From ea5da426e955a0451f42753bbc0849bba29ae4c9 Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen <sebastiaan@umbraco.com>
Date: Sat, 20 Feb 2021 17:20:35 +0100
Subject: [PATCH 01/12] Bump version to 8.12.0-rc

---
 src/SolutionInfo.cs                      | 4 ++--
 src/Umbraco.Web.UI/Umbraco.Web.UI.csproj | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/SolutionInfo.cs b/src/SolutionInfo.cs
index 3ecfd20f03..cab7b9a12b 100644
--- a/src/SolutionInfo.cs
+++ b/src/SolutionInfo.cs
@@ -18,5 +18,5 @@ using System.Resources;
 [assembly: AssemblyVersion("8.0.0")]
 
 // these are FYI and changed automatically
-[assembly: AssemblyFileVersion("8.11.1")]
-[assembly: AssemblyInformationalVersion("8.11.1")]
+[assembly: AssemblyFileVersion("8.12.0")]
+[assembly: AssemblyInformationalVersion("8.12.0-rc")]
diff --git a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
index 69bdeba643..6da1e7bcdf 100644
--- a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
+++ b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
@@ -347,9 +347,9 @@
         <WebProjectProperties>
           <UseIIS>False</UseIIS>
           <AutoAssignPort>True</AutoAssignPort>
-          <DevelopmentServerPort>8111</DevelopmentServerPort>
+          <DevelopmentServerPort>8120</DevelopmentServerPort>
           <DevelopmentServerVPath>/</DevelopmentServerVPath>
-          <IISUrl>http://localhost:8111</IISUrl>
+          <IISUrl>http://localhost:8120</IISUrl>
           <NTLMAuthentication>False</NTLMAuthentication>
           <UseCustomServer>False</UseCustomServer>
           <CustomServerUrl>

From ad0b70fc04354876132c2b1129ed0f8977689091 Mon Sep 17 00:00:00 2001
From: Chad <chad.d.currie@gmail.com>
Date: Sun, 21 Feb 2021 23:00:00 +1300
Subject: [PATCH 02/12] Speed up boot times and Improve Json (De)Serialization
 performance and reduce memory usage by reusing JsonSerializerSettings (#9670)

(cherry picked from commit 75ee3b96229d2fe5debfdf7fb274c321ae2342a8)
---
 .../ImageCropperValueConverter.cs             | 12 ++--
 .../NoTypeConverterJsonConverter.cs           |  5 +-
 .../JsonSerializerSettingsBenchmarks.cs       | 69 +++++++++++++++++++
 .../Umbraco.Tests.Benchmarks.csproj           |  1 +
 .../Editors/BackOfficeController.cs           |  6 +-
 .../ImageCropperTemplateExtensions.cs         | 14 ++--
 src/Umbraco.Web/Mvc/JsonNetResult.cs          |  9 +++
 .../MultiUrlPickerValueEditor.cs              | 11 +--
 .../NuCache/DataSource/DatabaseDataSource.cs  | 11 +--
 9 files changed, 112 insertions(+), 26 deletions(-)
 create mode 100644 src/Umbraco.Tests.Benchmarks/JsonSerializerSettingsBenchmarks.cs

diff --git a/src/Umbraco.Core/PropertyEditors/ValueConverters/ImageCropperValueConverter.cs b/src/Umbraco.Core/PropertyEditors/ValueConverters/ImageCropperValueConverter.cs
index 8926174c03..29e501f993 100644
--- a/src/Umbraco.Core/PropertyEditors/ValueConverters/ImageCropperValueConverter.cs
+++ b/src/Umbraco.Core/PropertyEditors/ValueConverters/ImageCropperValueConverter.cs
@@ -25,6 +25,12 @@ namespace Umbraco.Core.PropertyEditors.ValueConverters
         public override PropertyCacheLevel GetPropertyCacheLevel(IPublishedPropertyType propertyType)
             => PropertyCacheLevel.Element;
 
+        private static readonly JsonSerializerSettings ImageCropperValueJsonSerializerSettings = new JsonSerializerSettings
+        {
+            Culture = CultureInfo.InvariantCulture,
+            FloatParseHandling = FloatParseHandling.Decimal
+        };
+
         /// <inheritdoc />
         public override object ConvertSourceToIntermediate(IPublishedElement owner, IPublishedPropertyType propertyType, object source, bool preview)
         {
@@ -34,11 +40,7 @@ namespace Umbraco.Core.PropertyEditors.ValueConverters
             ImageCropperValue value;
             try
             {
-                value = JsonConvert.DeserializeObject<ImageCropperValue>(sourceString, new JsonSerializerSettings
-                {
-                    Culture = CultureInfo.InvariantCulture,
-                    FloatParseHandling = FloatParseHandling.Decimal
-                });
+                value = JsonConvert.DeserializeObject<ImageCropperValue>(sourceString, ImageCropperValueJsonSerializerSettings);
             }
             catch (Exception ex)
             {
diff --git a/src/Umbraco.Core/Serialization/NoTypeConverterJsonConverter.cs b/src/Umbraco.Core/Serialization/NoTypeConverterJsonConverter.cs
index b06ee870de..ab64d5b368 100644
--- a/src/Umbraco.Core/Serialization/NoTypeConverterJsonConverter.cs
+++ b/src/Umbraco.Core/Serialization/NoTypeConverterJsonConverter.cs
@@ -19,6 +19,7 @@ namespace Umbraco.Core.Serialization
     internal class NoTypeConverterJsonConverter<T> : JsonConverter
     {
         static readonly IContractResolver resolver = new NoTypeConverterContractResolver();
+        private static readonly JsonSerializerSettings JsonSerializerSettings = new JsonSerializerSettings { ContractResolver = resolver };
 
         private class NoTypeConverterContractResolver : DefaultContractResolver
         {
@@ -41,12 +42,12 @@ namespace Umbraco.Core.Serialization
 
         public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
         {
-            return JsonSerializer.CreateDefault(new JsonSerializerSettings { ContractResolver = resolver }).Deserialize(reader, objectType);
+            return JsonSerializer.CreateDefault(JsonSerializerSettings).Deserialize(reader, objectType);
         }
 
         public override void WriteJson(JsonWriter writer, object value, JsonSerializer serializer)
         {
-            JsonSerializer.CreateDefault(new JsonSerializerSettings { ContractResolver = resolver }).Serialize(writer, value);
+            JsonSerializer.CreateDefault(JsonSerializerSettings).Serialize(writer, value);
         }
     }
 }
diff --git a/src/Umbraco.Tests.Benchmarks/JsonSerializerSettingsBenchmarks.cs b/src/Umbraco.Tests.Benchmarks/JsonSerializerSettingsBenchmarks.cs
new file mode 100644
index 0000000000..7f419547bd
--- /dev/null
+++ b/src/Umbraco.Tests.Benchmarks/JsonSerializerSettingsBenchmarks.cs
@@ -0,0 +1,69 @@
+using BenchmarkDotNet.Attributes;
+using Newtonsoft.Json;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Umbraco.Tests.Benchmarks.Config;
+
+namespace Umbraco.Tests.Benchmarks
+{
+    [QuickRunConfig]
+    [MemoryDiagnoser]
+    public class JsonSerializerSettingsBenchmarks
+    {
+        [Benchmark]
+        public void SerializerSettingsInstantiation()
+        {
+            int instances = 1000;
+            for (int i = 0; i < instances; i++)
+            {
+                new JsonSerializerSettings();
+            }
+        }
+
+        [Benchmark(Baseline =true)]
+        public void SerializerSettingsSingleInstantiation()
+        {
+            new JsonSerializerSettings();
+        }
+
+//        // * Summary *
+
+//        BenchmarkDotNet=v0.11.3, OS=Windows 10.0.18362
+//Intel Core i5-8265U CPU 1.60GHz(Kaby Lake R), 1 CPU, 8 logical and 4 physical cores
+// [Host]     : .NET Framework 4.7.2 (CLR 4.0.30319.42000), 32bit LegacyJIT-v4.8.4250.0
+//  Job-JIATTD : .NET Framework 4.7.2 (CLR 4.0.30319.42000), 32bit LegacyJIT-v4.8.4250.0
+
+//IterationCount=3  IterationTime=100.0000 ms LaunchCount = 1
+//WarmupCount=3
+
+//                                Method |         Mean |        Error |      StdDev |  Ratio | RatioSD | Gen 0/1k Op | Gen 1/1k Op | Gen 2/1k Op | Allocated Memory/Op |
+//-------------------------------------- |-------------:|-------------:|------------:|-------:|--------:|------------:|------------:|------------:|--------------------:|
+//       SerializerSettingsInstantiation | 29,120.48 ns | 5,532.424 ns | 303.2508 ns | 997.84 |   23.66 |     73.8122 |           - |           - |            232346 B |
+// SerializerSettingsSingleInstantiation |     29.19 ns |     8.089 ns |   0.4434 ns |   1.00 |    0.00 |      0.0738 |           - |           - |               232 B |
+
+//// * Warnings *
+//MinIterationTime
+//  JsonSerializerSettingsBenchmarks.SerializerSettingsSingleInstantiation: IterationCount= 3, IterationTime= 100.0000 ms, LaunchCount= 1, WarmupCount= 3->MinIterationTime = 96.2493 ms which is very small. It's recommended to increase it.
+
+//// * Legends *
+//  Mean                : Arithmetic mean of all measurements
+//  Error               : Half of 99.9% confidence interval
+//  StdDev              : Standard deviation of all measurements
+//  Ratio               : Mean of the ratio distribution ([Current]/[Baseline])
+//  RatioSD             : Standard deviation of the ratio distribution([Current]/[Baseline])
+//  Gen 0/1k Op         : GC Generation 0 collects per 1k Operations
+//  Gen 1/1k Op         : GC Generation 1 collects per 1k Operations
+//  Gen 2/1k Op         : GC Generation 2 collects per 1k Operations
+//  Allocated Memory/Op : Allocated memory per single operation(managed only, inclusive, 1KB = 1024B)
+//  1 ns                : 1 Nanosecond(0.000000001 sec)
+
+//// * Diagnostic Output - MemoryDiagnoser *
+
+
+//        // ***** BenchmarkRunner: End *****
+//        Run time: 00:00:04 (4.88 sec), executed benchmarks: 2
+    }
+}
diff --git a/src/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj b/src/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
index 48d69cf757..58b45aa743 100644
--- a/src/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
+++ b/src/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
@@ -53,6 +53,7 @@
     <Compile Include="CtorInvokeBenchmarks.cs" />
     <Compile Include="HexStringBenchmarks.cs" />
     <Compile Include="EnumeratorBenchmarks.cs" />
+    <Compile Include="JsonSerializerSettingsBenchmarks.cs" />
     <Compile Include="LinqCastBenchmarks.cs" />
     <Compile Include="ModelToSqlExpressionHelperBenchmarks.cs" />
     <Compile Include="Program.cs" />
diff --git a/src/Umbraco.Web/Editors/BackOfficeController.cs b/src/Umbraco.Web/Editors/BackOfficeController.cs
index 458c76b3ae..92b67cbf1b 100644
--- a/src/Umbraco.Web/Editors/BackOfficeController.cs
+++ b/src/Umbraco.Web/Editors/BackOfficeController.cs
@@ -226,7 +226,7 @@ namespace Umbraco.Web.Editors
                 .ToDictionary(pv => pv.Key, pv =>
                     pv.ToDictionary(pve => pve.valueAlias, pve => pve.value));
 
