From 16573446dbb3814a5e62fbd731b294de8e801176 Mon Sep 17 00:00:00 2001
From: Chad <chad.d.currie@gmail.com>
Date: Mon, 22 Feb 2021 21:53:53 +1300
Subject: [PATCH 1/5] Fixes #9615 - Upgrade to Htmlsanitizer v5 (#9856)

---
 build/NuSpecs/UmbracoCms.Web.nuspec           | 2 +-
 src/Umbraco.Web/Runtime/WebInitialComposer.cs | 9 +++++++++
 src/Umbraco.Web/Umbraco.Web.csproj            | 5 +++--
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/build/NuSpecs/UmbracoCms.Web.nuspec b/build/NuSpecs/UmbracoCms.Web.nuspec
index 82d15d2b95..ac787f64e3 100644
--- a/build/NuSpecs/UmbracoCms.Web.nuspec
+++ b/build/NuSpecs/UmbracoCms.Web.nuspec
@@ -42,7 +42,7 @@
                 <dependency id="Microsoft.Owin.Security.Cookies" version="[4.0.1,4.999999)" />
                 <dependency id="Microsoft.Owin.Security.OAuth" version="[4.0.1,4.999999)" />
                 <dependency id="System.Threading.Tasks.Dataflow" version="[4.9.0,4.999999)" />
-                <dependency id="HtmlSanitizer" version="[4.0.217,4.999999)" />
+                <dependency id="HtmlSanitizer" version="[5.0.376,5.999999)" />
 
             </group>
 
diff --git a/src/Umbraco.Web/Runtime/WebInitialComposer.cs b/src/Umbraco.Web/Runtime/WebInitialComposer.cs
index 112910930e..97e2cc1b15 100644
--- a/src/Umbraco.Web/Runtime/WebInitialComposer.cs
+++ b/src/Umbraco.Web/Runtime/WebInitialComposer.cs
@@ -40,6 +40,7 @@ using Current = Umbraco.Web.Composing.Current;
 using Umbraco.Web.PropertyEditors;
 using Umbraco.Core.Models;
 using Umbraco.Web.Models;
+using Ganss.XSS;
 
 namespace Umbraco.Web.Runtime
 {
@@ -139,6 +140,14 @@ namespace Umbraco.Web.Runtime
             composition.RegisterUnique<ISectionService, SectionService>();
             composition.RegisterUnique<IDashboardService, DashboardService>();
             composition.RegisterUnique<IIconService, IconService>();
+            composition.Register<IHtmlSanitizer>(_ =>
+            {
+                var sanitizer = new HtmlSanitizer();
+                sanitizer.AllowedAttributes.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Attributes);
+                sanitizer.AllowedCssProperties.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Attributes);
+                sanitizer.AllowedTags.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Tags);
+                return sanitizer;
+            },Lifetime.Singleton);
 
             composition.RegisterUnique<IExamineManager>(factory => ExamineManager.Instance);
 
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index c3eba87d6f..1a6c9a49a2 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -67,6 +67,7 @@
     <PackageReference Include="HtmlAgilityPack" Version="1.8.14" />
     <PackageReference Include="HtmlSanitizer">
       <Version>4.0.217</Version>
+      <Version>5.0.376</Version>
     </PackageReference>
     <PackageReference Include="ImageProcessor">
       <Version>2.7.0.100</Version>
@@ -1286,7 +1287,7 @@
     </PropertyGroup>
     <ItemGroup>
       <!-- we want to exclude all facade references ?! -->
-      <FixedReferencePath Include="@(ReferencePath)" Condition="'%(ReferencePath.FileName)' != 'System.ValueTuple' and '%(ReferencePath.FileName)' != 'System.Net.Http'" />
+      <FixedReferencePath Include="@(ReferencePath)" Condition="'%(ReferencePath.FileName)' != 'System.ValueTuple' and '%(ReferencePath.FileName)' != 'System.Net.Http' and '%(ReferencePath.FileName)' != 'System.Text.Encoding.CodePages'" />
     </ItemGroup>
     <Delete Files="$(TargetDir)$(TargetName).XmlSerializers.dll" ContinueOnError="true" />
     <!--
@@ -1296,4 +1297,4 @@
       <Output TaskParameter="SerializationAssembly" ItemName="SerializationAssembly" />
     </SGen>
   </Target>
-</Project>
\ No newline at end of file
+</Project>

