[bot] Fast-forward for 24.1.0

api/src/org/labkey/api/data/JsonTest.java

@@ -101,12 +101,14 @@ public void jsonOrgViaJackson() throws IOException
         obj.put("str", "hello");
         obj.put("arr", new JSONArray(Arrays.asList("one", null, 3, new JSONObject(Collections.singletonMap("four", 4)))));
         obj.put("nul", (Object)null);
+        obj.put("key", "</tricky\tvalue\\");
 //        obj.put("d", d);  //TODO: new JSONObject serializes date-times as ISO
 
         // Verify serializing JSONObject via Jackson is equivalent
         String jacksonToString = mapper.writeValueAsString(obj);
         String jsonOrgToString = obj.toString();
         assertEquals(jsonOrgToString, jacksonToString);
+        assertTrue(jsonOrgToString.contains("<\\/"));
 
         // Verify deserializing JSONObject via Jackson is equivalent
         // NOTE: In both cases, the date value is deserialized as a string because JSON sucks

api/src/org/labkey/api/notification/notificationpanel.jsp

@@ -43,7 +43,7 @@
     %>
     <a id="<%=h(linkId)%>" href="#">
         <i class="fa fa-inbox labkey-notification-inbox"></i>
-        <span id=<%=q(notificationCountId)%>>&nbsp;</span>
+        <span id="<%=h(notificationCountId)%>">&nbsp;</span>
     </a>
 </li>
 

api/src/org/labkey/api/reports/report/r/RReport.java

@@ -219,12 +219,48 @@ public static synchronized String getDefaultRPath()
         return DEFAULT_APP_PATH;
     }
 
+
     public static String toR(String s)
     {
-        String r = PageFlowUtil.jsString(s);
-        return "\"" + StringUtils.strip(r, "'") + "\"";
+        if (s == null)
+            return "\"\"";
+
+        StringBuilder r = new StringBuilder(s.length() + 10);
+        r.append("\"");
+        int len = s.length();
+        for (int i = 0 ; i<len ; i++)
+        {
+            char c = s.charAt(i);
+            switch (c)
+            {
+                case '\\':
+                    r.append("\\\\");
+                    break;
+                case '\n':
+                    r.append("\\n");
+                    break;
+                case '\r':
+                    r.append("\\r");
+                    break;
+                case '\'':
+                    r.append("\\'");
+                    break;
+                case '\"':
+                    r.append("\\\"");
+                    break;
+                case '\t':
+                    r.append("\\t");
+                    break;
+                default:
+                    r.append(c);
+                    break;
+            }
+        }
+        r.append("\"");
+        return r.toString();
     }
 
+
     // static for access by RserveScriptEngine with no backing report
     public static void appendParamList(StringBuilder labkey, Map<String, Object> inputParameters)
     {

api/src/org/labkey/api/util/PageFlowUtil.java

@@ -428,6 +428,9 @@ public static String jsString(String s)
                 case '\\':
                     js.append("\\\\");
                     break;
+                case '/':
+                    js.append("\\/");
+                    break;
                 case '\n':
                     js.append("\\n");
                     break;

core/src/org/labkey/core/CoreModule.java

@@ -15,6 +15,7 @@
  */
 package org.labkey.core;
 
+import com.fasterxml.jackson.core.io.CharTypes;
 import com.google.common.collect.Sets;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
@@ -317,6 +318,18 @@ public class CoreModule extends SpringModule implements SearchService.DocumentPr
 
         // Register dialect extra early, since we need to initialize the data sources before calling DefaultModule.initialize()
         SqlDialectRegistry.register(new PostgreSqlDialectFactory());
+
+        try
+        {
+            var field = CharTypes.class.getDeclaredField("sOutputEscapes128");
+            field.setAccessible(true);
+            ((int[])field.get(null))['/'] = '/';
+            field.setAccessible(false);
+        }
+        catch (NoSuchFieldException|IllegalArgumentException|IllegalAccessException x)
+        {
+            // pass
+        }
     }
 
     private CoreWarningProvider _warningProvider;

