V9: Merge v8: 03-11-2021

build/templates/UmbracoProject/appsettings.json

@@ -17,6 +17,7 @@
     "CMS": {
       //#if (HasNoNodesViewPath || UseHttpsRedirect)
       "Global": {
+        "SanitizeTinyMce": true,
         //#if (!HasNoNodesViewPath && UseHttpsRedirect)
         "UseHttps": true
         //#elseif (UseHttpsRedirect)
@@ -25,6 +26,7 @@
         //#if (HasNoNodesViewPath)
         "NoNodesViewPath": "NO_NODES_VIEW_PATH_FROM_TEMPLATE"
         //#endif
+
       },
       //#endif
       "Hosting": {

src/Umbraco.Core/Configuration/Models/GlobalSettings.cs

@@ -28,6 +28,7 @@ public class GlobalSettings
         internal const bool StaticDisableElectionForSingleServer = false;
         internal const string StaticNoNodesViewPath = "~/umbraco/UmbracoWebsite/NoNodes.cshtml";
         internal const string StaticSqlWriteLockTimeOut = "00:00:05";
+        internal const bool StaticSanitizeTinyMce = false;
 
         /// <summary>
         /// Gets or sets a value for the reserved URLs.
@@ -157,6 +158,12 @@ public class GlobalSettings
         /// </summary>
         public bool IsSmtpServerConfigured => !string.IsNullOrWhiteSpace(Smtp?.Host);
 
+        /// <summary>
+        /// Gets a value indicating whether TinyMCE scripting sanitization should be applied
+        /// </summary>
+        [DefaultValue(StaticSanitizeTinyMce)]
+        public bool SanitizeTinyMce => StaticSanitizeTinyMce;
+
         /// <summary>
         /// An int value representing the time in milliseconds to lock the database for a write operation
         /// </summary>

src/Umbraco.Core/HealthChecks/Checks/Security/BaseHttpHeaderCheck.cs

@@ -79,7 +79,7 @@ protected async Task<HealthCheckStatus> CheckForHeader()
             var success = false;
 
             // Access the site home page and check for the click-jack protection header or meta tag
-            Uri url = _hostingEnvironment.ApplicationMainUrl;
+            var url = _hostingEnvironment.ApplicationMainUrl.GetLeftPart(UriPartial.Authority);
 
             try
             {

src/Umbraco.Infrastructure/Search/UmbracoTreeSearcherFields.cs

@@ -23,28 +23,28 @@ public UmbracoTreeSearcherFields(ILocalizationService localizationService)
         }
 
         /// <inheritdoc />
-        public IEnumerable<string> GetBackOfficeFields() => _backOfficeFields;
+        public virtual IEnumerable<string> GetBackOfficeFields() => _backOfficeFields;
 
         /// <inheritdoc />
-        public IEnumerable<string> GetBackOfficeMembersFields() => _backOfficeMembersFields;
+        public virtual IEnumerable<string> GetBackOfficeMembersFields() => _backOfficeMembersFields;
 
         /// <inheritdoc />
-        public IEnumerable<string> GetBackOfficeMediaFields() => _backOfficeMediaFields;
+        public virtual IEnumerable<string> GetBackOfficeMediaFields() => _backOfficeMediaFields;
 
         /// <inheritdoc />
-        public IEnumerable<string> GetBackOfficeDocumentFields() => Enumerable.Empty<string>();
+        public virtual IEnumerable<string> GetBackOfficeDocumentFields() => Enumerable.Empty<string>();
 
         /// <inheritdoc />
-        public ISet<string> GetBackOfficeFieldsToLoad() => _backOfficeFieldsToLoad;
+        public virtual ISet<string> GetBackOfficeFieldsToLoad() => _backOfficeFieldsToLoad;
 
         /// <inheritdoc />
-        public ISet<string> GetBackOfficeMembersFieldsToLoad() => _backOfficeMembersFieldsToLoad;
+        public virtual ISet<string> GetBackOfficeMembersFieldsToLoad() => _backOfficeMembersFieldsToLoad;
 
         /// <inheritdoc />
-        public ISet<string> GetBackOfficeMediaFieldsToLoad() => _backOfficeMediaFieldsToLoad;
+        public virtual ISet<string> GetBackOfficeMediaFieldsToLoad() => _backOfficeMediaFieldsToLoad;
 