-            return new JsonNetResult { Data = nestedDictionary, Formatting = Formatting.None };
+            return new JsonNetResult(JsonNetResult.DefaultJsonSerializerSettings) { Data = nestedDictionary, Formatting = Formatting.None };
         }
 
         /// <summary>
@@ -273,7 +273,7 @@ namespace Umbraco.Web.Editors
                     GetAssetList,
                     new TimeSpan(0, 2, 0));
 
-            return new JsonNetResult { Data = result, Formatting = Formatting.None };
+            return new JsonNetResult(JsonNetResult.DefaultJsonSerializerSettings) { Data = result, Formatting = Formatting.None };
         }
 
         [UmbracoAuthorize(Order = 0)]
@@ -281,7 +281,7 @@ namespace Umbraco.Web.Editors
         public JsonNetResult GetGridConfig()
         {
             var gridConfig = Current.Configs.Grids();
-            return new JsonNetResult { Data = gridConfig.EditorsConfig.Editors, Formatting = Formatting.None };
+            return new JsonNetResult(JsonNetResult.DefaultJsonSerializerSettings) { Data = gridConfig.EditorsConfig.Editors, Formatting = Formatting.None };
         }
 
 
diff --git a/src/Umbraco.Web/ImageCropperTemplateExtensions.cs b/src/Umbraco.Web/ImageCropperTemplateExtensions.cs
index 26dd2a5d36..78b55a8930 100644
--- a/src/Umbraco.Web/ImageCropperTemplateExtensions.cs
+++ b/src/Umbraco.Web/ImageCropperTemplateExtensions.cs
@@ -253,19 +253,20 @@ namespace Umbraco.Web
             ImageCropRatioMode? ratioMode = null,
             bool upScale = true) => ImageCropperTemplateCoreExtensions.GetCropUrl(imageUrl, Current.ImageUrlGenerator, cropDataSet, width, height, cropAlias, quality, imageCropMode, imageCropAnchor, preferFocalPoint, useCropDimensions, cacheBusterValue, furtherOptions, ratioMode, upScale);
 
+        private static readonly JsonSerializerSettings ImageCropperValueJsonSerializerSettings = new JsonSerializerSettings
+        {
+            Culture = CultureInfo.InvariantCulture,
+            FloatParseHandling = FloatParseHandling.Decimal
+        };
 
         internal static ImageCropperValue DeserializeImageCropperValue(this string json)
         {
-            var imageCrops = new ImageCropperValue();
+            ImageCropperValue imageCrops = null;
             if (json.DetectIsJson())
             {
                 try
                 {
-                    imageCrops = JsonConvert.DeserializeObject<ImageCropperValue>(json, new JsonSerializerSettings
-                    {
-                        Culture = CultureInfo.InvariantCulture,
-                        FloatParseHandling = FloatParseHandling.Decimal
-                    });
+                    imageCrops = JsonConvert.DeserializeObject<ImageCropperValue>(json, ImageCropperValueJsonSerializerSettings);
                 }
                 catch (Exception ex)
                 {
@@ -273,6 +274,7 @@ namespace Umbraco.Web
                 }
             }
 
+            imageCrops = imageCrops ?? new ImageCropperValue();
             return imageCrops;
         }
     }
diff --git a/src/Umbraco.Web/Mvc/JsonNetResult.cs b/src/Umbraco.Web/Mvc/JsonNetResult.cs
index da6780451e..3dd6c2f398 100644
--- a/src/Umbraco.Web/Mvc/JsonNetResult.cs
+++ b/src/Umbraco.Web/Mvc/JsonNetResult.cs
@@ -22,10 +22,19 @@ namespace Umbraco.Web.Mvc
         public JsonSerializerSettings SerializerSettings { get; set; }
         public Formatting Formatting { get; set; }
 
+        /// <summary>
+        /// Default, unchanged JsonSerializerSettings
+        /// </summary>
+        public static readonly JsonSerializerSettings DefaultJsonSerializerSettings = new JsonSerializerSettings();
+
         public JsonNetResult()
         {
             SerializerSettings = new JsonSerializerSettings();
         }
+        public JsonNetResult(JsonSerializerSettings jsonSerializerSettings)
+        {
+            SerializerSettings = jsonSerializerSettings;
+        }
 
         public override void ExecuteResult(ControllerContext context)
         {
diff --git a/src/Umbraco.Web/PropertyEditors/MultiUrlPickerValueEditor.cs b/src/Umbraco.Web/PropertyEditors/MultiUrlPickerValueEditor.cs
index 5a84e4b20c..560275b29a 100644
--- a/src/Umbraco.Web/PropertyEditors/MultiUrlPickerValueEditor.cs
+++ b/src/Umbraco.Web/PropertyEditors/MultiUrlPickerValueEditor.cs
@@ -121,6 +121,10 @@ namespace Umbraco.Web.PropertyEditors
             return base.ToEditor(property, dataTypeService, culture, segment);
         }
 
+        private static readonly JsonSerializerSettings LinkDisplayJsonSerializerSettings = new JsonSerializerSettings
+        {
+            NullValueHandling = NullValueHandling.Ignore
+        };
 
         public override object FromEditor(ContentPropertyData editorValue, object currentValue)
         {
@@ -142,11 +146,8 @@ namespace Umbraco.Web.PropertyEditors
                         Target = link.Target,
                         Udi = link.Udi,
                         Url = link.Udi == null ? link.Url : null, // only save the URL for external links
-                    },
-                    new JsonSerializerSettings
-                    {
-                        NullValueHandling = NullValueHandling.Ignore
-                    });
+                    }, LinkDisplayJsonSerializerSettings
+                    );
             }
             catch (Exception ex)
             {
diff --git a/src/Umbraco.Web/PublishedCache/NuCache/DataSource/DatabaseDataSource.cs b/src/Umbraco.Web/PublishedCache/NuCache/DataSource/DatabaseDataSource.cs
index f62014a368..f9ad0ac715 100644
--- a/src/Umbraco.Web/PublishedCache/NuCache/DataSource/DatabaseDataSource.cs
+++ b/src/Umbraco.Web/PublishedCache/NuCache/DataSource/DatabaseDataSource.cs
@@ -303,17 +303,18 @@ namespace Umbraco.Web.PublishedCache.NuCache.DataSource
             return s;
         }
 
