Merge branch 'release/15.2' into v15/dev

Author: Zeegaan

Directory.Build.props

@@ -14,7 +14,7 @@
     <NeutralLanguage>en-US</NeutralLanguage>
     <Nullable>enable</Nullable>
     <WarningsAsErrors>nullable</WarningsAsErrors>
-    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <TreatWarningsAsErrors>false</TreatWarningsAsErrors>
     <ImplicitUsings>enable</ImplicitUsings>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <WarnOnPackingNonPackableProject>false</WarnOnPackingNonPackableProject>

src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeGraphicsController.cs

@@ -5,6 +5,7 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.StaticFiles;
+using Microsoft.Extensions.FileProviders;
 using Microsoft.Extensions.Options;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
@@ -55,8 +56,8 @@ public BackOfficeGraphicsController(IOptions<ContentSettings> contentSettings, I
 
     private IActionResult HandleFileRequest(string virtualPath)
     {
-        var filePath = Path.Combine(Constants.SystemDirectories.Umbraco, virtualPath).TrimStart(Constants.CharArrays.Tilde);
-        var fileInfo = _webHostEnvironment.WebRootFileProvider.GetFileInfo(filePath);
+        var filePath = $"{Constants.SystemDirectories.Umbraco}/{virtualPath}".TrimStart(Constants.CharArrays.Tilde);
+        IFileInfo fileInfo = _webHostEnvironment.WebRootFileProvider.GetFileInfo(filePath);
 
         if (fileInfo.PhysicalPath is null)
         {

src/Umbraco.Web.Common/Views/UmbracoViewPage.cs

@@ -142,7 +142,10 @@ public void WriteUmbracoContent(TagHelperOutput tagHelperOutput)
                         string.Format(
                             ContentSettings.PreviewBadge,
                             HostingEnvironment.ToAbsolute(Core.Constants.System.DefaultUmbracoPath),
-                            Context.Request.GetEncodedUrl(),
+                            System.Web.HttpUtility.HtmlEncode(Context.Request.GetEncodedUrl()), // Belt and braces - via a browser at least it doesn't seem possible to have anything other than
+                                                                                                // a valid culture code provided in the querystring of this URL.
+                                                                                                // But just to be sure of prevention of an XSS vulnterablity we'll HTML encode here too.
+                                                                                                // An expected URL is untouched by this encoding.
                             UmbracoContext.PublishedRequest?.PublishedContent?.Key);
                 }
                 else

src/Umbraco.Web.UI.Client/src/libs/localization-api/localization.controller.test.ts

@@ -175,6 +175,12 @@ describe('UmbLocalizeController', () => {
 			expect((controller.term as any)('logout', 'Hello', 'World')).to.equal('Log out');
 		});
 
+		it('should encode HTML entities', () => {
+			expect(controller.term('withInlineToken', 'Hello', '<script>alert("XSS")</script>'), 'XSS detected').to.equal(
+				'Hello &lt;script&gt;alert(&#34;XSS&#34;)&lt;/script&gt;',
+			);
+		});
+
 		it('only reacts to changes of its own localization-keys', async () => {
 			const element: UmbLocalizationRenderCountElement = await fixture(
 				html`<umb-localization-render-count></umb-localization-render-count>`,

src/Umbraco.Web.UI.Client/src/libs/localization-api/localization.controller.ts

@@ -20,6 +20,7 @@ import type {
 import { umbLocalizationManager } from './localization.manager.js';
 import type { LitElement } from '@umbraco-cms/backoffice/external/lit';
 import type { UmbController, UmbControllerHost } from '@umbraco-cms/backoffice/controller-api';
+import { escapeHTML } from '@umbraco-cms/backoffice/utils';
 
 const LocalizationControllerAlias = Symbol();
 /**
@@ -119,29 +120,35 @@ export class UmbLocalizationController<LocalizationSetType extends UmbLocalizati
 		}
 
 		const { primary, secondary } = this.getLocalizationData(this.lang());
+
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		let term: any;
 