         /// <inheritdoc />
-        public ISet<string> GetBackOfficeDocumentFieldsToLoad()
+        public virtual ISet<string> GetBackOfficeDocumentFieldsToLoad()
         {
             var fields = _backOfficeDocumentFieldsToLoad;
 

src/Umbraco.Web.BackOffice/Controllers/BackOfficeServerVariables.cs

@@ -413,6 +413,7 @@ internal async Task<Dictionary<string, object>> GetServerVariablesAsync()
                         {"showAllowSegmentationForDocumentTypes", false},
                         {"minimumPasswordLength", _memberPasswordConfigurationSettings.RequiredLength},
                         {"minimumPasswordNonAlphaNum", _memberPasswordConfigurationSettings.GetMinNonAlphaNumericChars()},
+                        {"sanitizeTinyMce", _globalSettings.SanitizeTinyMce}
                     }
                 },
                 {

src/Umbraco.Web.BackOffice/Controllers/ContentTypeController.cs

@@ -590,35 +590,43 @@ public ActionResult<ContentTypeImportModel> Upload(List<IFormFile> file)
 
                 var root = _hostingEnvironment.MapPathContentRoot(Constants.SystemDirectories.TempFileUploads);
                 var tempPath = Path.Combine(root,fileName);
-
-                using (var stream = System.IO.File.Create(tempPath))
-                {
-                    formFile.CopyToAsync(stream).GetAwaiter().GetResult();
-                }
-
-                if (ext.InvariantEquals("udt"))
+                if (Path.GetFullPath(tempPath).StartsWith(Path.GetFullPath(root)))
                 {
-                    model.TempFileName = Path.Combine(root, fileName);
+                    using (var stream = System.IO.File.Create(tempPath))
+                    {
+                        formFile.CopyToAsync(stream).GetAwaiter().GetResult();
+                    }
 
-                    var xd = new XmlDocument
+                    if (ext.InvariantEquals("udt"))
                     {
-                        XmlResolver = null
-                    };
-                    xd.Load(model.TempFileName);
+                        model.TempFileName = Path.Combine(root, fileName);
+
+                        var xd = new XmlDocument
+                        {
+                            XmlResolver = null
+                        };
+                        xd.Load(model.TempFileName);
 
-                    model.Alias = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Alias")?.FirstChild.Value;
-                    model.Name = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Name")?.FirstChild.Value;
+                        model.Alias = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Alias")?.FirstChild.Value;
+                        model.Name = xd.DocumentElement?.SelectSingleNode("//DocumentType/Info/Name")?.FirstChild.Value;
+                    }
+                    else
+                    {
+                        model.Notifications.Add(new BackOfficeNotification(
+                            _localizedTextService.Localize("speechBubbles","operationFailedHeader"),
+                            _localizedTextService.Localize("media","disallowedFileType"),
+                            NotificationStyle.Warning));
+                    }
                 }
                 else
                 {
                     model.Notifications.Add(new BackOfficeNotification(
-                        _localizedTextService.Localize("speechBubbles","operationFailedHeader"),
-                        _localizedTextService.Localize("media","disallowedFileType"),
+                        _localizedTextService.Localize("speechBubbles", "operationFailedHeader"),
+                        _localizedTextService.Localize("media", "invalidFileName"),
                         NotificationStyle.Warning));
                 }
-            }
-
 
+            }
 
             return model;
 

src/Umbraco.Web.UI.Client/src/common/services/overlay.service.js

@@ -12,6 +12,58 @@
 
         var currentOverlay = null;
 
