Merge remote-tracking branch 'origin/8.3' into 9.0

# Conflicts:
#	Neos.ContentRepository/Classes/Domain/Repository/NodeDataRepository.php
#	Neos.Neos/Classes/Controller/Backend/MenuHelper.php
#	Neos.Neos/Classes/Controller/Module/Management/WorkspacesController.php
#	Neos.Neos/Documentation/References/CommandReference.rst
#	Neos.Neos/Documentation/References/Signals/ContentRepository.rst
#	Neos.Neos/Documentation/References/ViewHelpers/ContentRepository.rst
#	Neos.Neos/Resources/Private/Templates/Module/Management/Workspaces/Show.html

Neos.ContentRepositoryRegistry/Classes/Command/NodeTypesCommandController.php

@@ -52,9 +52,14 @@ public function showCommand(string $nodeTypeName, string $path = '', int $level
             $this->quit();
         }
 
-        $configuration = $path
-            ? self::truncateArrayAtLevel($nodeType->getConfiguration($path), $level)
-            : [$nodeTypeName => self::truncateArrayAtLevel($nodeType->getFullConfiguration(), $level)];
+        if (empty($path)) {
+            $configuration = [$nodeTypeName => self::truncateArrayAtLevel($nodeType->getFullConfiguration(), $level)];
+        } else {
+            $configuration = $nodeType->getConfiguration($path);
+            if (is_array($configuration)) {
+                $configuration = self::truncateArrayAtLevel($configuration, $level);
+            }
+        }
 
         $yaml = Yaml::dump($configuration, 99);
 

Neos.Fusion/Classes/Core/Cache/ParserCache.php

@@ -63,7 +63,12 @@ public function cacheForFusionFile(?string $contextPathAndFilename, \Closure $ge
         if (str_contains($contextPathAndFilename, 'nodetypes://')) {
             $contextPathAndFilename = $this->getAbsolutePathForNodeTypesUri($contextPathAndFilename);
         }
-        $identifier = $this->getCacheIdentifierForFile($contextPathAndFilename);
+        $fusionFileRealPath = realpath($contextPathAndFilename);
+        if ($fusionFileRealPath === false) {
+            // should not happen as the file would not been able to be read in the first place.
+            throw new \RuntimeException("Couldn't resolve realpath for: '$contextPathAndFilename'", 1705409467);
+        }
+        $identifier = $this->getCacheIdentifierForAbsoluteUnixStyleFilePathWithoutDirectoryTraversal($fusionFileRealPath);
         return $this->cacheForIdentifier($identifier, $generateValueToCache);
     }
 
@@ -78,11 +83,16 @@ public function cacheForDsl(string $identifier, string $code, \Closure $generate
 
     private function cacheForIdentifier(string $identifier, \Closure $generateValueToCache): mixed
     {
-        if ($this->parsePartialsCache->has($identifier)) {
-            return $this->parsePartialsCache->get($identifier);
+        $value = $this->parsePartialsCache->get($identifier);
+        if ($value !== false) {
+            return $value;
         }
         $value = $generateValueToCache();
-        $this->parsePartialsCache->set($identifier, $value);
+        if ($value !== false) {
+            // in the rare edge-case of a fusion dsl returning `false` we cannot cache it,
+            // as the above get would be ignored. This is an acceptable compromise.
+            $this->parsePartialsCache->set($identifier, $value);
+        }
         return $value;
     }
 

Neos.Fusion/Classes/Core/Cache/ParserCacheFlusher.php

@@ -50,7 +50,10 @@ public function flushPartialCacheOnFileChanges($fileMonitorIdentifier, array $ch
 
         $identifiersToFlush = [];
         foreach ($changedFiles as $changedFile => $status) {
-            $identifiersToFlush[] = $this->getCacheIdentifierForFile($changedFile);
+            // flow already returns absolute file paths from the file monitor, so we don't have to call realpath.
+            // attempting to use realpath can even result in an error as the file might be removed and thus no realpath can be resolved via file system.
+            // https://github.com/neos/neos-development-collection/pull/4509
+            $identifiersToFlush[] = $this->getCacheIdentifierForAbsoluteUnixStyleFilePathWithoutDirectoryTraversal($changedFile);
         }
 
         if ($identifiersToFlush !== []) {

Neos.Fusion/Classes/Core/Cache/ParserCacheIdentifierTrait.php

@@ -19,26 +19,32 @@
 trait ParserCacheIdentifierTrait
 {
     /**
-     * creates a comparable hash of the dsl type and content to be used as cache identifier
+     * Creates a comparable hash of the dsl type and content to be used as cache identifier
      */
     private function getCacheIdentifierForDslCode(string $identifier, string $code): string
     {
         return 'dsl_' . $identifier . '_' . md5($code);
     }
 