From b7553e311ad04c11faf1d0a54633703b3f0e2916 Mon Sep 17 00:00:00 2001
From: Kenn Jacobsen <kja@vertica.dk>
Date: Tue, 9 Mar 2021 12:58:10 +0100
Subject: [PATCH 2/5] Cache the SVG icons serverside to boost performance
 (#9200)

Co-authored-by: Nathan Woulfe <nathan@nathanw.com.au>
(cherry picked from commit 8e01ac30d60f0a5c7340a44c411815bf75c14c50)

# Conflicts:
#	src/Umbraco.Web.UI/Umbraco/Views/Default.cshtml
#	src/Umbraco.Web/Services/IconService.cs
---
 src/Umbraco.Core/IO/SystemDirectories.cs      |   2 +
 src/Umbraco.Core/Services/IIconService.cs     |  14 +-
 .../components/umbicon.directive.js           |   3 +-
 .../src/common/services/iconhelper.service.js | 128 ++++++++----------
 .../Umbraco/Views/Default.cshtml              |   6 -
 .../Editors/BackOfficeController.cs           |  47 ++-----
 src/Umbraco.Web/Editors/BackOfficeModel.cs    |  15 +-
 .../Editors/BackOfficePreviewModel.cs         |  17 +--
 .../Editors/BackOfficeServerVariables.cs      |   8 +-
 src/Umbraco.Web/Editors/IconController.cs     |  24 +++-
 src/Umbraco.Web/Editors/PreviewController.cs  |  24 +---
 src/Umbraco.Web/Services/IconService.cs       | 105 ++++++++++----
 12 files changed, 189 insertions(+), 204 deletions(-)

diff --git a/src/Umbraco.Core/IO/SystemDirectories.cs b/src/Umbraco.Core/IO/SystemDirectories.cs
index 485fd7f965..9d09bf2f0d 100644
--- a/src/Umbraco.Core/IO/SystemDirectories.cs
+++ b/src/Umbraco.Core/IO/SystemDirectories.cs
@@ -25,6 +25,8 @@ namespace Umbraco.Core.IO
 
         public static string AppPlugins => "~/App_Plugins";
 
+        public static string AppPluginIcons => "/Backoffice/Icons";
+
         public static string MvcViews => "~/Views";
 
         public static string PartialViews => MvcViews + "/Partials/";
diff --git a/src/Umbraco.Core/Services/IIconService.cs b/src/Umbraco.Core/Services/IIconService.cs
index 963edb22a5..1e1ae38002 100644
--- a/src/Umbraco.Core/Services/IIconService.cs
+++ b/src/Umbraco.Core/Services/IIconService.cs
@@ -1,4 +1,6 @@
+using System;
 using System.Collections.Generic;
+using System.ComponentModel;
 using Umbraco.Core.Models;
 
 namespace Umbraco.Core.Services
@@ -6,7 +8,7 @@ namespace Umbraco.Core.Services
     public interface IIconService
     {
         /// <summary>
-        /// Gets an IconModel containing the icon name and SvgString according to an icon name found at the global icons path
+        /// Gets the svg string for the icon name found at the global icons path
         /// </summary>
         /// <param name="iconName"></param>
         /// <returns></returns>
@@ -15,7 +17,15 @@ namespace Umbraco.Core.Services
         /// <summary>
         /// Gets a list of all svg icons found at at the global icons path.
         /// </summary>
-        /// <returns></returns>
+        /// <returns>A list of <see cref="IconModel"/></returns>
+        [Obsolete("This method should not be used - use GetIcons instead")]
+        [EditorBrowsable(EditorBrowsableState.Never)]
         IList<IconModel> GetAllIcons();
+
+        /// <summary>
+        /// Gets a list of all svg icons found at at the global icons path.
+        /// </summary>
+        /// <returns></returns>
+        IReadOnlyDictionary<string, string> GetIcons();
     }
 }
diff --git a/src/Umbraco.Web.UI.Client/src/common/directives/components/umbicon.directive.js b/src/Umbraco.Web.UI.Client/src/common/directives/components/umbicon.directive.js
index 87d976f6d9..73a9617aee 100644
--- a/src/Umbraco.Web.UI.Client/src/common/directives/components/umbicon.directive.js
+++ b/src/Umbraco.Web.UI.Client/src/common/directives/components/umbicon.directive.js
@@ -75,9 +75,8 @@ Icon with additional attribute. It can be treated like any other dom element
 