+        private static readonly JsonSerializerSettings NestedContentDataJsonSerializerSettings = new JsonSerializerSettings
+            {
+                Converters = new List<JsonConverter> { new ForceInt32Converter() }
+            };
+
         private static ContentNestedData DeserializeNestedData(string data)
         {
             // by default JsonConvert will deserialize our numeric values as Int64
             // which is bad, because they were Int32 in the database - take care
 
-            var settings = new JsonSerializerSettings
-            {
-                Converters = new List<JsonConverter> { new ForceInt32Converter() }
-            };
 
-            return JsonConvert.DeserializeObject<ContentNestedData>(data, settings);
+            return JsonConvert.DeserializeObject<ContentNestedData>(data, NestedContentDataJsonSerializerSettings);
         }
     }
 }

From 64117921eada1761c93d6564b932441d92098c0c Mon Sep 17 00:00:00 2001
From: Shannon Deminick <sdeminick@gmail.com>
Date: Sun, 21 Feb 2021 22:03:28 +1100
Subject: [PATCH 03/12] Fixes: After deleting a member, a reindex is attempted,
 which fails (#9807)

(cherry picked from commit fa49d6ed1082dc0ad82ada8fb98c5281ed13271e)
---
 .../Cache/DistributedCacheExtensions.cs          |  5 ++++-
 src/Umbraco.Web/Cache/MemberCacheRefresher.cs    |  4 ++++
 src/Umbraco.Web/Search/ExamineComponent.cs       | 16 +++++++++++++---
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/src/Umbraco.Web/Cache/DistributedCacheExtensions.cs b/src/Umbraco.Web/Cache/DistributedCacheExtensions.cs
index f360d37d03..92a9dd6e98 100644
--- a/src/Umbraco.Web/Cache/DistributedCacheExtensions.cs
+++ b/src/Umbraco.Web/Cache/DistributedCacheExtensions.cs
@@ -135,7 +135,10 @@ namespace Umbraco.Web.Cache
         public static void RemoveMemberCache(this DistributedCache dc, params IMember[] members)
         {
             if (members.Length == 0) return;
-            dc.RefreshByPayload(MemberCacheRefresher.UniqueId, members.Select(x => new MemberCacheRefresher.JsonPayload(x.Id, x.Username)));
+            dc.RefreshByPayload(MemberCacheRefresher.UniqueId, members.Select(x => new MemberCacheRefresher.JsonPayload(x.Id, x.Username)
+            {
+                Removed = true
+            }));
         }
 
         #endregion
diff --git a/src/Umbraco.Web/Cache/MemberCacheRefresher.cs b/src/Umbraco.Web/Cache/MemberCacheRefresher.cs
index 736a858af3..48ae40ce3b 100644
--- a/src/Umbraco.Web/Cache/MemberCacheRefresher.cs
+++ b/src/Umbraco.Web/Cache/MemberCacheRefresher.cs
@@ -33,6 +33,10 @@ namespace Umbraco.Web.Cache
             public int Id { get; }
             public string Username { get; }
 
+            // TODO: In netcore change this to be get only and adjust the ctor. We cannot do that now since that
+            // is a breaking change due to only having a single jsonconstructor allowed.
+            public bool Removed { get; set; }
+
         }
 
         #region Define
diff --git a/src/Umbraco.Web/Search/ExamineComponent.cs b/src/Umbraco.Web/Search/ExamineComponent.cs
index c9d7b7cf56..eb6b81ba16 100644
--- a/src/Umbraco.Web/Search/ExamineComponent.cs
+++ b/src/Umbraco.Web/Search/ExamineComponent.cs
@@ -271,10 +271,20 @@ namespace Umbraco.Web.Search
                     break;
                 case MessageType.RefreshByPayload:
                     var payload = (MemberCacheRefresher.JsonPayload[])args.MessageObject;
-                    var members = payload.Select(x => _services.MemberService.GetById(x.Id));
-                    foreach(var m in members)
+                    foreach(var p in payload)
                     {
-                        ReIndexForMember(m);
+                        if (p.Removed)
+                        {
+                            DeleteIndexForEntity(p.Id, false);
+                        }
+                        else
+                        {
+                            var m = _services.MemberService.GetById(p.Id);
+                            if (m != null)
+                            {
+                                ReIndexForMember(m);
+                            }
+                        }
                     }
                     break;
                 case MessageType.RefreshAll:

From 388e0283bc2b493a8c285f45d0bdbbea088fef20 Mon Sep 17 00:00:00 2001
From: Chad <chad.d.currie@gmail.com>
Date: Mon, 22 Feb 2021 21:53:53 +1300
Subject: [PATCH 04/12] Fixes #9615 - Upgrade to Htmlsanitizer v5 (#9856)

(cherry picked from commit a6e1c2e90170dc796a2ed5f601b59f7d1a94a9a9)
---
 build/NuSpecs/UmbracoCms.Web.nuspec           |  1 +
 src/Umbraco.Core/Constants-SvgSanitizer.cs    | 23 +++++++++++++++++++
 src/Umbraco.Core/Umbraco.Core.csproj          |  1 +
 src/Umbraco.Web/Runtime/WebInitialComposer.cs |  9 ++++++++
 src/Umbraco.Web/Services/IconService.cs       | 22 ++++++++----------
 src/Umbraco.Web/Umbraco.Web.csproj            |  7 ++++--
 6 files changed, 48 insertions(+), 15 deletions(-)
 create mode 100644 src/Umbraco.Core/Constants-SvgSanitizer.cs

diff --git a/build/NuSpecs/UmbracoCms.Web.nuspec b/build/NuSpecs/UmbracoCms.Web.nuspec
index e0ffd57aff..fc31551d6c 100644
--- a/build/NuSpecs/UmbracoCms.Web.nuspec
+++ b/build/NuSpecs/UmbracoCms.Web.nuspec
@@ -42,6 +42,7 @@
                 <dependency id="Microsoft.Owin.Security.Cookies" version="[4.0.1,4.999999)" />
                 <dependency id="Microsoft.Owin.Security.OAuth" version="[4.0.1,4.999999)" />
                 <dependency id="System.Threading.Tasks.Dataflow" version="[4.9.0,4.999999)" />
+                <dependency id="HtmlSanitizer" version="[5.0.376,5.999999)" />
 