core/src/org/labkey/core/analytics/AnalyticsServiceImpl.java

@@ -205,7 +205,7 @@ private String getSanitizedUrl(ViewContext context)
     private static final String GA4_TRACKING_SCRIPT_TEMPLATE =
             """
                     <!-- Global site tag (gtag.js) - Google Analytics -->
-                    <script async src="${GA4_JS:htmlEncode}"></script>
+                    <script async src="${GA4_JS:htmlEncode}" nonce="${SCRIPT_NONCE:htmlEncode}"></script>
                     <script nonce="${SCRIPT_NONCE:htmlEncode}">
                       window.dataLayer = window.dataLayer || [];
                       function gtag(){dataLayer.push(arguments);}

core/src/org/labkey/core/analytics/analyticsSettings.jsp

@@ -70,10 +70,10 @@
             <td style="padding-left: 1em;">
                 <strong><label for="customScript">Custom JavaScript Analytics</label></strong>
                 <p>
-                    Add <label for="ff_trackingScript">custom analytics script</label> to the <code>&lt;head&gt;</code> of every page.  Include required <code>&lt;script&gt;</code> tags.
+                    Add <label for="ff_trackingScript">custom analytics script</label> to the <code>&lt;head&gt;</code> of every page. Include required <code>&lt;script&gt;</code> tags. If the server enforces a Content Security Policy, script blocks may need a nonce to function: <code>&lt;script nonce="\${SCRIPT_NONCE:htmlEncode}"&gt;</code>.
                 </p>
                 <p>
-                    <strong>NOTE:</strong> You can mess up your site if you make a mistake here.  You may want to bookmark this page to aid in making corrections, just in case.
+                    <strong>NOTE:</strong> You can mess up your site if you make a mistake here. You may want to bookmark this page to aid in making corrections, just in case.
                 </p>
                 <textarea <%=unsafe(hasAdminOpsPerms?"":"disabled=\"disabled\"")%> style="width:100%; height:15em;" id="ff_trackingScript" name="ff_trackingScript"><%=h(settingsForm.ff_trackingScript)%></textarea>
             </td>

core/src/org/labkey/core/user/securityAccess.jsp

@@ -79,7 +79,7 @@
     However, if this account were re-enabled, it would have the following permissions.</div>
 <% } %>
 
-<table id=<%=q(accessRegion.getDomId())%> lk-region-name=<%=q(accessRegion.getName())%> class="labkey-data-region-legacy labkey-show-borders">
+<table id="<%=h(accessRegion.getDomId())%>" lk-region-name="<%=h(accessRegion.getName())%>" class="labkey-data-region-legacy labkey-show-borders">
     <colgroup><col><col><col></colgroup>
     <tr id="dataregion_column_header_row_access">
         <th>&nbsp;</th>

filecontent/src/org/labkey/filecontent/FileContentServiceImpl.java

@@ -331,10 +331,8 @@ public java.nio.file.Path getDefaultRootPath(Container c, boolean createDir)
             }
             else
             {
-                File fileRootFile = new File(parentRoot.toFile(), getRelativePath(c, firstOverride));
-                _log.info("File root for '%s': '%s'".formatted(c.getPath(), fileRootFile.toString()));
                 // For local, the path may be several directories deep (since it matches the LK folder path), so we should create the directories for that path
-                fileRootPath = fileRootFile.toPath();
+                fileRootPath = new File(parentRoot.toFile(), getRelativePath(c, firstOverride)).toPath();
 
                 try
                 {

study/src/org/labkey/study/controllers/ParticipantGroupController.java

@@ -1086,6 +1086,13 @@ public ApiResponse execute(ParticipantGroupSpecification form, BindException err
                         ParticipantGroupManager.getInstance().setParticipantCategory(getContainer(), getUser(), category);
                     }
 