                     iconHelper.getIcon(icon)
                         .then(data => {
-                            if (data !== null && data.svgString !== undefined) {
+                            if (data && data.svgString) {
                                 // Watch source SVG string
-                                //icon.svgString.$$unwrapTrustedValue();
                                 scope.svgString = data.svgString;
                             }
                         });
diff --git a/src/Umbraco.Web.UI.Client/src/common/services/iconhelper.service.js b/src/Umbraco.Web.UI.Client/src/common/services/iconhelper.service.js
index f26763bd14..f3f5deb695 100644
--- a/src/Umbraco.Web.UI.Client/src/common/services/iconhelper.service.js
+++ b/src/Umbraco.Web.UI.Client/src/common/services/iconhelper.service.js
@@ -3,9 +3,9 @@
 * @name umbraco.services.iconHelper
 * @description A helper service for dealing with icons, mostly dealing with legacy tree icons
 **/
-function iconHelper($http, $q, $sce, $timeout, umbRequestHelper) {
+function iconHelper($http, $q, $sce, $timeout) {
 
-    var converter = [
+    const converter = [
         { oldIcon: ".sprNew", newIcon: "add" },
         { oldIcon: ".sprDelete", newIcon: "remove" },
         { oldIcon: ".sprMove", newIcon: "enter" },
@@ -85,15 +85,61 @@ function iconHelper($http, $q, $sce, $timeout, umbRequestHelper) {
         { oldIcon: ".sprTreeDeveloperPython", newIcon: "icon-linux" }
     ];
 
-    var collectedIcons;
+    let collectedIcons;
 
-    var imageConverter = [
-            {oldImage: "contour.png", newIcon: "icon-umb-contour"}
-            ];
+    let imageConverter = [
+        {oldImage: "contour.png", newIcon: "icon-umb-contour"}
+    ];
 
-    var iconCache = [];
-    var liveRequests = [];
-    var allIconsRequested = false;
+    const iconCache = [];
+    const promiseQueue = [];
+    let resourceLoadStatus = "none";
+
+    /**
+     * This is the same approach as use for loading the localized text json 
+     * We don't want multiple requests for the icon collection, so need to track
+     * the current request state, and resolve the queued requests once the icons arrive
+     * Subsequent requests are returned immediately as the icons are cached into 
+     */
+    function init() {       
+        const deferred = $q.defer();
+
+        if (resourceLoadStatus === "loaded") {
+            deferred.resolve(iconCache);
+            return deferred.promise;
+        }
+
+        if (resourceLoadStatus === "loading") {
+            promiseQueue.push(deferred);
+            return deferred.promise;
+        }
+
+        resourceLoadStatus = "loading";
+
+        $http({ method: "GET", url: Umbraco.Sys.ServerVariables.umbracoUrls.iconApiBaseUrl + 'GetIcons' })
+            .then(function (response) {
+                resourceLoadStatus = "loaded";
+
+                for (const [key, value] of Object.entries(response.data.Data)) {
+                    iconCache.push({name: key, svgString: $sce.trustAsHtml(value)})
+                }
+
+                deferred.resolve(iconCache);
+
+                //ensure all other queued promises are resolved
+                for (let p in promiseQueue) {
+                    promiseQueue[p].resolve(iconCache);
+                }
+            }, function (err) {
+                deferred.reject("Something broke");
+                //ensure all other queued promises are resolved
+                for (let p in promiseQueue) {
+                    promiseQueue[p].reject("Something broke");
+                }
+            });
+
+        return deferred.promise;    
+    }
 
     return {
 
@@ -187,67 +233,12 @@ function iconHelper($http, $q, $sce, $timeout, umbRequestHelper) {
 