             </group>
 
diff --git a/src/Umbraco.Core/Constants-SvgSanitizer.cs b/src/Umbraco.Core/Constants-SvgSanitizer.cs
new file mode 100644
index 0000000000..c92b9f56c7
--- /dev/null
+++ b/src/Umbraco.Core/Constants-SvgSanitizer.cs
@@ -0,0 +1,23 @@
+using System.Collections.Generic;
+
+namespace Umbraco.Core
+{
+    public static partial class Constants
+    {
+        /// <summary>
+        /// Defines the alias identifiers for Umbraco's core application sections.
+        /// </summary>
+        public static class SvgSanitizer
+        {
+            /// <summary>
+            /// Allowlist for SVG attributes.
+            /// </summary>
+            public static readonly IList<string> Attributes = new [] { "accent-height", "accumulate", "additive", "alignment-baseline", "allowReorder", "alphabetic", "amplitude", "arabic-form", "ascent", "attributeName", "attributeType", "autoReverse", "azimuth", "baseFrequency", "baseline-shift", "baseProfile", "bbox", "begin", "bias", "by", "calcMode", "cap-height", "class", "clip", "clipPathUnits", "clip-path", "clip-rule", "color", "color-interpolation", "color-interpolation-filters", "color-profile", "color-rendering", "contentScriptType", "contentStyleType", "cursor", "cx", "cy", "d", "decelerate", "descent", "diffuseConstant", "direction", "display", "divisor", "dominant-baseline", "dur", "dx", "dy", "edgeMode", "elevation", "enable-background", "end", "exponent", "externalResourcesRequired", "Section", "fill", "fill-opacity", "fill-rule", "filter", "filterRes", "filterUnits", "flood-color", "flood-opacity", "font-family", "font-size", "font-size-adjust", "font-stretch", "font-style", "font-variant", "font-weight", "format", "from", "fr", "fx", "fy", "g1", "g2", "glyph-name", "glyph-orientation-horizontal", "glyph-orientation-vertical", "glyphRef", "gradientTransform", "gradientUnits", "hanging", "height", "href", "hreflang", "horiz-adv-x", "horiz-origin-x", "ISection", "id", "ideographic", "image-rendering", "in", "in2", "intercept", "k", "k1", "k2", "k3", "k4", "kernelMatrix", "kernelUnitLength", "kerning", "keyPoints", "keySplines", "keyTimes", "lang", "lengthAdjust", "letter-spacing", "lighting-color", "limitingConeAngle", "local", "MSection", "marker-end", "marker-mid", "marker-start", "markerHeight", "markerUnits", "markerWidth", "mask", "maskContentUnits", "maskUnits", "mathematical", "max", "media", "method", "min", "mode", "NSection", "name", "numOctaves", "offset", "opacity", "operator", "order", "orient", "orientation", "origin", "overflow", "overline-position", "overline-thickness", "panose-1", "paint-order", "path", "pathLength", "patternContentUnits", "patternTransform", "patternUnits", "ping", "pointer-events", "points", "pointsAtX", "pointsAtY", "pointsAtZ", "preserveAlpha", "preserveAspectRatio", "primitiveUnits", "r", "radius", "referrerPolicy", "refX", "refY", "rel", "rendering-intent", "repeatCount", "repeatDur", "requiredExtensions", "requiredFeatures", "restart", "result", "rotate", "rx", "ry", "scale", "seed", "shape-rendering", "slope", "spacing", "specularConstant", "specularExponent", "speed", "spreadMethod", "startOffset", "stdDeviation", "stemh", "stemv", "stitchTiles", "stop-color", "stop-opacity", "strikethrough-position", "strikethrough-thickness", "string", "stroke", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke-width", "style", "surfaceScale", "systemLanguage", "tabindex", "tableValues", "target", "targetX", "targetY", "text-anchor", "text-decoration", "text-rendering", "textLength", "to", "transform", "type", "u1", "u2", "underline-position", "underline-thickness", "unicode", "unicode-bidi", "unicode-range", "units-per-em", "v-alphabetic", "v-hanging", "v-ideographic", "v-mathematical", "values", "vector-effect", "version", "vert-adv-y", "vert-origin-x", "vert-origin-y", "viewBox", "viewTarget", "visibility", "width", "widths", "word-spacing", "writing-mode", "x", "x-height", "x1", "x2", "xChannelSelector", "xlink:actuate", "xlink:arcrole", "xlink:href", "xlink:role", "xlink:show", "xlink:title", "xlink:type", "xml:base", "xml:lang", "xml:space", "y", "y1", "y2", "yChannelSelector", "z", "zoomAndPan" };
+
+            /// <summary>
+            /// Allowlist for SVG tabs.
+            /// </summary>
+            public static readonly IList<string> Tags = new [] { "a", "altGlyph", "altGlyphDef", "altGlyphItem", "animate", "animateColor", "animateMotion", "animateTransform", "circle", "clipPath", "color-profile", "cursor", "defs", "desc", "discard", "ellipse", "feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDistantLight", "feDropShadow", "feFlood", "feFuncA", "feFuncB", "feFuncG", "feFuncR", "feGaussianBlur", "feImage", "feMerge", "feMergeNode", "feMorphology", "feOffset", "fePointLight", "feSpecularLighting", "feSpotLight", "feTile", "feTurbulence", "filter", "font", "font-face", "font-face-format", "font-face-name", "font-face-src", "font-face-uri", "foreignObject", "g", "glyph", "glyphRef", "hatch", "hatchpath", "hkern", "image", "line", "linearGradient", "marker", "mask", "mesh", "meshgradient", "meshpatch", "meshrow", "metadata", "missing-glyph", "mpath", "path", "pattern", "polygon", "polyline", "radialGradient", "rect", "set", "solidcolor", "stop", "svg", "switch", "symbol", "text", "textPath", "title", "tref", "tspan", "unknown", "use", "view", "vkern" };
+        }
+    }
+}
diff --git a/src/Umbraco.Core/Umbraco.Core.csproj b/src/Umbraco.Core/Umbraco.Core.csproj
index b98ad64f7a..832b8a5801 100755
--- a/src/Umbraco.Core/Umbraco.Core.csproj
+++ b/src/Umbraco.Core/Umbraco.Core.csproj
@@ -256,6 +256,7 @@
     <Compile Include="CompositionExtensions_Essentials.cs" />
     <Compile Include="CompositionExtensions_FileSystems.cs" />
     <Compile Include="CompositionExtensions_Uniques.cs" />
+    <Compile Include="Constants-SvgSanitizer.cs" />
     <Compile Include="Exceptions\PanicException.cs" />
     <Compile Include="FactoryExtensions.cs" />
     <Compile Include="Composing\RegisterFactory.cs" />
diff --git a/src/Umbraco.Web/Runtime/WebInitialComposer.cs b/src/Umbraco.Web/Runtime/WebInitialComposer.cs
index ac7e34d5cb..b15641b503 100644
--- a/src/Umbraco.Web/Runtime/WebInitialComposer.cs
+++ b/src/Umbraco.Web/Runtime/WebInitialComposer.cs
@@ -40,6 +40,7 @@ using Current = Umbraco.Web.Composing.Current;
 using Umbraco.Web.PropertyEditors;
 using Umbraco.Core.Models;
 using Umbraco.Web.Models;
+using Ganss.XSS;
 
 namespace Umbraco.Web.Runtime
 {
@@ -139,6 +140,14 @@ namespace Umbraco.Web.Runtime
             composition.RegisterUnique<ISectionService, SectionService>();
             composition.RegisterUnique<IDashboardService, DashboardService>();
             composition.RegisterUnique<IIconService, IconService>();
+            composition.Register<IHtmlSanitizer>(_ =>
+            {
+                var sanitizer = new HtmlSanitizer();
+                sanitizer.AllowedAttributes.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Attributes);
+                sanitizer.AllowedCssProperties.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Attributes);
+                sanitizer.AllowedTags.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Tags);
+                return sanitizer;
+            },Lifetime.Singleton);
 
             composition.RegisterUnique<IExamineManager>(factory => ExamineManager.Instance);
 
diff --git a/src/Umbraco.Web/Services/IconService.cs b/src/Umbraco.Web/Services/IconService.cs
index a74fa909e0..175650fd12 100644
--- a/src/Umbraco.Web/Services/IconService.cs
+++ b/src/Umbraco.Web/Services/IconService.cs
@@ -1,6 +1,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using Ganss.XSS;
 using Umbraco.Core;
 using Umbraco.Core.Configuration;
 using Umbraco.Core.IO;
@@ -12,31 +13,24 @@ namespace Umbraco.Web.Services
     public class IconService : IIconService
     {
         private readonly IGlobalSettings _globalSettings;
+        private readonly IHtmlSanitizer _htmlSanitizer;
 
-        public IconService(IGlobalSettings globalSettings)
+        public IconService(IGlobalSettings globalSettings, IHtmlSanitizer htmlSanitizer)
         {
             _globalSettings = globalSettings;
+            _htmlSanitizer = htmlSanitizer;
         }
 
 
         /// <inheritdoc />
         public IList<IconModel> GetAllIcons()
         {
-            var icons = new List<IconModel>();
             var directory = new DirectoryInfo(IOHelper.MapPath($"{_globalSettings.IconsPath}/"));
             var iconNames = directory.GetFiles("*.svg");
 
-            iconNames.OrderBy(f => f.Name).ToList().ForEach(iconInfo =>
-            {
-                var icon = GetIcon(iconInfo);
+            return iconNames.OrderBy(f => f.Name)
+                .Select(iconInfo => GetIcon(iconInfo)).WhereNotNull().ToList();
 
-                if (icon != null)
-                {
-                    icons.Add(icon);
-                }
-            });
-
-            return icons;
         }
 
         /// <inheritdoc />
@@ -70,10 +64,12 @@ namespace Umbraco.Web.Services
             try
             {
                 var svgContent = System.IO.File.ReadAllText(iconPath);
+                var sanitizedString = _htmlSanitizer.Sanitize(svgContent);
+
                 var svg = new IconModel
                 {
                     Name = iconName,
-                    SvgString = svgContent
+                    SvgString = sanitizedString
                 };
 
                 return svg;
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index 80c8d19a58..ca29e69991 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -65,6 +65,9 @@
     <PackageReference Include="CSharpTest.Net.Collections" Version="14.906.1403.1082" />
     <PackageReference Include="Examine" Version="1.1.0" />
     <PackageReference Include="HtmlAgilityPack" Version="1.8.14" />
+    <PackageReference Include="HtmlSanitizer">
+      <Version>5.0.376</Version>
+    </PackageReference>
     <PackageReference Include="ImageProcessor">
       <Version>2.7.0.100</Version>
     </PackageReference>
@@ -1293,7 +1296,7 @@
     </PropertyGroup>
     <ItemGroup>
       <!-- we want to exclude all facade references ?! -->
-      <FixedReferencePath Include="@(ReferencePath)" Condition="'%(ReferencePath.FileName)' != 'System.ValueTuple' and '%(ReferencePath.FileName)' != 'System.Net.Http'" />
+      <FixedReferencePath Include="@(ReferencePath)" Condition="'%(ReferencePath.FileName)' != 'System.ValueTuple' and '%(ReferencePath.FileName)' != 'System.Net.Http' and '%(ReferencePath.FileName)' != 'System.Text.Encoding.CodePages'" />
     </ItemGroup>
     <Delete Files="$(TargetDir)$(TargetName).XmlSerializers.dll" ContinueOnError="true" />
     <!--
@@ -1303,4 +1306,4 @@
       <Output TaskParameter="SerializationAssembly" ItemName="SerializationAssembly" />
     </SGen>
   </Target>
-</Project>
\ No newline at end of file
+</Project>

From 2cedf435a97982b2e78c45602451060238194dc8 Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen <sebastiaan@umbraco.com>
Date: Mon, 22 Feb 2021 16:41:19 +0100
Subject: [PATCH 05/12] Fix error where the SQL for setting the timeout was
 missing a crucial space.