 		// Look for a matching term using regionCode, code, then the fallback
-		if (primary && primary[key]) {
+		if (primary?.[key]) {
 			term = primary[key];
-		} else if (secondary && secondary[key]) {
+		} else if (secondary?.[key]) {
 			term = secondary[key];
-		} else if (umbLocalizationManager.fallback && umbLocalizationManager.fallback[key]) {
+		} else if (umbLocalizationManager.fallback?.[key]) {
 			term = umbLocalizationManager.fallback[key];
 		} else {
 			return String(key);
 		}
 
+		// As translated texts can contain HTML, we will need to render with unsafeHTML.
+		// But arguments can come from user input, so they should be escaped.
+		const sanitizedArgs = args.map((a) => escapeHTML(a));
+
 		if (typeof term === 'function') {
-			return term(...args) as string;
+			return term(...sanitizedArgs) as string;
 		}
 
 		if (typeof term === 'string') {
-			if (args.length > 0) {
+			if (sanitizedArgs.length) {
 				// Replace placeholders of format "%index%" and "{index}" with provided values
 				term = term.replace(/(%(\d+)%|\{(\d+)\})/g, (match, _p1, p2, p3): string => {
 					const index = p2 || p3;
-					return String(args[index] || match);
+					return typeof sanitizedArgs[index] !== 'undefined' ? String(sanitizedArgs[index]) : match;
 				});
 			}
 		}

src/Umbraco.Web.UI.Client/src/packages/block/block-grid/clipboard/block/copy/block-grid-to-block-copy-translator.ts

@@ -24,6 +24,7 @@ export class UmbBlockGridToBlockClipboardCopyPropertyValueTranslator
 	}
 
 	#constructGridBlockValue(propertyValue: UmbBlockGridValueModel): UmbGridBlockClipboardEntryValueModel {
+		// TODO: investigate if structured can be remove here.
 		const valueClone = structuredClone(propertyValue);
 
 		const gridBlockValue: UmbGridBlockClipboardEntryValueModel = {
@@ -38,17 +39,38 @@ export class UmbBlockGridToBlockClipboardCopyPropertyValueTranslator
 	#constructBlockValue(propertyValue: UmbBlockGridValueModel): UmbBlockClipboardEntryValueModel {
 		const gridBlockValue = this.#constructGridBlockValue(propertyValue);
 
+		const contentData: typeof gridBlockValue.contentData = [];
+		const settingsData: typeof gridBlockValue.settingsData = [];
+
 		const layout: UmbBlockClipboardEntryValueModel['layout'] = gridBlockValue.layout?.map((gridLayout) => {
+			const contentDataEntry = gridBlockValue.contentData.find(
+				(contentData) => contentData.key === gridLayout.contentKey,
+			);
+			if (!contentDataEntry) {
+				throw new Error('No content data found for layout entry');
+			}
+			contentData.push(contentDataEntry);
+
+			if (gridLayout.settingsKey) {
+				const settingsDataEntry = gridBlockValue.settingsData.find(
+					(settingsData) => settingsData.key === gridLayout.settingsKey,
+				);
+				if (!settingsDataEntry) {
+					throw new Error('No settings data found for layout entry');
+				}
+				settingsData.push(settingsDataEntry);
+			}
+
 			return {
 				contentKey: gridLayout.contentKey,
 				settingsKey: gridLayout.settingsKey,
 			};
 		});
 
 		return {
-			contentData: gridBlockValue.contentData,
 			layout: layout,
-			settingsData: gridBlockValue.settingsData,
+			contentData,
+			settingsData,
 		};
 	}
 }

src/Umbraco.Web.UI.Client/src/packages/block/block-grid/clipboard/grid-block/copy/block-grid-to-grid-block-copy-translator.ts

@@ -1,28 +1,17 @@
 import type { UmbBlockGridValueModel } from '../../../types.js';
 import { UMB_BLOCK_GRID_PROPERTY_EDITOR_SCHEMA_ALIAS } from '../../../property-editors/constants.js';
 import type { UmbGridBlockClipboardEntryValueModel } from '../../types.js';
-import { forEachBlockLayoutEntryOf } from '../../../utils/index.js';
-import { UMB_BLOCK_GRID_MANAGER_CONTEXT } from '../../../context/constants.js';
 import { UmbControllerBase } from '@umbraco-cms/backoffice/class-api';
 import type { UmbClipboardCopyPropertyValueTranslator } from '@umbraco-cms/backoffice/clipboard';
 