     /**
-     * creates a comparable hash of the absolute, resolved $fusionFileName
+     * Creates a comparable hash of the absolute-unix-style-file-path-without-directory-traversal
      *
-     * @throws \InvalidArgumentException
+     * something like
+     *  - /Users/marc/Code/neos-project/Packages/Neos
+     *
+     * its crucial that the path
+     *  - is absolute
+     *  - the path separator is in unix style: forward-slash /
+     *  - doesn't contain directory traversal /../ or /./
+     *
+     * to be absolutely sure the path matches the criteria, {@see realpath} can be used.
+     *
+     * if the path does not match the criteria, a different hash as expected will be generated and caching will break.
      */
-    private function getCacheIdentifierForFile(string $fusionFileName): string
-    {
-        $realPath = realpath($fusionFileName);
-        if ($realPath === false) {
-            throw new \InvalidArgumentException("Couldn't resolve realpath for: '$fusionFileName'");
-        }
-
-        $realFusionFilePathWithoutRoot = str_replace(FLOW_PATH_ROOT, '', $realPath);
-        return 'file_' . md5($realFusionFilePathWithoutRoot);
+    private function getCacheIdentifierForAbsoluteUnixStyleFilePathWithoutDirectoryTraversal(
+        string $absoluteUnixStyleFilePathWithoutDirectoryTraversal
+    ): string {
+        $filePathWithoutRoot = str_replace(FLOW_PATH_ROOT, '', $absoluteUnixStyleFilePathWithoutDirectoryTraversal);
+        return 'file_' . md5($filePathWithoutRoot);
     }
 }

Neos.Fusion/Classes/Core/ObjectTreeParser/ExceptionMessage/MessageLinePart.php

@@ -37,10 +37,11 @@ public function linePrint(int $offset = 0): string
 
     public function char(int $index = 0): string
     {
-        if ($index < 0) {
-            return mb_substr($this->linePart, $index, 1);
+        if ($index < 0 && mb_strlen($this->linePart) < abs($index)) {
+            // prevent mb_substr returning first char if out of bounds
+            return '';
         }
-        return mb_substr($this->linePart, $index, $index + 1);
+        return mb_substr($this->linePart, $index, 1);
     }
 
     public function charPrint(int $index = 0): string

Neos.Fusion/Classes/Core/ObjectTreeParser/Lexer.php

@@ -44,12 +44,14 @@ class Lexer
         Token::MULTILINE_COMMENT => <<<'REGEX'
         `^
           /\*               # start of a comment '/*'
-          [^*]*             # match everything until special case '*'
+          [^*]*             # consume until special case '*'
+          \*+               # consume all '*'
           (?:
-            \*[^/]          # if after the '*' there is a '/' break, else continue
-            [^*]*           # until the special case '*' is encountered - unrolled loop following Jeffrey Friedl
+            [^/]            # break if its the end: '/'
+            [^*]*           # unrolled loop following Jeffrey E.F. Friedl
+            \*+
           )*
-          \*/               # the end of a comment.
+          /                 # the end of a comment.
         `x
         REGEX,
 

Neos.Fusion/Classes/FusionObjects/Helpers/LazyReference.php

@@ -42,8 +42,11 @@ public function deref(): mixed
         }
 
         $this->isLocked = true;
-        $this->value = ($this->calculateValueCallback)();
-        $this->hasBeenDereferenced = true;
+        try {
+            $this->value = ($this->calculateValueCallback)();
+        } finally {
+            $this->hasBeenDereferenced = true;
+        }
 
         return $this->value;
     }

Neos.Fusion/Resources/Private/Fusion/Prototypes/Matcher.fusion

@@ -1,6 +1,9 @@
 prototype(Neos.Fusion:Matcher) {
   @class = 'Neos\\Fusion\\FusionObjects\\MatcherImplementation'
   condition = false
-  type = null
+  renderer = null
   renderPath = null
+  type = null
+  element {
+  }
 }