+                    //if the label has changed, update the category label as well
+                    if (null != form.getCategoryLabel() && !form.getCategoryLabel().equalsIgnoreCase(category.getLabel()))
+                    {
+                        category.setLabel(form.getCategoryLabel());
+                        ParticipantGroupManager.getInstance().setParticipantCategory(getContainer(), getUser(), category);
+                    }
+
                     deleteImplicitCategory(oldCategoryId, category);
                 }
                 transaction.commit();

study/src/org/labkey/study/controllers/publish/PublishController.java

@@ -374,6 +374,10 @@ public void run()
             {
                 error("Failure", t);
             }
+
+            if (getErrors() == 0)
+                setStatus(TaskStatus.complete);
+
             info("Auto link to study complete");
         }
     }

study/src/org/labkey/study/importer/CreateChildStudyPipelineJob.java

@@ -275,6 +275,7 @@ public boolean run(ViewContext context)
                 // Save the snapshot RowId to the destination study
                 StudyImpl mutableStudy = StudyManager.getInstance().getStudy(getDstContainer()).createMutable();
                 mutableStudy.setStudySnapshot(snapshot.getRowId());
+                StudyManager.getInstance().updateStudy(user, mutableStudy);
 
                 // export objects from the parent study, then import them into the new study
                 getLogger().info("Exporting data from parent study.");
@@ -311,6 +312,7 @@ public boolean run(ViewContext context)
                 new TopLevelStudyPropertiesImporter().process(studyImportContext, studyDir, errors);
 
                 // after the data has been imported, configure the new study setting for undefined timepoints
+                mutableStudy = StudyManager.getInstance().getStudy(getDstContainer()).createMutable();
                 if (sourceStudy.isFailForUndefinedTimepoints())
                     mutableStudy.setFailForUndefinedTimepoints(true);
 

study/src/org/labkey/study/model/StudyManager.java

@@ -1148,14 +1148,17 @@ public VisitImpl getVisit(Study study, User user, BigDecimal sequenceNum, Visit.
         for (BigDecimal sequencenum : sequencenums)
         {
             VisitImpl result = ensureVisitWithoutSaving(study, sequencenum, type, visits);
-            if (result.getRowId() == 0 && !failForUndefinedVisits)
+            if (result.getRowId() == 0)
             {
-                createVisit(study, user, result, visits);
-                // Refresh existing visits to avoid constraint violation, see #44425
-                visits = getVisits(study, Visit.Order.SEQUENCE_NUM);
+                if (!failForUndefinedVisits)
+                {
+                    createVisit(study, user, result, visits);
+                    // Refresh existing visits to avoid constraint violation, see #44425
+                    visits = getVisits(study, Visit.Order.SEQUENCE_NUM);
+                }
+                else
+                    seqNumFailures.add(String.valueOf(sequencenum));
             }
-            else
-                seqNumFailures.add(String.valueOf(sequencenum));
         }
 
         if (!seqNumFailures.isEmpty())

study/src/org/labkey/study/visitmanager/RelativeDateVisitManager.java

@@ -327,7 +327,7 @@ private void _updateVisitRowId()
         return errors;
     }
 
-    public @Nullable ValidationException recomputeDates(Date oldStartDate, User user)
+    public @NotNull ValidationException recomputeDates(Date oldStartDate, User user)
     {
         if (null != oldStartDate)
         {
@@ -351,7 +351,7 @@ private void _updateVisitRowId()
                 return updateParticipantVisits(user, getStudy().getDatasets());
             }
         }
-        return null;
+        return new ValidationException();
     }
 
     // Return sql for fetching all datasets and their visit sequence numbers, given a container

survey/src/org/labkey/survey/view/customizeSurveysWebPart.jsp

@@ -40,7 +40,7 @@
 %>
 
 This webpart displays a list of survey instances created by the end user. Select which survey design this webpart should use:<br><br>
-<div id=<%=q(divId)%>></div>
+<div id="<%=h(divId)%>"></div>
 
 <script type="text/javascript" nonce="<%=getScriptNonce()%>">
     Ext4.onReady(function(){

survey/src/org/labkey/survey/view/surveyWizard.jsp

@@ -76,9 +76,9 @@
     else
     {
 %>
-<div id=<%=q(headerRenderId)%>></div>
-<div id=<%=q(formRenderId)%>></div>
-<div id=<%=q(footerRenderId)%>></div>
+<div id="<%=h(headerRenderId)%>"></div>
+<div id="<%=h(formRenderId)%>"></div>
+<div id="<%=h(footerRenderId)%>"></div>
 <script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     Ext4.onReady(function(){