+        /**
+         * @ngdoc method
+         * @name umbraco.services.overlayService#open
+         * @methodOf umbraco.services.overlayService
+         *
+         * @description
+         * Opens a new overlay.
+         *
+         * @param {object} overlay The rendering options for the overlay.
+         * @param {string=} overlay.view The URL to the view. Defaults to `views/common/overlays/default/default.html` if nothing is specified.
+         * @param {string=} overlay.position The alias of the position of the overlay. Defaults to `center`.
+         * 
+         * Custom positions can be added by adding a CSS rule for the the underlying CSS rule. Eg. for the position `center`, the corresponding `umb-overlay-center` CSS rule is defined as:
+         * 
+         * <pre>
+         * .umb-overlay.umb-overlay-center {
+         *     position: absolute;
+         *     width: 600px;
+         *     height: auto;
+         *     top: 50%;
+         *     left: 50%;
+         *     transform: translate(-50%,-50%);
+         *     border-radius: 3px;
+         * }
+         * </pre>
+         * @param {string=} overlay.size Sets an alias for the size of the overlay to be opened. If set to `small` (default), an `umb-overlay--small` class name will be appended the the class list of the main overlay element in the DOM.
+         * 
+         * Umbraco does not support any more sizes by default, but if you wish to introduce a `medium` size, you could do so by adding a CSS rule simlar to:
+         * 
+         * <pre>
+         * .umb-overlay-center.umb-overlay--medium {
+         *     width: 800px;
+         * }
+         * </pre>
+         * @param {booean=} overlay.disableBackdropClick A boolean value indicating whether the click event on the backdrop should be disabled.
+         * @param {string=} overlay.title The overall title of the overlay. The title will be omitted if not specified.
+         * @param {string=} overlay.subtitle The sub title of the overlay. The sub title will be omitted if not specified.
+         * @param {object=} overlay.itemDetails An item that will replace the header of the overlay.
+         * @param {string=} overlay.itemDetails.icon The icon of the item - eg. `icon-book`.
+         * @param {string=} overlay.itemDetails.title The title of the item.
+         * @param {string=} overlay.itemDetails.description Sets the description of the item.         * 
+         * @param {string=} overlay.submitButtonLabel The label of the submit button. To support localized values, it's recommended to use the `submitButtonLabelKey` instead.
+         * @param {string=} overlay.submitButtonLabelKey The key to be used for the submit button label. Defaults to `general_submit` if not specified.
+         * @param {string=} overlay.submitButtonState The state of the submit button. Possible values are inherited from the [umbButton directive](#/api/umbraco.directives.directive:umbButton) and are `init`, `busy", `success`, `error`.
+         * @param {string=} overlay.submitButtonStyle The styling of the submit button. Possible values are inherited from the [umbButton directive](#/api/umbraco.directives.directive:umbButton) and are `primary`, `info`, `success`, `warning`, `danger`, `inverse`, `link` and `block`. Defaults to `success` if not specified specified.
+         * @param {string=} overlay.hideSubmitButton A boolean value indicating whether the submit button should be hidden. Default is `false`.
+         * @param {string=} overlay.disableSubmitButton A boolean value indicating whether the submit button should be disabled, preventing the user from submitting the overlay. Default is `false`.
+         * @param {string=} overlay.closeButtonLabel The label of the close button. To support localized values, it's recommended to use the `closeButtonLabelKey` instead.
+         * @param {string=} overlay.closeButtonLabelKey The key to be used for the close button label. Defaults to `general_close` if not specified.
+         * @param {string=} overlay.submit A callback function that is invoked when the user submits the overlay.
+         * @param {string=} overlay.close A callback function that is invoked when the user closes the overlay.
+         */
         function open(newOverlay) {
 
             // prevent two open overlays at the same time
@@ -49,6 +101,14 @@
             eventsService.emit("appState.overlay", overlay);
         }
 
+        /**
+         * @ngdoc method
+         * @name umbraco.services.overlayService#close
+         * @methodOf umbraco.services.overlayService
+         *
+         * @description
+         * Closes the current overlay.
+         */
         function close() {
             focusLockService.removeInertAttribute();
 
@@ -61,6 +121,16 @@
             eventsService.emit("appState.overlay", null);
         }
 
+        /**
+         * @ngdoc method
+         * @name umbraco.services.overlayService#ysod
+         * @methodOf umbraco.services.overlayService
+         *
+         * @description
+         * Opens a new overlay with an error message.
+         *
+         * @param {object} error The error to be shown.
+         */
         function ysod(error) {
             const overlay = {
                 view: "views/common/overlays/ysod/ysod.html",
@@ -72,6 +142,36 @@
             open(overlay);
         }
 