Neos.Fusion/Resources/Private/Fusion/Prototypes/Renderer.fusion

@@ -1,6 +1,8 @@
 prototype(Neos.Fusion:Renderer) {
   @class = 'Neos\\Fusion\\FusionObjects\\RendererImplementation'
-  type = null
-  renderPath = null
   renderer = null
+  renderPath = null
+  type = null
+  element {
+  }
 }

Neos.Fusion/Tests/Unit/Core/Fixtures/ParserTestFusionComments01.fusion

@@ -57,7 +57,17 @@ comment with // ane more comment
  Here comes some comment with # and /* and // in it
 */
 
+/**
+ * php doc style comment
+ */
 
+/***
+comment with multiple stars uneven
+***/
 
-// another edge-case mentioned in NEOS-864
+/**
+comment with multiple stars even
+**/
+
+// another edge-case mentioned in NEOS-864 (no new line at the end)
 #include: Pages/**/*.fusion

Neos.Fusion/Tests/Unit/Core/Parser/ParserExceptionTest.php

@@ -11,6 +11,7 @@
  * source code.
  */
 
+use Neos\Fusion\Core\ObjectTreeParser\ExceptionMessage\MessageLinePart;
 use Neos\Fusion\Core\Parser;
 use Neos\Fusion\Core\Cache\ParserCache;
 use Neos\Fusion\Core\ObjectTreeParser\Exception\ParserException;
@@ -234,6 +235,11 @@ public function unclosedStatements(): \Generator
             'Unclosed comment.'
         ];
 
+        yield 'unclosed multiline comment with multiple stars' => [
+            '/***',
+            'Unclosed comment.'
+        ];
+
         yield 'unclosed eel expression' => [
             'a = ${',
             'Unclosed eel expression.'
@@ -326,4 +332,26 @@ public function itMatchesThePartialExceptionMessage($fusion, $expectedMessage):
             self::assertSame($expectedMessage, $e->getHelperMessagePart());
         }
     }
+
+    /**
+     * @test
+     */
+    public function messageLinePartWorks()
+    {
+        $part = new MessageLinePart('abcd');
+
+        self::assertSame('', $part->char(-5));
+        self::assertSame('a', $part->char(-4));
+        self::assertSame('b', $part->char(-3));
+        self::assertSame('c', $part->char(-2));
+        self::assertSame('d', $part->char(-1));
+        self::assertSame('a', $part->char());
+        self::assertSame('a', $part->char(0));
+        self::assertSame('b', $part->char(1));
+        self::assertSame('c', $part->char(2));
+        self::assertSame('d', $part->char(3));
+        self::assertSame('', $part->char(4));
+        self::assertSame('abcd', $part->line());
+        self::assertSame('bcd', $part->line(1));
+    }
 }

Neos.Media.Browser/Classes/Controller/AssetController.php

@@ -1025,15 +1025,11 @@ private function forwardWithConstraints(string $actionName, string $controllerNa
     private function checkForMaliciousContent(AssetProxyInterface $assetProxy): bool
     {
         if ($assetProxy->getMediaType() == 'image/svg+xml') {
-            // @todo: Simplify again when https://github.com/darylldoyle/svg-sanitizer/pull/90 is merged and released.
-            $previousXmlErrorHandling = libxml_use_internal_errors(true);
             $sanitizer = new Sanitizer();
 
             $resource = stream_get_contents($assetProxy->getImportStream());
 
             $sanitizer->sanitize($resource);
-            libxml_clear_errors();
-            libxml_use_internal_errors($previousXmlErrorHandling);
             $issues = $sanitizer->getXmlIssues();
             if ($issues && count($issues) > 0) {
                 return true;

