From cf1c0d50d55e686dbb722b8f4de85b543ae2e5e1 Mon Sep 17 00:00:00 2001 From: LucasC Date: Fri, 22 Nov 2024 14:58:50 +0100 Subject: [PATCH] XWIKI-22205: Underline inline link in CSRF confirmation Panel (#3200) * Deprecated the old translation key that contained HTML syntax * Replaced it with a juxtaposition of smaller translations. * When nesting was needed, used parameters to make sure we don't have syntax inside the translation values. * Updated the two uses of the old translation key --- .../resources/ApplicationResources.properties | 9 +++++++- .../src/main/resources/templates/resubmit.vm | 23 ++++++++++++++++++- .../js/xwiki/actionbuttons/actionButtons.js | 10 +++++++- 3 files changed, 39 insertions(+), 3 deletions(-) diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties b/xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties index cafdfc266d5b..7be876c6c294 100644 --- a/xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties +++ b/xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties @@ -3640,7 +3640,13 @@ XWiki.SearchSuggestSourceClass_activated=Activated XWiki.SearchSuggestSourceClass_activated.hint=Whether this source is used or not (as long as the source search engine matches the search engine used by the current wiki). ### CSRFToken resources -csrf.confirmation=

This request contains an invalid authentication information.

This might happen in the following situations:

If you are sure that none of these situations apply in your case, you might have found a bug. We are sorry about that, please report it on XWiki JIRA

Do you want to resend the request? If unsure, say No.

+csrf.confirmation.status=This request contains an invalid authentication information. +csrf.confirmation.possibleReasons.description=This might happen in the following situations: +csrf.confirmation.possibleReasons.firstReason=You left the editor open in another window/tab and logged off and on again +csrf.confirmation.possibleReasons.secondReason=Your authentication token expired after a long period of inactivity +csrf.confirmation.possibleReasons.thirdReason=Somebody tried to perform a CSRF attack +csrf.confirmation.unsure=If you are sure that none of these situations apply in your case, you might have found a bug. We are sorry about that, please report it on {0}XWiki JIRA{1}. +csrf.confirmation.question=Do you want to resend the request? If unsure, say {0}No{1}. ### Extension Manager application resources admin.extensions=Extension Manager @@ -5667,6 +5673,7 @@ platform.index.spaceIndexDocumentListCreate=Create a new page ####################################### ## until 16.10.0RC1 ####################################### +csrf.confirmation=

This request contains an invalid authentication information.

This might happen in the following situations:

If you are sure that none of these situations apply in your case, you might have found a bug. We are sorry about that, please report it on XWiki JIRA

Do you want to resend the request? If unsure, say No.

core.register.successful={0} ({1}): Registration successful. ## Used to indicate where deprecated keys end diff --git a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resubmit.vm b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resubmit.vm index b7ddce0f9084..ff3ac9cf2150 100644 --- a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resubmit.vm +++ b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resubmit.vm @@ -29,7 +29,28 @@ $response.addHeader( "X-FRAME-OPTIONS", "DENY" )
## Set as an HTML main for better DOM tree semantics to facilitate navigation with assistive technologies.
-#xwikimessageboxstart($services.localization.render('warning') $services.localization.render('csrf.confirmation')) +#define ($messageBoxContent) +

+$services.localization.render('csrf.confirmation.status') +

+

+$services.localization.render('csrf.confirmation.possibleReasons.description') +

+
  • +$services.localization.render('csrf.confirmation.possibleReasons.firstReason') +
  • +$services.localization.render('csrf.confirmation.possibleReasons.secondReason') +
  • +$services.localization.render('csrf.confirmation.possibleReasons.thirdReason') +
+

+$services.localization.render('csrf.confirmation.unsure', ["", ""]) +

+

+$services.localization.render('csrf.confirmation.question', ["", ""]) +

+#end +#xwikimessageboxstart($services.localization.render('warning') $messageBoxContent) #getSanitizedURLAttributeValue('form','action', $request.getParameter('resubmit'), '', $resubmit) #getSanitizedURLAttributeValue('a','href', $request.getParameter('xback'), $doc.getURL(), $xback)
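Review bot: The translated strings in the new `#define ($messageBoxContent)` block are written into the message-box markup unescaped, e.g. `$services.localization.render('csrf.confirmation.status')`. Moving the markup out of the translation values is what makes escaping possible, so the plain keys (status, description and the three reasons) should be wrapped, e.g. `$escapetool.xml($services.localization.render('csrf.confirmation.status'))`, so that a translation override containing markup is displayed as text on this confirmation page. For `csrf.confirmation.unsure` and `csrf.confirmation.question` the translated text should be escaped too, with only the tag parameters left raw; their values are not legible in this rendering, so that part needs confirming against the file. A short Velocity comment above the `#define` stating that markup lives in the template and never in the translation values would document the new contract.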
diff --git a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-war/src/main/webapp/resources/js/xwiki/actionbuttons/actionButtons.js b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-war/src/main/webapp/resources/js/xwiki/actionbuttons/actionButtons.js index 3c540216bfaa..5fd2851a1476 100644 --- a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-war/src/main/webapp/resources/js/xwiki/actionbuttons/actionButtons.js +++ b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-war/src/main/webapp/resources/js/xwiki/actionbuttons/actionButtons.js @@ -529,7 +529,15 @@ var XWiki = (function(XWiki) { var buttonsDiv = new Element('div'); // the confirmation message contains some double quotes that should be escaped. - content.insert("$escapetool.json($services.localization.render('csrf.confirmation'))"); + content.insert("

$services.localization.render('csrf.confirmation.status')

" + + "

$services.localization.render('csrf.confirmation.possibleReasons.description')

" + + "
  • $services.localization.render('csrf.confirmation.possibleReasons.firstReason')
  • " + + "
  • $services.localization.render('csrf.confirmation.possibleReasons.secondReason')
  • " + + "
  • $services.localization.render('csrf.confirmation.possibleReasons.thirdReason')
" + + "

" + + "$services.localization.render('csrf.confirmation.unsure', ["", ""])" + + "

" + + "

$services.localization.render('csrf.confirmation.question', ['', ''])

"); content.insert(new Element('br')); var buttonCreate = new Element('button', {'class': 'btn btn-default', 'id': 'force-save-csrf'}); buttonCreate.insert("$services.localization.render('yes')");
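Review bot: The `$escapetool.json(...)` wrapper used by the removed line is gone, so each `$services.localization.render(...)` result is now pasted raw into a double-quoted JavaScript string literal in the new `content.insert(...)` call. A translation containing a double quote, backslash or line break would end or break that literal, and the retained comment about escaping double quotes no longer matches the code. Each call should keep the wrapper, e.g. `$escapetool.json($services.localization.render('csrf.confirmation.status'))`, and because the string appears to be inserted as markup, HTML-escaping the plain values with `$escapetool.xml` as well looks appropriate. The two parameterised calls also differ in quoting style (`["", ""]` versus `['', '']`), which is worth making uniform. The enclosing function starts and ends outside the hunk.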