+        /**
+         * @ngdoc method
+         * @name umbraco.services.overlayService#confirm
+         * @methodOf umbraco.services.overlayService
+         *
+         * @description
+         * Opens a new overlay prompting the user to confirm the overlay.
+         *
+         * @param {object} overlay The options for the overlay.
+         * @param {string=} overlay.confirmType The type of the confirm dialog, which helps define standard styling and labels of the overlay. Supported values are `delete` and `remove`.
+         * @param {string=} overlay.closeButtonLabelKey The key to be used for the cancel button label. Defaults to `general_cancel` if not specified.
+         * @param {string=} overlay.view The URL to the view. Defaults to `views/common/overlays/confirm/confirm.html` if nothing is specified.
+         * @param {string=} overlay.confirmMessageStyle The styling of the confirm message. If `overlay.confirmType` is `delete`, the fallback value is `danger` - otherwise a message style isn't explicitly specified.
+         * @param {string=} overlay.submitButtonStyle The styling of the confirm button. Possible values are inherited from the [umbButton directive](#/api/umbraco.directives.directive:umbButton) and are `primary`, `info`, `success`, `warning`, `danger`, `inverse`, `link` and `block`.
+         * 
+         * If not specified, the fallback value depends on the value specified for the `overlay.confirmType` parameter:
+         * 
+         * - `delete`: fallback key is `danger`
+         * - `remove`: fallback key is `primary`
+         * - anything else: no fallback AKA default button style
+         * @param {string=} overlay.submitButtonLabelKey The key to be used for the confirm button label. 
+         * 
+         * If not specified, the fallback value depends on the value specified for the `overlay.confirmType` parameter:
+         * 
+         * - `delete`: fallback key is `actions_delete`
+         * - `remove`: fallback key is `actions_remove`
+         * - anything else: fallback is `general_confirm`
+         * @param {function=} overlay.close A callback function that is invoked when the user closes the overlay.
+         * @param {function=} overlay.submit A callback function that is invoked when the user confirms the overlay.
+         */
         function confirm(overlay) {
 
             if (!overlay.closeButtonLabelKey) overlay.closeButtonLabelKey = "general_cancel";
@@ -99,11 +199,45 @@
             open(overlay);
         }
 
+        /**
+         * @ngdoc method
+         * @name umbraco.services.overlayService#confirmDelete
+         * @methodOf umbraco.services.overlayService
+         *
+         * @description
+         * Opens a new overlay prompting the user to confirm the overlay. The overlay will have styling and labels useful for when the user needs to confirm a delete action.
+         *
+         * @param {object} overlay The options for the overlay.
+         * @param {string=} overlay.closeButtonLabelKey The key to be used for the cancel button label. Defaults to `general_cancel` if not specified.
+         * @param {string=} overlay.view The URL to the view. Defaults to `views/common/overlays/confirm/confirm.html` if nothing is specified.
+         * @param {string=} overlay.confirmMessageStyle The styling of the confirm message. Defaults to `delete` if not specified specified.
+         * @param {string=} overlay.submitButtonStyle The styling of the confirm button. Possible values are inherited from the [umbButton directive](#/api/umbraco.directives.directive:umbButton) and are `primary`, `info`, `success`, `warning`, `danger`, `inverse`, `link` and `block`. Defaults to `danger` if not specified specified.
+         * @param {string=} overlay.submitButtonLabelKey The key to be used for the confirm button label. Defaults to `actions_delete` if not specified.
+         * @param {function=} overlay.close A callback function that is invoked when the user closes the overlay.
+         * @param {function=} overlay.submit A callback function that is invoked when the user confirms the overlay.
+         */
         function confirmDelete(overlay) {
             overlay.confirmType = "delete";
             confirm(overlay);
         }
 
+        /**
+         * @ngdoc method
+         * @name umbraco.services.overlayService#confirmRemove
+         * @methodOf umbraco.services.overlayService
+         *
+         * @description
+         * Opens a new overlay prompting the user to confirm the overlay. The overlay will have styling and labels useful for when the user needs to confirm a remove action.
+         *
+         * @param {object} overlay The options for the overlay.
+         * @param {string=} overlay.closeButtonLabelKey The key to be used for the cancel button label. Defaults to `general_cancel` if not specified.
+         * @param {string=} overlay.view The URL to the view. Defaults to `views/common/overlays/confirm/confirm.html` if nothing is specified.
+         * @param {string=} overlay.confirmMessageStyle The styling of the confirm message - eg. `danger`.
+         * @param {string=} overlay.submitButtonStyle The styling of the confirm button. Possible values are inherited from the [umbButton directive](#/api/umbraco.directives.directive:umbButton) and are `primary`, `info`, `success`, `warning`, `danger`, `inverse`, `link` and `block`. Defaults to `primary` if not specified specified.
+         * @param {string=} overlay.submitButtonLabelKey The key to be used for the confirm button label. Defaults to `actions_remove` if not specified.
+         * @param {function=} overlay.close A callback function that is invoked when the user closes the overlay.
+         * @param {function=} overlay.submit A callback function that is invoked when the user confirms the overlay.
+         */
         function confirmRemove(overlay) {
             overlay.confirmType = "remove";
             confirm(overlay);