Neos.Media.Browser/Resources/Private/Templates/Asset/Edit.html

@@ -57,14 +57,16 @@ <h2>{neos:backend.translate(id: 'connectionError', package: 'Neos.Media.Browser'
                                             </label>
                                         </f:for>
                                     </f:if>
-                                    <f:if condition="{assetCollections}">
-                                        <label>{neos:backend.translate(id: 'collections', package: 'Neos.Media.Browser')}</label>
-                                        <f:for each="{assetCollections}" as="assetCollection">
-                                            <label class="neos-checkbox neos-inline">
-                                                <m:form.checkbox property="assetCollections" multiple="TRUE" value="{assetCollection}" /><span></span> {assetCollection.title}
-                                            </label>
-                                        </f:for>
-                                    </f:if>
+                                    <f:security.ifAccess privilegeTarget="Neos.Media.Browser:ManageAssetCollections">
+                                        <f:if condition="{assetCollections}">
+                                            <label>{neos:backend.translate(id: 'collections', package: 'Neos.Media.Browser')}</label>
+                                            <f:for each="{assetCollections}" as="assetCollection">
+                                                <label class="neos-checkbox neos-inline">
+                                                    <m:form.checkbox property="assetCollections" multiple="TRUE" value="{assetCollection}" /><span></span> {assetCollection.title}
+                                                </label>
+                                            </f:for>
+                                        </f:if>
+                                    </f:security.ifAccess>
                                 </fieldset>
                                 <fieldset>
                                     <legend>{neos:backend.translate(id: 'metadata', package: 'Neos.Media.Browser')}</legend>

Neos.Media.Browser/composer.json

@@ -24,7 +24,7 @@
         "neos/error-messages": "*",
         "doctrine/common": "^2.7 || ^3.0",
         "doctrine/orm": "^2.6",
-        "enshrined/svg-sanitize": "^0.16.0"
+        "enshrined/svg-sanitize": "^0.17.0"
     },
     "autoload": {
         "psr-4": {

Neos.Neos/Classes/Fusion/Helper/BackendHelper.php

@@ -32,6 +32,7 @@ class BackendHelper implements ProtectedContextAwareInterface
      *
      *     Translation.id("mh").locale(Neos.Backend.interfaceLanguage()).translate()
      *
+     * @return string
      */
     public function interfaceLanguage(): string
     {

Neos.Neos/Documentation/Appendixes/ChangeLogs/7319.rst

@@ -0,0 +1,57 @@
+`7.3.19 (2024-01-15) <https://github.com/neos/neos-development-collection/releases/tag/7.3.19>`_
+================================================================================================
+
+Overview of merged pull requests
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`BUGFIX: Check SVG files for malicious code before providing original asset url links <https://github.com/neos/neos-development-collection/pull/4812>`_
+-------------------------------------------------------------------------------------------------------------------------------------------------------
+
+This adds a check in the preview of assets in the media module and checks for malicous content in svgs. If detected, the direct links to the original url get removed from the preview pages and a warning is shown.
+
+!`image <https://github.com/neos/neos-development-collection/assets/13046100/bb8a2b73-a251-499e-926a-1e6b866bbc87>`_
+
+Fixes https://github.com/neos/flow-development-collection/issues/3248
+
+* Packages: ``Neos`` ``Media.Browser``
+
+`BUGFIX: Resolve StyleCI issues <https://github.com/neos/neos-development-collection/pull/4820>`_
+-------------------------------------------------------------------------------------------------
+
+
+
+* Packages: ``Neos`` ``Fusion``
+
+`BUGFIX: node:repair fails with could not be converted to string <https://github.com/neos/neos-development-collection/pull/4795>`_
+----------------------------------------------------------------------------------------------------------------------------------
+
+Fixes the following crash during node:repair
+
+```shell
+./flow node:repair --dry-run --only removeBrokenEntityReferences
+Dry run, not committing any changes.
+
+Checking for broken entity references ...
+Object of class Neos\\Flow\\Persistence\\Doctrine\\Proxies\\__CG__\\Neos\\Media\\Domain\\Model\\ImageVariant could not be converted to string
+
+  Type: Error
+  File: Data/Temporary/Development/SubContextWbWeb/Cache/Code/Flow_Object_Classes/Neos_ContentRepository_Command_NodeCommandControllerPlugin.php
+  Line: 836
+```
+
+resolved `#4794 <https://github.com/neos/neos-development-collection/issues/4794>`_
+
+**Upgrade instructions**
+
+- [x] Code follows the PSR-2 coding style
+- ~~Tests have been created, run and adjusted as needed~~
+    - There are not tests in place and I added none.
+- [x] The PR is created against the `lowest maintained branch <https://www.neos.io/features/release-roadmap.html>`_ -> 7.3
+- [ ] Reviewer - PR Title is brief but complete and starts with ``FEATURE|TASK|BUGFIX``
+- [ ] Reviewer - The first section explains the change briefly for change-logs
+- [ ] Reviewer - Breaking Changes are marked with ``!!!`` and have upgrade-instructions
+
+* Packages: ``Neos`` ``ContentRepository``
+
+`Detailed log <https://github.com/neos/neos-development-collection/compare/7.3.18...7.3.19>`_
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~