---
 .../Persistence/SqlSyntax/SqlServerSyntaxProvider.cs            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Umbraco.Core/Persistence/SqlSyntax/SqlServerSyntaxProvider.cs b/src/Umbraco.Core/Persistence/SqlSyntax/SqlServerSyntaxProvider.cs
index 372b6837bc..a038d06121 100644
--- a/src/Umbraco.Core/Persistence/SqlSyntax/SqlServerSyntaxProvider.cs
+++ b/src/Umbraco.Core/Persistence/SqlSyntax/SqlServerSyntaxProvider.cs
@@ -281,7 +281,7 @@ where tbl.[name]=@0 and col.[name]=@1;", tableName, columnName)
 
         private static void ObtainWriteLock(IDatabase db, TimeSpan timeout, int lockId)
         {
-            db.Execute("SET LOCK_TIMEOUT" + timeout.TotalMilliseconds + ";");
+            db.Execute("SET LOCK_TIMEOUT " + timeout.TotalMilliseconds + ";");
             var i = db.Execute(
                 @"UPDATE umbracoLock WITH (REPEATABLEREAD) SET value = (CASE WHEN (value=1) THEN -1 ELSE 1 END) WHERE id=@id",
                 new {id = lockId});

From 5ee98919bc9efd94849b71712d45ee68f36e8a82 Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen <sebastiaan@umbraco.com>
Date: Mon, 22 Feb 2021 17:22:04 +0100
Subject: [PATCH 06/12] Fix test where selector wasn't specific enough

---
 .../cypress/integration/Content/content.ts                      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Umbraco.Tests.AcceptanceTest/cypress/integration/Content/content.ts b/src/Umbraco.Tests.AcceptanceTest/cypress/integration/Content/content.ts
index 22f1f883d0..1a40e8451f 100644
--- a/src/Umbraco.Tests.AcceptanceTest/cypress/integration/Content/content.ts
+++ b/src/Umbraco.Tests.AcceptanceTest/cypress/integration/Content/content.ts
@@ -574,7 +574,7 @@ context('Content', () => {
 
         // Create content with content picker
         cy.get('.umb-tree-root-link').rightclick();
-        cy.get('.-opens-dialog > .umb-action-link').click();
+        cy.get('[data-element="action-create"]').click();
         cy.get('[data-element="action-create-' + pickerDocTypeAlias + '"] > .umb-action-link').click();
         // Fill out content
         cy.umbracoEditorHeaderName('ContentPickerContent');

From e3dc017d7ec39861bd65d7cb6580e243c01e59af Mon Sep 17 00:00:00 2001
From: Shannon <sdeminick@gmail.com>
Date: Tue, 23 Feb 2021 10:41:00 +1100
Subject: [PATCH 07/12] Keep custom claims that are flowed from autolinking

When auto linking with callbacks such as OnExternalLogin, custom claims can be added to the user which are flowed to the auth ticket/identity.
However, when the security stamp validator executes, the identity is re-created manually without any knowledge of those custom claims so
they are lost. This ensures that those custom claims flow through to the re-generated identity during the security stamp validation phase.
---
 .../Security/AppBuilderExtensions.cs          | 23 ++++++++++---
 .../BackOfficeClaimsIdentityFactory.cs        | 12 +++----
 .../Security/ClaimsIdentityExtensions.cs      | 34 +++++++++++++++++++
 src/Umbraco.Web/Umbraco.Web.csproj            |  1 +
 4 files changed, 58 insertions(+), 12 deletions(-)
 create mode 100644 src/Umbraco.Web/Security/ClaimsIdentityExtensions.cs

diff --git a/src/Umbraco.Web/Security/AppBuilderExtensions.cs b/src/Umbraco.Web/Security/AppBuilderExtensions.cs
index 8f33f10eea..ca92de49eb 100644
--- a/src/Umbraco.Web/Security/AppBuilderExtensions.cs
+++ b/src/Umbraco.Web/Security/AppBuilderExtensions.cs
@@ -169,11 +169,24 @@ namespace Umbraco.Web.Security
                 // Enables the application to validate the security stamp when the user
                 // logs in. This is a security feature which is used when you
                 // change a password or add an external login to your account.
-                OnValidateIdentity = SecurityStampValidator
-                    .OnValidateIdentity<BackOfficeUserManager, BackOfficeIdentityUser, int>(
-                        TimeSpan.FromMinutes(30),
-                        (manager, user) => manager.GenerateUserIdentityAsync(user),
-                        identity => identity.GetUserId<int>()),
+                OnValidateIdentity = context =>
+                {
+                    var identity = context.Identity;
+
+                    return SecurityStampValidator
+                        .OnValidateIdentity<BackOfficeUserManager, BackOfficeIdentityUser, int>(
+                        TimeSpan.FromMinutes(3),
+                        async (manager, user) =>
+                        {
+                            var regenerated = await manager.GenerateUserIdentityAsync(user);
+
+                            // Keep any custom claims from the original identity
+                            regenerated.MergeClaimsFromBackOfficeIdentity(identity);
+
+                            return regenerated;
+                        },
+                        identity => identity.GetUserId<int>())(context);
+                }
 
             };
 
diff --git a/src/Umbraco.Web/Security/BackOfficeClaimsIdentityFactory.cs b/src/Umbraco.Web/Security/BackOfficeClaimsIdentityFactory.cs
index d61d2ea711..2883ae8faf 100644
--- a/src/Umbraco.Web/Security/BackOfficeClaimsIdentityFactory.cs
+++ b/src/Umbraco.Web/Security/BackOfficeClaimsIdentityFactory.cs
@@ -27,12 +27,6 @@ namespace Umbraco.Web.Security
         {
             var baseIdentity = await base.CreateAsync(manager, user, authenticationType);
 
-            // now we can flow any custom claims that the actual user has currently assigned which could be done in the OnExternalLogin callback
-            foreach (var claim in user.Claims)
-            {
-                baseIdentity.AddClaim(new Claim(claim.ClaimType, claim.ClaimValue));
-            }
-
             var umbracoIdentity = new UmbracoBackOfficeIdentity(baseIdentity,
                 user.Id,
                 user.UserName,
@@ -40,12 +34,16 @@ namespace Umbraco.Web.Security
                 user.CalculatedContentStartNodeIds,
                 user.CalculatedMediaStartNodeIds,
                 user.Culture,
-                //NOTE - there is no session id assigned here, this is just creating the identity, a session id will be generated when the cookie is written
+                // NOTE - there is no session id assigned here, this is just creating the identity, a session id will be generated when the cookie is written
                 Guid.NewGuid().ToString(),
                 user.SecurityStamp,
                 user.AllowedSections,
                 user.Roles.Select(x => x.RoleId).ToArray());
 
+            // now we can flow any custom claims that the actual user has currently
+            // assigned which could be done in the OnExternalLogin callback
+            umbracoIdentity.MergeClaimsFromBackOfficeIdentity(user);
+
             return umbracoIdentity;
         }
     }
diff --git a/src/Umbraco.Web/Security/ClaimsIdentityExtensions.cs b/src/Umbraco.Web/Security/ClaimsIdentityExtensions.cs
new file mode 100644
index 0000000000..aa8549462d
--- /dev/null
+++ b/src/Umbraco.Web/Security/ClaimsIdentityExtensions.cs
@@ -0,0 +1,34 @@
+using System.Linq;
+using System.Security.Claims;
+using Umbraco.Core.Models.Identity;
+using Constants = Umbraco.Core.Constants;
+
+namespace Umbraco.Web.Security
+{
+    internal static class ClaimsIdentityExtensions
+    {
+        // Ignore these Claims when merging, these claims are dynamically added whenever the ticket
+        // is re-issued and we don't want to merge old values of these.
+        private static readonly string[] IgnoredClaims = new[] { ClaimTypes.CookiePath, Constants.Security.SessionIdClaimType };
+
+        internal static void MergeClaimsFromBackOfficeIdentity(this ClaimsIdentity destination, ClaimsIdentity source)
+        {
+            foreach (var claim in source.Claims
+                .Where(claim => !IgnoredClaims.Contains(claim.Type))
+                .Where(claim => !destination.HasClaim(claim.Type, claim.Value)))
+            {
+                destination.AddClaim(new Claim(claim.Type, claim.Value));
+            }
+        }
+
+        internal static void MergeClaimsFromBackOfficeIdentity(this ClaimsIdentity destination, BackOfficeIdentityUser source)
+        {
+            foreach (var claim in source.Claims
+                .Where(claim => !IgnoredClaims.Contains(claim.ClaimType))
+                .Where(claim => !destination.HasClaim(claim.ClaimType, claim.ClaimValue)))
+            {
+                destination.AddClaim(new Claim(claim.ClaimType, claim.ClaimValue));
+            }
+        }
+    }
+}
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index 16068b66f0..8717ca6a13 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -288,6 +288,7 @@
     <Compile Include="Security\BackOfficeExternalLoginProviderErrorMiddlware.cs" />
     <Compile Include="Security\BackOfficeExternalLoginProviderErrors.cs" />
     <Compile Include="Security\BackOfficeExternalLoginProviderOptions.cs" />
+    <Compile Include="Security\ClaimsIdentityExtensions.cs" />
     <Compile Include="Security\SignOutAuditEventArgs.cs" />
     <Compile Include="Security\UserInviteEventArgs.cs" />
     <Compile Include="Services\DashboardService.cs" />