 export class UmbBlockGridToGridBlockClipboardCopyPropertyValueTranslator
 	extends UmbControllerBase
 	implements UmbClipboardCopyPropertyValueTranslator<UmbBlockGridValueModel, UmbGridBlockClipboardEntryValueModel>
 {
-	#blockGridManager?: typeof UMB_BLOCK_GRID_MANAGER_CONTEXT.TYPE;
-
 	async translate(propertyValue: UmbBlockGridValueModel) {
 		if (!propertyValue) {
 			throw new Error('Property value is missing.');
 		}
-
-		this.#blockGridManager = await this.getContext(UMB_BLOCK_GRID_MANAGER_CONTEXT);
-
-		return this.#constructGridBlockValue(propertyValue);
-	}
-
-	#constructGridBlockValue(propertyValue: UmbBlockGridValueModel): UmbGridBlockClipboardEntryValueModel {
 		const valueClone = structuredClone(propertyValue);
 
 		const layout = valueClone.layout?.[UMB_BLOCK_GRID_PROPERTY_EDITOR_SCHEMA_ALIAS] ?? undefined;
@@ -33,24 +22,9 @@ export class UmbBlockGridToGridBlockClipboardCopyPropertyValueTranslator
 			throw new Error('No layouts found.');
 		}
 
-		layout.forEach((layout) => {
-			// Find sub Blocks and append their data:
-			forEachBlockLayoutEntryOf(layout, async (entry) => {
-				const content = this.#blockGridManager!.getContentOf(entry.contentKey);
-
-				if (!content) {
-					throw new Error('No content found');
-				}
-
-				contentData.push(structuredClone(content));
-
-				if (entry.settingsKey) {
-					const settings = this.#blockGridManager!.getSettingsOf(entry.settingsKey);
-					if (settings) {
-						settingsData.push(structuredClone(settings));
-					}
-				}
-			});
+		layout?.forEach((layoutItem) => {
+			// @ts-expect-error - We are removing the $type property from the layout item
+			delete layoutItem.$type;
 		});
 
 		const gridBlockValue: UmbGridBlockClipboardEntryValueModel = {

src/Umbraco.Web.UI.Client/src/packages/block/block-grid/components/block-grid-block-inline/block-grid-block-inline.element.ts

@@ -20,6 +20,8 @@ import {
 } from '@umbraco-cms/backoffice/extension-api';
 import { UmbLanguageItemRepository } from '@umbraco-cms/backoffice/language';
 import { UmbTextStyles } from '@umbraco-cms/backoffice/style';
+import { UmbDataPathPropertyValueQuery } from '@umbraco-cms/backoffice/validation';
+import type { UmbVariantId } from '@umbraco-cms/backoffice/variant';
 
 const apiArgsCreator: UmbApiConstructorArgumentsMethodType<unknown> = (manifest: unknown) => {
 	return [{ manifest }];
@@ -30,6 +32,7 @@ export class UmbBlockGridBlockInlineElement extends UmbLitElement {
 	//
 	#blockContext?: typeof UMB_BLOCK_GRID_ENTRY_CONTEXT.TYPE;
 	#workspaceContext?: typeof UMB_BLOCK_WORKSPACE_CONTEXT.TYPE;
+	#variantId: UmbVariantId | undefined;
 	#contentKey?: string;
 	#parentUnique?: string | null;
 	#areaKey?: string | null;
@@ -52,6 +55,9 @@ export class UmbBlockGridBlockInlineElement extends UmbLitElement {
 	@state()
 	_inlineProperty?: UmbPropertyTypeModel;
 
+	@state()
+	_inlinePropertyDataPath?: string;
+
 	@state()
 	private _ownerContentTypeName?: string;
 