         /** Gets a single IconModel */
         getIcon: function(iconName) {
-            return $q((resolve, reject) => {
-                var icon = this._getIconFromCache(iconName);
-
-                 if(icon !== undefined) {
-                    resolve(icon);
-                } else {
-                    var iconRequestPath = Umbraco.Sys.ServerVariables.umbracoUrls.iconApiBaseUrl +  'GetIcon?iconName=' + iconName;
-
-                     // If the current icon is being requested, wait a bit so that we don't have to make another http request and can instead get the icon from the cache.
-                    // This is a bit rough and ready and could probably be improved used an event based system
-                    if(liveRequests.indexOf(iconRequestPath) >= 0) {
-                        setTimeout(() => {
-                            resolve(this.getIcon(iconName));
-                        }, 10);
-                    } else {
-                        liveRequests.push(iconRequestPath);
-                        // TODO - fix bug where Umbraco.Sys.ServerVariables.umbracoUrls.iconApiBaseUrl is undefinied when help icon
-                        umbRequestHelper.resourcePromise(
-                            $http.get(iconRequestPath)
-                            ,'Failed to retrieve icon: ' + iconName)
-                        .then(icon => {
-                            if(icon) {
-                                var trustedIcon = this.defineIcon(icon.Name, icon.SvgString);
-
-                                liveRequests = _.filter(liveRequests, iconRequestPath);
-
-                                resolve(trustedIcon);
-                            }
-                        })
-                        .catch(err => {
-                            console.warn(err);
-                        });
-                    };
-
-                 }
-            });
+            return init().then(icons => icons.find(i => i.name === iconName));
         },
 
         /** Gets all the available icons in the backoffice icon folder and returns them as an array of IconModels */
          getAllIcons: function() {
-            return $q((resolve, reject) => {
-                if(allIconsRequested === false) {
-                    allIconsRequested = true;
-
-                     umbRequestHelper.resourcePromise(
-                        $http.get(Umbraco.Sys.ServerVariables.umbracoUrls.iconApiBaseUrl + 'GetAllIcons')
-                        ,'Failed to retrieve icons')
-                    .then(icons => {
-                        icons.forEach(icon => {
-                            this.defineIcon(icon.Name, icon.SvgString);
-                        });
-
-                        resolve(iconCache);
-                    })
-                    .catch(err => {
-                        console.warn(err);
-                    });;
-                } else {
-                    resolve(iconCache);
-                }
-            });
+            return init().then(icons => icons);
         },
 
         /** LEGACY - Return a list of icons from icon fonts, optionally filter them */
@@ -312,9 +303,8 @@ function iconHelper($http, $q, $sce, $timeout, umbRequestHelper) {
         },
 
          /** Returns the cached icon or undefined */
-        _getIconFromCache: function(iconName) {
-            return _.find(iconCache, {name: iconName});
-        }
+        _getIconFromCache: iconName => iconCache.find(icon => icon.name === iconName)
+        
     };
 }
 angular.module('umbraco.services').factory('iconHelper', iconHelper);
diff --git a/src/Umbraco.Web.UI/Umbraco/Views/Default.cshtml b/src/Umbraco.Web.UI/Umbraco/Views/Default.cshtml
index 666f7a64f5..eca1deda10 100644
--- a/src/Umbraco.Web.UI/Umbraco/Views/Default.cshtml
+++ b/src/Umbraco.Web.UI/Umbraco/Views/Default.cshtml
@@ -120,12 +120,6 @@
             @Html.AngularValueResetPasswordCodeInfoScript(ViewData["PasswordResetCode"])
             @Html.AngularValueTinyMceAssets()
 