From 27d94f1ca661af03a4ff6dfe63abcd4e5d856227 Mon Sep 17 00:00:00 2001
From: Shannon <sdeminick@gmail.com>
Date: Tue, 23 Feb 2021 11:25:27 +1100
Subject: [PATCH 08/12] removes testing timeout so it stays as it was

---
 src/Umbraco.Web/Security/AppBuilderExtensions.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Umbraco.Web/Security/AppBuilderExtensions.cs b/src/Umbraco.Web/Security/AppBuilderExtensions.cs
index ca92de49eb..a8dd84ef54 100644
--- a/src/Umbraco.Web/Security/AppBuilderExtensions.cs
+++ b/src/Umbraco.Web/Security/AppBuilderExtensions.cs
@@ -175,7 +175,7 @@ namespace Umbraco.Web.Security
 
                     return SecurityStampValidator
                         .OnValidateIdentity<BackOfficeUserManager, BackOfficeIdentityUser, int>(
-                        TimeSpan.FromMinutes(3),
+                        TimeSpan.FromMinutes(30),
                         async (manager, user) =>
                         {
                             var regenerated = await manager.GenerateUserIdentityAsync(user);

From 2bb8b02233c837ab098f1a52d1a22b131343d7db Mon Sep 17 00:00:00 2001
From: Shannon <sdeminick@gmail.com>
Date: Tue, 23 Feb 2021 11:28:42 +1100
Subject: [PATCH 09/12] adds notes

---
 src/Umbraco.Web/Security/AppBuilderExtensions.cs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/Umbraco.Web/Security/AppBuilderExtensions.cs b/src/Umbraco.Web/Security/AppBuilderExtensions.cs
index a8dd84ef54..23afc36f93 100644
--- a/src/Umbraco.Web/Security/AppBuilderExtensions.cs
+++ b/src/Umbraco.Web/Security/AppBuilderExtensions.cs
@@ -171,10 +171,17 @@ namespace Umbraco.Web.Security
                 // change a password or add an external login to your account.
                 OnValidateIdentity = context =>
                 {
+                    // capture the current ticket for the request
                     var identity = context.Identity;
 
                     return SecurityStampValidator
                         .OnValidateIdentity<BackOfficeUserManager, BackOfficeIdentityUser, int>(
+                        // This will re-verify the security stamp at a throttled 30 mins
+                        // (the standard/default set in aspnet identity).
+                        // This ensures that if the security stamp has changed - i.e. passwords,
+                        // external logins, or other security profile data changed behind the
+                        // scenes while being logged in, that they are logged out and have
+                        // to re-verify their identity.
                         TimeSpan.FromMinutes(30),
                         async (manager, user) =>
                         {

From 7bb18f1cc3aa1385c39aa58e14f5c2ff4ab26136 Mon Sep 17 00:00:00 2001
From: Shannon <sdeminick@gmail.com>
Date: Wed, 24 Feb 2021 16:55:00 +1100
Subject: [PATCH 10/12] Fixes the Sql server SET LOCK_TIMEOUT call which was
 missing a space.

---
 .../Persistence/SqlSyntax/SqlServerSyntaxProvider.cs            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Umbraco.Core/Persistence/SqlSyntax/SqlServerSyntaxProvider.cs b/src/Umbraco.Core/Persistence/SqlSyntax/SqlServerSyntaxProvider.cs
index 372b6837bc..a038d06121 100644
--- a/src/Umbraco.Core/Persistence/SqlSyntax/SqlServerSyntaxProvider.cs
+++ b/src/Umbraco.Core/Persistence/SqlSyntax/SqlServerSyntaxProvider.cs
@@ -281,7 +281,7 @@ where tbl.[name]=@0 and col.[name]=@1;", tableName, columnName)
 
         private static void ObtainWriteLock(IDatabase db, TimeSpan timeout, int lockId)
         {
-            db.Execute("SET LOCK_TIMEOUT" + timeout.TotalMilliseconds + ";");
+            db.Execute("SET LOCK_TIMEOUT " + timeout.TotalMilliseconds + ";");
             var i = db.Execute(
                 @"UPDATE umbracoLock WITH (REPEATABLEREAD) SET value = (CASE WHEN (value=1) THEN -1 ELSE 1 END) WHERE id=@id",
                 new {id = lockId});

From e848e396af66fba35571d2b768bb698dec8e4534 Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen <sebastiaan@umbraco.com>
Date: Mon, 1 Mar 2021 13:20:58 +0100
Subject: [PATCH 11/12] Don't auto focus on the third menu item

---
 src/Umbraco.Web.UI.Client/src/views/documenttypes/create.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Umbraco.Web.UI.Client/src/views/documenttypes/create.html b/src/Umbraco.Web.UI.Client/src/views/documenttypes/create.html
index f9e2402dc6..e370c30581 100644
--- a/src/Umbraco.Web.UI.Client/src/views/documenttypes/create.html
+++ b/src/Umbraco.Web.UI.Client/src/views/documenttypes/create.html
@@ -23,7 +23,7 @@
                     </button>
                 </li>
                 <li data-element="action-documentTypeWithIsElementTypeChecked" class="umb-action">
-                    <button type="button" ng-click="createElement()" class="umb-action-link umb-outline btn-reset" umb-auto-focus>
+                    <button type="button" ng-click="createElement()" class="umb-action-link umb-outline btn-reset">
                         <i class="large icon icon-science" aria-hidden="true"></i>
                         <span class="menu-label">
                             <localize key="create_elementType">Element Type</localize>

From 8004c8dfd30af20189618424bb7cd4bf7c4824b8 Mon Sep 17 00:00:00 2001
From: Bjarke Berg <mail@bergmania.dk>
Date: Wed, 24 Feb 2021 08:17:49 +0100
Subject: [PATCH 12/12] Merge pull request #9441 from
 umbraco/v8/bugfix/explicit-scope-examine

Ensure there's explicit scopes used for all service access in the Examine indexing logic

(cherry picked from commit 3e7f912fcdb9bd7a874370839fad6797dcf16c55)
---
 .../Services/Implement/PublicAccessService.cs |  6 +-
 .../ContentValueSetValidator.cs               | 47 ++++++++---
 .../UmbracoContentValueSetValidatorTests.cs   | 81 +++++++++++++++----
 src/Umbraco.Web/Search/ExamineComponent.cs    | 67 +++++++++------
 4 files changed, 145 insertions(+), 56 deletions(-)

diff --git a/src/Umbraco.Core/Services/Implement/PublicAccessService.cs b/src/Umbraco.Core/Services/Implement/PublicAccessService.cs
index ab9ea64292..06570da725 100644
--- a/src/Umbraco.Core/Services/Implement/PublicAccessService.cs
+++ b/src/Umbraco.Core/Services/Implement/PublicAccessService.cs
@@ -62,12 +62,10 @@ namespace Umbraco.Core.Services.Implement
             //start with the deepest id
             ids.Reverse();
 
