceac16fe2847bcb0aacfe6bfeb3b2f68e4db3a Mon Sep 17 00:00:00 2001 From: Patrykb0802 Date: Fri, 22 Nov 2024 19:16:20 +0100 Subject: [PATCH 4/9] #3050 XSS in Reports names --- WebContent/WEB-INF/ftl/report/reportChart.ftl | 2 +- src/com/serotonin/mango/vo/report/ReportChartCreator.java | 2 ++ src/org/scada_lts/dao/report/ReportInstanceDAO.java | 4 +--- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/WebContent/WEB-INF/ftl/report/reportChart.ftl b/WebContent/WEB-INF/ftl/report/reportChart.ftl index b11fa2091..58bd21258 100644 --- a/WebContent/WEB-INF/ftl/report/reportChart.ftl +++ b/WebContent/WEB-INF/ftl/report/reportChart.ftl @@ -87,7 +87,7 @@ - + diff --git a/src/com/serotonin/mango/vo/report/ReportChartCreator.java b/src/com/serotonin/mango/vo/report/ReportChartCreator.java index d56997c41..742059e7c 100644 
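Review bot: In the `@@ -154` hunk of ReportInstanceDAO.java, `reportInstance.setName(escapeHtml(rs.getString(COLUMN_NAME_NAME)))` applies HTML encoding in the persistence layer, so every consumer of `ReportInstance.getName()` receives an HTML-encoded value — including outputs that are not HTML, where entities such as `&amp;` show up literally (the later #3049 fix in this series reports exactly that symptom for point names), and any site that encodes again, which double-encodes. The DAO should hand back the stored name unchanged and each rendering site should encode for its own output context; PATCH 4/9 reverts this hunk accordingly. The enclosing `mapRow` method continues outside the hunk.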
--- a/src/com/serotonin/mango/vo/report/ReportChartCreator.java +++ b/src/com/serotonin/mango/vo/report/ReportChartCreator.java @@ -35,6 +35,7 @@ import freemarker.template.Template; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.directwebremoting.Security; import org.jfree.data.time.TimeSeries; import org.scada_lts.mango.service.SystemSettingsService; import org.scada_lts.utils.ColorUtils; @@ -123,6 +124,7 @@ public void createContent(ReportInstance reportInstance, ReportDao reportDao, St model.put("instance", reportInstance); model.put("points", pointStatistics); model.put("inline", inlinePrefix == null ? "" : "cid:"); + model.put("escapeHtml", new Security()); model.put("ALPHANUMERIC", DataTypes.ALPHANUMERIC); model.put("BINARY", DataTypes.BINARY); diff --git a/src/org/scada_lts/dao/report/ReportInstanceDAO.java b/src/org/scada_lts/dao/report/ReportInstanceDAO.java index 2ec51ccb4..2f8a581bd 100644 --- a/src/org/scada_lts/dao/report/ReportInstanceDAO.java +++ b/src/org/scada_lts/dao/report/ReportInstanceDAO.java @@ -44,8 +44,6 @@ import com.serotonin.mango.rt.event.EventInstance; import com.serotonin.mango.vo.report.ReportInstance; -import static org.directwebremoting.Security.escapeHtml; - /** * DAO for ReportInstance * @@ -156,7 +154,7 @@ public ReportInstance mapRow(ResultSet rs, int rowNum) throws SQLException { ReportInstance reportInstance = new ReportInstance(); reportInstance.setId(rs.getInt(COLUMN_NAME_ID)); reportInstance.setUserId(rs.getInt(COLUMN_NAME_USER_ID)); - reportInstance.setName(escapeHtml(rs.getString(COLUMN_NAME_NAME))); + reportInstance.setName(rs.getString(COLUMN_NAME_NAME)); reportInstance.setIncludeEvents(rs.getInt(COLUMN_NAME_INCLUDE_EVENTS)); reportInstance.setIncludeUserComments(DAO.charToBool(rs.getString(COLUMN_NAME_INCLUDE_USER_COMMENTS))); reportInstance.setReportStartTime(rs.getLong(COLUMN_NAME_REPORT_START_TIME)); 
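Review bot: In the `@@ -123` hunk of ReportChartCreator.java, `model.put("escapeHtml", new Security());` instantiates `org.directwebremoting.Security` only to reach a static method from the template (PATCH 3/9 imports `Security.escapeHtml` statically, so it is static) and makes escaping an opt-in helper that covers only the `${…}` expressions someone remembers to wrap. FreeMarker's `?html` built-in (`${instance.name?html}`) needs no model entry, and on FreeMarker 2.3.24 or later enabling HTML auto-escaping on the `Configuration` would make escaping the default for every interpolation in reportChart.ftl rather than the exception. If the helper is kept (PATCH 5/9 renames the key to `security`), a short comment on this line naming the template expressions that depend on it would help keep the two in sync. The `createContent` method begins and ends outside the hunk.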
From eb20baac0ba4990c3b9dfbc4c7dc1aff33881795 Mon Sep 17 00:00:00 2001 From: Kamil Jarmusik Date: Mon, 25 Nov 2024 07:30:48 +0100 Subject: [PATCH 5/9] #3050 XSS in Reports names: - Fixed Legend report; --- WebContent/WEB-INF/ftl/report/reportChart.ftl | 4 ++-- src/com/serotonin/mango/vo/report/ReportChartCreator.java | 2 +- src/com/serotonin/mango/vo/report/SeriesIdentifier.java | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/WebContent/WEB-INF/ftl/report/reportChart.ftl b/WebContent/WEB-INF/ftl/report/reportChart.ftl index 58bd21258..12f2a182e 100644 --- a/WebContent/WEB-INF/ftl/report/reportChart.ftl +++ b/WebContent/WEB-INF/ftl/report/reportChart.ftl @@ -87,7 +87,7 @@

${instance.name}

${escapeHtml.escapeHtml(instance.name)}

<@fmt key="reports.runTimeStart"/> - + @@ -121,7 +121,7 @@

${escapeHtml.escapeHtml(instance.name)}

${security.escapeHtml(instance.name)}

<@fmt key="reports.runTimeStart"/> - + diff --git a/src/com/serotonin/mango/vo/report/ReportChartCreator.java b/src/com/serotonin/mango/vo/report/ReportChartCreator.java index 742059e7c..025b8262a 100644 --- a/src/com/serotonin/mango/vo/report/ReportChartCreator.java +++ b/src/com/serotonin/mango/vo/report/ReportChartCreator.java @@ -124,7 +124,7 @@ public void createContent(ReportInstance reportInstance, ReportDao reportDao, St model.put("instance", reportInstance); model.put("points", pointStatistics); model.put("inline", inlinePrefix == null ? "" : "cid:"); - model.put("escapeHtml", new Security()); + model.put("security", new Security()); model.put("ALPHANUMERIC", DataTypes.ALPHANUMERIC); model.put("BINARY", DataTypes.BINARY); diff --git a/src/com/serotonin/mango/vo/report/SeriesIdentifier.java b/src/com/serotonin/mango/vo/report/SeriesIdentifier.java index 6a5dda966..ae28bf260 100644 --- a/src/com/serotonin/mango/vo/report/SeriesIdentifier.java +++ b/src/com/serotonin/mango/vo/report/SeriesIdentifier.java @@ -38,6 +38,6 @@ public int hashCode() { @Override public String toString() { - return XssProtectHtmlEscapeUtils.escape(name); + return name; } } From 47ec4e2c9865b67654d28550d5f7709fc541b07e Mon Sep 17 00:00:00 2001 From: Kamil Jarmusik Date: Mon, 25 Nov 2024 08:38:00 +0100 Subject: [PATCH 6/9] #3050 XSS in Reports names: - revert Legend report; --- WebContent/WEB-INF/ftl/report/reportChart.ftl | 2 +- src/com/serotonin/mango/vo/report/SeriesIdentifier.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/WebContent/WEB-INF/ftl/report/reportChart.ftl b/WebContent/WEB-INF/ftl/report/reportChart.ftl index 12f2a182e..b5b565ff3 100644 --- a/WebContent/WEB-INF/ftl/report/reportChart.ftl +++ b/WebContent/WEB-INF/ftl/report/reportChart.ftl @@ -121,7 +121,7 @@
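Review bot: In the SeriesIdentifier.java hunk, `toString()` now returns `name` unescaped, which removes the hidden HTML-escaping contract that a value object's `toString` was carrying; that is the right place for it to go, but any code that rendered a `SeriesIdentifier` into HTML via `toString()` now depends on the template-side `security.escapeHtml` instead, and only the reportChart.ftl sites changed in this series are visible here. A Javadoc would make the new contract explicit: `/** Returns the raw series name; callers writing it into HTML must escape it themselves. */`. The same change is reverted in PATCH 6/9 and re-applied in PATCH 7/9, so the comment belongs on the final version of the method.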
${point.name}
${security.escapeHtml(point.name)}
<@fmt key="reports.dataType"/> ${point.dataTypeDescription} - + diff --git a/src/com/serotonin/mango/vo/report/SeriesIdentifier.java b/src/com/serotonin/mango/vo/report/SeriesIdentifier.java index ae28bf260..6a5dda966 100644 --- a/src/com/serotonin/mango/vo/report/SeriesIdentifier.java +++ b/src/com/serotonin/mango/vo/report/SeriesIdentifier.java @@ -38,6 +38,6 @@ public int hashCode() { @Override public String toString() { - return name; + return XssProtectHtmlEscapeUtils.escape(name); } } From 155e663a44b581067bf118c1c52c0f79ea810996 Mon Sep 17 00:00:00 2001 From: Kamil Jarmusik Date: Mon, 25 Nov 2024 08:44:08 +0100 Subject: [PATCH 7/9] #3049 Fixed visible point name in legend report for escape characters: - Fixed Legend report; --- WebContent/WEB-INF/ftl/report/reportChart.ftl | 2 +- src/com/serotonin/mango/vo/report/SeriesIdentifier.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/WebContent/WEB-INF/ftl/report/reportChart.ftl b/WebContent/WEB-INF/ftl/report/reportChart.ftl index b5b565ff3..12f2a182e 100644 --- a/WebContent/WEB-INF/ftl/report/reportChart.ftl +++ b/WebContent/WEB-INF/ftl/report/reportChart.ftl @@ -121,7 +121,7 @@
${security.escapeHtml(point.name)}
${point.name}
<@fmt key="reports.dataType"/> ${point.dataTypeDescription} - + diff --git a/src/com/serotonin/mango/vo/report/SeriesIdentifier.java b/src/com/serotonin/mango/vo/report/SeriesIdentifier.java index 6a5dda966..ae28bf260 100644 --- a/src/com/serotonin/mango/vo/report/SeriesIdentifier.java +++ b/src/com/serotonin/mango/vo/report/SeriesIdentifier.java @@ -38,6 +38,6 @@ public int hashCode() { @Override public String toString() { - return XssProtectHtmlEscapeUtils.escape(name); + return name; } } From 43364f39fe4098fbb2ecc6b90f99caa90b5fe439 Mon Sep 17 00:00:00 2001 From: Kamil Jarmusik Date: Mon, 25 Nov 2024 21:17:57 +0100 Subject: [PATCH 8/9] #2985 Prevent XSS for REST API by escape String content: - Fixed EventList.vue; --- scadalts-ui/src/views/Alarms/EventList.vue | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scadalts-ui/src/views/Alarms/EventList.vue b/scadalts-ui/src/views/Alarms/EventList.vue index 40d137b21..0f57f9a46 100644 --- a/scadalts-ui/src/views/Alarms/EventList.vue +++ b/scadalts-ui/src/views/Alarms/EventList.vue @@ -327,7 +327,7 @@ {{ $t(`eventList.sourceType${item.typeId}`) }}
${point.name}
${security.escapeHtml(point.name)}
<@fmt key="reports.dataType"/> ${point.dataTypeDescription}