-            app.run(["iconHelper", function (iconHelper) {
-                @* We inject icons to the icon helper(service), since icons can only be loaded if user is authorized. By injecting these to the service they will not be requested as they will become cached. *@
-                iconHelper.defineIcon("icon-check", '@Html.Raw(Model.IconCheckData)');
-                iconHelper.defineIcon("icon-delete", '@Html.Raw(Model.IconDeleteData)');
-            }]);
-
             //required for the noscript trick
             document.getElementById("mainwrapper").style.display = "inherit";
 
diff --git a/src/Umbraco.Web/Editors/BackOfficeController.cs b/src/Umbraco.Web/Editors/BackOfficeController.cs
index cd5a3a50b6..6889695e54 100644
--- a/src/Umbraco.Web/Editors/BackOfficeController.cs
+++ b/src/Umbraco.Web/Editors/BackOfficeController.cs
@@ -1,4 +1,8 @@
-using System;
+using Microsoft.AspNet.Identity;
+using Microsoft.AspNet.Identity.Owin;
+using Microsoft.Owin.Security;
+using Newtonsoft.Json;
+using System;
 using System.Collections.Generic;
 using System.Globalization;
 using System.Linq;
@@ -7,24 +11,19 @@ using System.Threading.Tasks;
 using System.Web;
 using System.Web.Mvc;
 using System.Web.UI;
-using Microsoft.AspNet.Identity;
-using Microsoft.AspNet.Identity.Owin;
-using Microsoft.Owin.Security;
-using Newtonsoft.Json;
 using Umbraco.Core;
 using Umbraco.Core.Cache;
 using Umbraco.Core.Configuration;
 using Umbraco.Core.Logging;
 using Umbraco.Core.Manifest;
 using Umbraco.Core.Models.Identity;
-using Umbraco.Web.Models;
-using Umbraco.Web.Mvc;
 using Umbraco.Core.Services;
 using Umbraco.Web.Composing;
 using Umbraco.Web.Features;
 using Umbraco.Web.JavaScript;
+using Umbraco.Web.Models;
+using Umbraco.Web.Mvc;
 using Umbraco.Web.Security;
-using Umbraco.Web.Services;
 using Constants = Umbraco.Core.Constants;
 using JArray = Newtonsoft.Json.Linq.JArray;
 
@@ -41,11 +40,9 @@ namespace Umbraco.Web.Editors
         private readonly ManifestParser _manifestParser;
         private readonly UmbracoFeatures _features;
         private readonly IRuntimeState _runtimeState;
-        private readonly IIconService _iconService;
         private BackOfficeUserManager<BackOfficeIdentityUser> _userManager;
         private BackOfficeSignInManager _signInManager;
 
-        [Obsolete("Use the constructor that injects IIconService.")]
         public BackOfficeController(
             ManifestParser manifestParser,
             UmbracoFeatures features,
@@ -56,37 +53,11 @@ namespace Umbraco.Web.Editors
             IProfilingLogger profilingLogger,
             IRuntimeState runtimeState,
             UmbracoHelper umbracoHelper)
-            : this(manifestParser,
-                features,
-                globalSettings,
-                umbracoContextAccessor,
-                services,
-                appCaches,
-                profilingLogger,
-                runtimeState,
-                umbracoHelper,
-                Current.IconService)
-        {
-
-        }
-
-        public BackOfficeController(
-            ManifestParser manifestParser,
-            UmbracoFeatures features,
-            IGlobalSettings globalSettings,
-            IUmbracoContextAccessor umbracoContextAccessor,
-            ServiceContext services,
-            AppCaches appCaches,
-            IProfilingLogger profilingLogger,
-            IRuntimeState runtimeState,
-            UmbracoHelper umbracoHelper,
-            IIconService iconService)
             : base(globalSettings, umbracoContextAccessor, services, appCaches, profilingLogger, umbracoHelper)
         {
             _manifestParser = manifestParser;
             _features = features;
             _runtimeState = runtimeState;
-            _iconService = iconService;
         }
 