-            using (var scope = ScopeProvider.CreateScope())
+            using (var scope = ScopeProvider.CreateScope(autoComplete: true))
             {
                 //This will retrieve from cache!
-                var entries = _publicAccessRepository.GetMany().ToArray();
-
-                scope.Complete();
+                var entries = _publicAccessRepository.GetMany().ToList();
                 foreach (var id in ids)
                 {
                     var found = entries.FirstOrDefault(x => x.ProtectedNodeId == id);
diff --git a/src/Umbraco.Examine/ContentValueSetValidator.cs b/src/Umbraco.Examine/ContentValueSetValidator.cs
index 9555566c53..f702e8197d 100644
--- a/src/Umbraco.Examine/ContentValueSetValidator.cs
+++ b/src/Umbraco.Examine/ContentValueSetValidator.cs
@@ -4,7 +4,9 @@ using System.Linq;
 using Examine;
 using Examine.LuceneEngine.Providers;
 using Umbraco.Core;
+using Umbraco.Core.Composing;
 using Umbraco.Core.Models;
+using Umbraco.Core.Scoping;
 using Umbraco.Core.Services;
 
 namespace Umbraco.Examine
@@ -15,9 +17,9 @@ namespace Umbraco.Examine
     public class ContentValueSetValidator : ValueSetValidator, IContentValueSetValidator
     {
         private readonly IPublicAccessService _publicAccessService;
-
+        private readonly IScopeProvider _scopeProvider;
         private const string PathKey = "path";
-        private static readonly IEnumerable<string> ValidCategories = new[] {IndexTypes.Content, IndexTypes.Media};
+        private static readonly IEnumerable<string> ValidCategories = new[] { IndexTypes.Content, IndexTypes.Media };
         protected override IEnumerable<string> ValidIndexCategories => ValidCategories;
 
         public bool PublishedValuesOnly { get; }
@@ -53,25 +55,38 @@ namespace Umbraco.Examine
 
         public bool ValidateProtectedContent(string path, string category)
         {
-            if (category == IndexTypes.Content
-                && !SupportProtectedContent
-                //if the service is null we can't look this up so we'll return false
-                && (_publicAccessService == null || _publicAccessService.IsProtected(path)))
+            if (category == IndexTypes.Content && !SupportProtectedContent)
             {
-                return false;
+                //if the service is null we can't look this up so we'll return false
+                if (_publicAccessService == null || _scopeProvider == null)
+                {
+                    return false;
+                }
+
+                // explicit scope since we may be in a background thread
+                using (_scopeProvider.CreateScope(autoComplete: true))
+                {
+                    if (_publicAccessService.IsProtected(path))
+                    {
+                        return false;
+                    }
+                }
             }
 
             return true;
         }
 
+        // used for tests
         public ContentValueSetValidator(bool publishedValuesOnly, int? parentId = null,
             IEnumerable<string> includeItemTypes = null, IEnumerable<string> excludeItemTypes = null)
-            : this(publishedValuesOnly, true, null, parentId, includeItemTypes, excludeItemTypes)
+            : this(publishedValuesOnly, true, null, null, parentId, includeItemTypes, excludeItemTypes)
         {
         }
 
         public ContentValueSetValidator(bool publishedValuesOnly, bool supportProtectedContent,
-            IPublicAccessService publicAccessService, int? parentId = null,
+            IPublicAccessService publicAccessService,
+            IScopeProvider scopeProvider,
+            int? parentId = null,
             IEnumerable<string> includeItemTypes = null, IEnumerable<string> excludeItemTypes = null)
             : base(includeItemTypes, excludeItemTypes, null, null)
         {
@@ -79,6 +94,16 @@ namespace Umbraco.Examine
             SupportProtectedContent = supportProtectedContent;
             ParentId = parentId;
             _publicAccessService = publicAccessService;
+            _scopeProvider = scopeProvider;
+        }
+
+        [Obsolete("Use the ctor with all parameters instead")]
+        public ContentValueSetValidator(bool publishedValuesOnly, bool supportProtectedContent,
+            IPublicAccessService publicAccessService, int? parentId = null,
+            IEnumerable<string> includeItemTypes = null, IEnumerable<string> excludeItemTypes = null)
+            : this(publishedValuesOnly, supportProtectedContent, publicAccessService, Current.ScopeProvider,
+                  parentId, includeItemTypes, excludeItemTypes)
+        {
         }
 
         public override ValueSetValidationResult Validate(ValueSet valueSet)
@@ -103,7 +128,7 @@ namespace Umbraco.Examine
                     && variesByCulture.Count > 0 && variesByCulture[0].Equals("y"))
                 {
                     //so this valueset is for a content that varies by culture, now check for non-published cultures and remove those values
-                    foreach(var publishField in valueSet.Values.Where(x => x.Key.StartsWith($"{UmbracoExamineIndex.PublishedFieldName}_")).ToList())
+                    foreach (var publishField in valueSet.Values.Where(x => x.Key.StartsWith($"{UmbracoExamineIndex.PublishedFieldName}_")).ToList())
                     {
                         if (publishField.Value.Count <= 0 || !publishField.Value[0].Equals("y"))
                         {
@@ -134,7 +159,7 @@ namespace Umbraco.Examine
                 || !ValidateProtectedContent(path, valueSet.Category))
                 return ValueSetValidationResult.Filtered;
 
-            return isFiltered ? ValueSetValidationResult.Filtered: ValueSetValidationResult.Valid;
+            return isFiltered ? ValueSetValidationResult.Filtered : ValueSetValidationResult.Valid;
         }
     }
 }
diff --git a/src/Umbraco.Tests/UmbracoExamine/UmbracoContentValueSetValidatorTests.cs b/src/Umbraco.Tests/UmbracoExamine/UmbracoContentValueSetValidatorTests.cs
index 8bdb0c71c7..330529a5db 100644
--- a/src/Umbraco.Tests/UmbracoExamine/UmbracoContentValueSetValidatorTests.cs
+++ b/src/Umbraco.Tests/UmbracoExamine/UmbracoContentValueSetValidatorTests.cs
@@ -8,6 +8,7 @@ using Umbraco.Core;
 using Umbraco.Core.Models;
 using System;
 using System.Linq;
+using Umbraco.Core.Scoping;
 
 namespace Umbraco.Tests.UmbracoExamine
 {
@@ -17,10 +18,14 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Invalid_Category()
         {
-            var validator = new ContentValueSetValidator(false, true, Mock.Of<IPublicAccessService>());
+            var validator = new ContentValueSetValidator(
+                false,
+                true,
+                Mock.Of<IPublicAccessService>(),
+                Mock.Of<IScopeProvider>());
 
             var result = validator.Validate(ValueSet.FromObject("555", IndexTypes.Content, new { hello = "world", path = "-1,555" }));
-            Assert.AreEqual(ValueSetValidationResult.Valid, result);            
+            Assert.AreEqual(ValueSetValidationResult.Valid, result);
 
             result = validator.Validate(ValueSet.FromObject("777", IndexTypes.Media, new { hello = "world", path = "-1,555" }));
             Assert.AreEqual(ValueSetValidationResult.Valid, result);
@@ -33,7 +38,11 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Must_Have_Path()
         {
-            var validator = new ContentValueSetValidator(false, true, Mock.Of<IPublicAccessService>());
+            var validator = new ContentValueSetValidator(
+                false,
+                true,
+                Mock.Of<IPublicAccessService>(),
+                Mock.Of<IScopeProvider>());
 
             var result = validator.Validate(ValueSet.FromObject("555", IndexTypes.Content, new { hello = "world" }));
             Assert.AreEqual(ValueSetValidationResult.Failed, result);
@@ -45,7 +54,12 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Parent_Id()
         {
-            var validator = new ContentValueSetValidator(false, true, Mock.Of<IPublicAccessService>(), 555);
+            var validator = new ContentValueSetValidator(
+                false,
+                true,
+                Mock.Of<IPublicAccessService>(),
+                Mock.Of<IScopeProvider>(),
+                555);
 
             var result = validator.Validate(ValueSet.FromObject("555", IndexTypes.Content, new { hello = "world", path = "-1,555" }));
             Assert.AreEqual(ValueSetValidationResult.Filtered, result);
@@ -63,7 +77,9 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Inclusion_Field_List()
         {
-            var validator = new ValueSetValidator(null, null,
+            var validator = new ValueSetValidator(
+                null,
+                null,
                 new[] { "hello", "world" },
                 null);
 
@@ -79,7 +95,9 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Exclusion_Field_List()
         {
-            var validator = new ValueSetValidator(null, null,
+            var validator = new ValueSetValidator(
+                null,
+                null,
                 null,
                 new[] { "hello", "world" });
 
@@ -95,7 +113,9 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Inclusion_Exclusion_Field_List()
         {
-            var validator = new ValueSetValidator(null, null,
+            var validator = new ValueSetValidator(
+                null,
+                null,
                 new[] { "hello", "world" },
                 new[] { "world" });
 
@@ -111,7 +131,11 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Inclusion_Type_List()
         {
-            var validator = new ContentValueSetValidator(false, true, Mock.Of<IPublicAccessService>(),
+            var validator = new ContentValueSetValidator(
+                false,
+                true,
+                Mock.Of<IPublicAccessService>(),
+                Mock.Of<IScopeProvider>(),
                 includeItemTypes: new List<string> { "include-content" });
 
             var result = validator.Validate(ValueSet.FromObject("555", IndexTypes.Content, "test-content", new { hello = "world", path = "-1,555" }));
@@ -127,7 +151,11 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Exclusion_Type_List()
         {
-            var validator = new ContentValueSetValidator(false, true, Mock.Of<IPublicAccessService>(),
+            var validator = new ContentValueSetValidator(
+                false,
+                true,
+                Mock.Of<IPublicAccessService>(),
+                Mock.Of<IScopeProvider>(),
                 excludeItemTypes: new List<string> { "exclude-content" });
 
             var result = validator.Validate(ValueSet.FromObject("555", IndexTypes.Content, "test-content", new { hello = "world", path = "-1,555" }));
@@ -143,7 +171,11 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Inclusion_Exclusion_Type_List()
         {
-            var validator = new ContentValueSetValidator(false, true, Mock.Of<IPublicAccessService>(),
+            var validator = new ContentValueSetValidator(
+                false,
+                true,
+                Mock.Of<IPublicAccessService>(),
+                Mock.Of<IScopeProvider>(),
                 includeItemTypes: new List<string> { "include-content", "exclude-content" },
                 excludeItemTypes: new List<string> { "exclude-content" });
 