@@ -82,7 +88,7 @@ export class UmbBlockGridBlockInlineElement extends UmbLitElement {
 			UMB_BLOCK_WORKSPACE_ALIAS,
 			apiArgsCreator,
 			(permitted, ctrl) => {
-				const context = ctrl.api as typeof UMB_BLOCK_WORKSPACE_CONTEXT.TYPE;
+				const context = ctrl.api as typeof UMB_BLOCK_WORKSPACE_CONTEXT.TYPE | undefined;
 				if (permitted && context) {
 					// Risky business, cause here we are lucky that it seems to be consumed and set before this is called and there for this is acceptable for now. [NL]
 					if (this.#parentUnique === undefined || this.#areaKey === undefined) {
@@ -101,6 +107,7 @@ export class UmbBlockGridBlockInlineElement extends UmbLitElement {
 						this.#workspaceContext.content.structure.contentTypeProperties,
 						(contentTypeProperties) => {
 							this._inlineProperty = contentTypeProperties[0];
+							this.#generatePropertyDataPath();
 						},
 						'observeProperties',
 					);
@@ -116,9 +123,10 @@ export class UmbBlockGridBlockInlineElement extends UmbLitElement {
 					this.observe(
 						context.variantId,
 						async (variantId) => {
+							this.#variantId = variantId;
+							this.#generatePropertyDataPath();
 							if (variantId) {
 								context.content.setup(this, variantId);
-								// TODO: Support segment name?
 								const culture = variantId.culture;
 								if (culture) {
 									const languageRepository = new UmbLanguageItemRepository(this);
@@ -142,6 +150,16 @@ export class UmbBlockGridBlockInlineElement extends UmbLitElement {
 		this.#workspaceContext.load(this.#contentKey);
 	}
 
+	#generatePropertyDataPath() {
+		if (!this.#variantId || !this._inlineProperty) return;
+		const property = this._inlineProperty;
+		this._inlinePropertyDataPath = `$.values[${UmbDataPathPropertyValueQuery({
+			alias: property.alias,
+			culture: property.variesByCulture ? this.#variantId!.culture : null,
+			segment: property.variesBySegment ? this.#variantId!.segment : null,
+		})}].value`;
+	}
+
 	#expose = () => {
 		this.#workspaceContext?.expose();
 	};
@@ -189,6 +207,7 @@ export class UmbBlockGridBlockInlineElement extends UmbLitElement {
 			return html`<div id="inside">
 				<umb-property-type-based-property
 					.property=${this._inlineProperty}
+					.dataPath=${this._inlinePropertyDataPath ?? ''}
 					slot="areas"></umb-property-type-based-property>
 				<umb-block-grid-areas-container slot="areas"></umb-block-grid-areas-container>
 			</div>`;

src/Umbraco.Web.UI.Client/src/packages/block/block-grid/context/block-grid-entry.context.ts

@@ -1,4 +1,4 @@
-import { closestColumnSpanOption } from '../utils/index.js';
+import { closestColumnSpanOption, forEachBlockLayoutEntryOf } from '../utils/index.js';
 import type { UmbBlockGridValueModel } from '../types.js';
 import { UMB_BLOCK_GRID_PROPERTY_EDITOR_SCHEMA_ALIAS, UMB_BLOCK_GRID_PROPERTY_EDITOR_UI_ALIAS } from '../constants.js';
 import { UMB_BLOCK_GRID_MANAGER_CONTEXT } from './block-grid-manager.context-token.js';
@@ -296,6 +296,22 @@ export class UmbBlockGridEntryContext
 		const settingsData = settings ? [structuredClone(settings)] : [];
 		const exposes = expose ? [structuredClone(expose)] : [];
 
+		// Find sub Blocks and append their data:
+		forEachBlockLayoutEntryOf(layout, async (entry) => {
+			const content = this._manager!.getContentOf(entry.contentKey);
+			if (!content) {
+				throw new Error('No content found');
+			}
+			contentData.push(structuredClone(content));
+
+			if (entry.settingsKey) {
+				const settings = this._manager!.getSettingsOf(entry.settingsKey);
+				if (settings) {
+					settingsData.push(structuredClone(settings));
+				}
+			}
+		});
+
 		const propertyValue: UmbBlockGridValueModel = {
 			layout: {
 				[UMB_BLOCK_GRID_PROPERTY_EDITOR_SCHEMA_ALIAS]: layout ? [structuredClone(layout)] : undefined,

src/Umbraco.Web.UI.Client/src/packages/block/block-grid/property-value-cloner/property-value-cloner-block-grid.cloner.test.ts

@@ -49,7 +49,6 @@ describe('UmbBlockGridPropertyValueCloner', () => {
 															{
 																contentKey: 'content-3',
 																settingsKey: 'settings-3',
-																areas: [],
 															},
 														],
 													},