@@ -163,7 +195,11 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Recycle_Bin_Content()
         {
-            var validator = new ContentValueSetValidator(true, false, Mock.Of<IPublicAccessService>());
+            var validator = new ContentValueSetValidator(
+                true,
+                false,
+                Mock.Of<IPublicAccessService>(),
+                Mock.Of<IScopeProvider>());
 
             var result = validator.Validate(ValueSet.FromObject("555", IndexTypes.Content, new { hello = "world", path = "-1,-20,555" }));
             Assert.AreEqual(ValueSetValidationResult.Failed, result);
@@ -187,7 +223,11 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Recycle_Bin_Media()
         {
-            var validator = new ContentValueSetValidator(true, false, Mock.Of<IPublicAccessService>());
+            var validator = new ContentValueSetValidator(
+                true,
+                false,
+                Mock.Of<IPublicAccessService>(),
+                Mock.Of<IScopeProvider>());
 
             var result = validator.Validate(ValueSet.FromObject("555", IndexTypes.Media, new { hello = "world", path = "-1,-21,555" }));
             Assert.AreEqual(ValueSetValidationResult.Filtered, result);
@@ -203,7 +243,11 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Published_Only()
         {
-            var validator = new ContentValueSetValidator(true, true, Mock.Of<IPublicAccessService>());
+            var validator = new ContentValueSetValidator(
+                true,
+                true,
+                Mock.Of<IPublicAccessService>(),
+                Mock.Of<IScopeProvider>());
 
             var result = validator.Validate(ValueSet.FromObject("555", IndexTypes.Content, new { hello = "world", path = "-1,555" }));
             Assert.AreEqual(ValueSetValidationResult.Failed, result);
@@ -230,7 +274,10 @@ namespace Umbraco.Tests.UmbracoExamine
         [Test]
         public void Published_Only_With_Variants()
         {
-            var validator = new ContentValueSetValidator(true, true, Mock.Of<IPublicAccessService>());
+            var validator = new ContentValueSetValidator(true,
+                true,
+                Mock.Of<IPublicAccessService>(),
+                Mock.Of<IScopeProvider>());
 
             var result = validator.Validate(new ValueSet("555", IndexTypes.Content,
                 new Dictionary<string, object>
@@ -288,7 +335,11 @@ namespace Umbraco.Tests.UmbracoExamine
                 .Returns(Attempt.Succeed(new PublicAccessEntry(Guid.NewGuid(), 555, 444, 333, Enumerable.Empty<PublicAccessRule>())));
             publicAccessService.Setup(x => x.IsProtected("-1,777"))
                 .Returns(Attempt.Fail<PublicAccessEntry>());
-            var validator = new ContentValueSetValidator(false, false, publicAccessService.Object);
+            var validator = new ContentValueSetValidator(
+                false,
+                false,
+                publicAccessService.Object,
+                Mock.Of<IScopeProvider>());
 
             var result = validator.Validate(ValueSet.FromObject("555", IndexTypes.Content, new { hello = "world", path = "-1,555" }));
             Assert.AreEqual(ValueSetValidationResult.Filtered, result);
diff --git a/src/Umbraco.Web/Search/ExamineComponent.cs b/src/Umbraco.Web/Search/ExamineComponent.cs
index c9d7b7cf56..bb3f30d4cf 100644
--- a/src/Umbraco.Web/Search/ExamineComponent.cs
+++ b/src/Umbraco.Web/Search/ExamineComponent.cs
@@ -629,22 +629,27 @@ namespace Umbraco.Web.Search
                 // perform the ValueSet lookup on a background thread
                 examineComponent._indexItemTaskRunner.Add(new SimpleTask(() =>
                 {
-                    // for content we have a different builder for published vs unpublished
-                    // we don't want to build more value sets than is needed so we'll lazily build 2 one for published one for non-published
-                    var builders = new Dictionary<bool, Lazy<List<ValueSet>>>
+                    // Background thread, wrap the whole thing in an explicit scope since we know
+                    // DB services are used within this logic.
+                    using (examineComponent._scopeProvider.CreateScope(autoComplete: true))
                     {
-                        [true] = new Lazy<List<ValueSet>>(() => examineComponent._publishedContentValueSetBuilder.GetValueSets(content).ToList()),
-                        [false] = new Lazy<List<ValueSet>>(() => examineComponent._contentValueSetBuilder.GetValueSets(content).ToList())
-                    };
+                        // for content we have a different builder for published vs unpublished
+                        // we don't want to build more value sets than is needed so we'll lazily build 2 one for published one for non-published
+                        var builders = new Dictionary<bool, Lazy<List<ValueSet>>>
+                        {
+                            [true] = new Lazy<List<ValueSet>>(() => examineComponent._publishedContentValueSetBuilder.GetValueSets(content).ToList()),
+                            [false] = new Lazy<List<ValueSet>>(() => examineComponent._contentValueSetBuilder.GetValueSets(content).ToList())
+                        };
 
-                    foreach (var index in examineComponent._examineManager.Indexes.OfType<IUmbracoIndex>()
-                        //filter the indexers
-                        .Where(x => isPublished || !x.PublishedValuesOnly)
-                        .Where(x => x.EnableDefaultEventHandler))
-                    {
-                        var valueSet = builders[index.PublishedValuesOnly].Value;
-                        index.IndexItems(valueSet);
-                    }
+                        foreach (var index in examineComponent._examineManager.Indexes.OfType<IUmbracoIndex>()
+                            //filter the indexers
+                            .Where(x => isPublished || !x.PublishedValuesOnly)
+                            .Where(x => x.EnableDefaultEventHandler))
+                        {
+                            var valueSet = builders[index.PublishedValuesOnly].Value;
+                            index.IndexItems(valueSet);
+                        }
+                    }   
                 }));
             }
         }
@@ -675,14 +680,19 @@ namespace Umbraco.Web.Search
                 // perform the ValueSet lookup on a background thread
                 examineComponent._indexItemTaskRunner.Add(new SimpleTask(() =>
                 {
-                    var valueSet = examineComponent._mediaValueSetBuilder.GetValueSets(media).ToList();
-
-                    foreach (var index in examineComponent._examineManager.Indexes.OfType<IUmbracoIndex>()
-                        //filter the indexers
-                        .Where(x => isPublished || !x.PublishedValuesOnly)
-                        .Where(x => x.EnableDefaultEventHandler))
+                    // Background thread, wrap the whole thing in an explicit scope since we know
+                    // DB services are used within this logic.
+                    using (examineComponent._scopeProvider.CreateScope(autoComplete: true))
                     {
-                        index.IndexItems(valueSet);
+                        var valueSet = examineComponent._mediaValueSetBuilder.GetValueSets(media).ToList();
+
+                        foreach (var index in examineComponent._examineManager.Indexes.OfType<IUmbracoIndex>()
+                            //filter the indexers
+                            .Where(x => isPublished || !x.PublishedValuesOnly)
+                            .Where(x => x.EnableDefaultEventHandler))
+                        {
+                            index.IndexItems(valueSet);
+                        }
                     }
                 })); 
             }
@@ -712,12 +722,17 @@ namespace Umbraco.Web.Search
                 // perform the ValueSet lookup on a background thread
                 examineComponent._indexItemTaskRunner.Add(new SimpleTask(() =>
                 {
-                    var valueSet = examineComponent._memberValueSetBuilder.GetValueSets(member).ToList();
-                    foreach (var index in examineComponent._examineManager.Indexes.OfType<IUmbracoIndex>()
-                        //filter the indexers
-                        .Where(x => x.EnableDefaultEventHandler))
+                    // Background thread, wrap the whole thing in an explicit scope since we know
+                    // DB services are used within this logic.
+                    using (examineComponent._scopeProvider.CreateScope(autoComplete: true))
                     {
-                        index.IndexItems(valueSet);
+                        var valueSet = examineComponent._memberValueSetBuilder.GetValueSets(member).ToList();
+                        foreach (var index in examineComponent._examineManager.Indexes.OfType<IUmbracoIndex>()
+                            //filter the indexers
+                            .Where(x => x.EnableDefaultEventHandler))
+                        {
+                            index.IndexItems(valueSet);
+                        }
                     }
                 }));
             }