         protected BackOfficeSignInManager SignInManager => _signInManager ?? (_signInManager = OwinContext.GetBackOfficeSignInManager());
@@ -101,7 +72,7 @@ namespace Umbraco.Web.Editors
         /// <returns></returns>
         public async Task<ActionResult> Default()
         {
-            var backofficeModel = new BackOfficeModel(_features, GlobalSettings, _iconService);
+            var backofficeModel = new BackOfficeModel(_features, GlobalSettings);
             return await RenderDefaultOrProcessExternalLoginAsync(
                 () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml", backofficeModel),
                 () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml", backofficeModel));
@@ -187,7 +158,7 @@ namespace Umbraco.Web.Editors
         {
             return await RenderDefaultOrProcessExternalLoginAsync(
                 //The default view to render when there is no external login info or errors
-                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/AuthorizeUpgrade.cshtml", new BackOfficeModel(_features, GlobalSettings, _iconService)),
+                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/AuthorizeUpgrade.cshtml", new BackOfficeModel(_features, GlobalSettings)),
                 //The ActionResult to perform if external login is successful
                 () => Redirect("/"));
         }
diff --git a/src/Umbraco.Web/Editors/BackOfficeModel.cs b/src/Umbraco.Web/Editors/BackOfficeModel.cs
index cbdafd2e94..d0d2e324f3 100644
--- a/src/Umbraco.Web/Editors/BackOfficeModel.cs
+++ b/src/Umbraco.Web/Editors/BackOfficeModel.cs
@@ -1,32 +1,19 @@
 using System;
 using Umbraco.Core.Configuration;
-using Umbraco.Core.Services;
-using Umbraco.Web.Composing;
 using Umbraco.Web.Features;
 
 namespace Umbraco.Web.Editors
 {
-
     public class BackOfficeModel
     {
 
-
-        [Obsolete("Use the overload that injects IIconService.")]
-        public BackOfficeModel(UmbracoFeatures features, IGlobalSettings globalSettings) : this(features, globalSettings, Current.IconService)
-        {
-
-        }
-        public BackOfficeModel(UmbracoFeatures features, IGlobalSettings globalSettings, IIconService iconService)
+        public BackOfficeModel(UmbracoFeatures features, IGlobalSettings globalSettings)
         {
             Features = features;
             GlobalSettings = globalSettings;
-            IconCheckData = iconService.GetIcon("icon-check")?.SvgString;
-            IconDeleteData = iconService.GetIcon("icon-delete")?.SvgString;
         }
 
         public UmbracoFeatures Features { get; }
         public IGlobalSettings GlobalSettings { get; }
-        public string IconCheckData { get; }
-        public string IconDeleteData { get; }
     }
 }
diff --git a/src/Umbraco.Web/Editors/BackOfficePreviewModel.cs b/src/Umbraco.Web/Editors/BackOfficePreviewModel.cs
index cc7356b687..6ace8e7198 100644
--- a/src/Umbraco.Web/Editors/BackOfficePreviewModel.cs
+++ b/src/Umbraco.Web/Editors/BackOfficePreviewModel.cs
@@ -1,9 +1,6 @@
-using System;
-using System.Collections.Generic;
+using System.Collections.Generic;
 using Umbraco.Core.Configuration;
 using Umbraco.Core.Models;
-using Umbraco.Core.Services;
-using Umbraco.Web.Composing;
 using Umbraco.Web.Features;
 
 namespace Umbraco.Web.Editors
@@ -13,21 +10,11 @@ namespace Umbraco.Web.Editors
         private readonly UmbracoFeatures _features;
         public IEnumerable<ILanguage> Languages { get; }
 
-        [Obsolete("Use the overload that injects IIconService.")]
         public BackOfficePreviewModel(
             UmbracoFeatures features,
             IGlobalSettings globalSettings,
             IEnumerable<ILanguage> languages)
-            : this(features, globalSettings, languages, Current.IconService)
-        {
-        }
-
-        public BackOfficePreviewModel(
-            UmbracoFeatures features,
-            IGlobalSettings globalSettings,
-            IEnumerable<ILanguage> languages,
-            IIconService iconService)
-            : base(features, globalSettings, iconService)
+            : base(features, globalSettings)
         {
             _features = features;
             Languages = languages;
diff --git a/src/Umbraco.Web/Editors/BackOfficeServerVariables.cs b/src/Umbraco.Web/Editors/BackOfficeServerVariables.cs
index 60d3a6f779..a995aa7110 100644
--- a/src/Umbraco.Web/Editors/BackOfficeServerVariables.cs
+++ b/src/Umbraco.Web/Editors/BackOfficeServerVariables.cs
@@ -1,4 +1,6 @@
-using System;
+using ClientDependency.Core.Config;
+using Microsoft.Owin;
+using System;
 using System.Collections;
 using System.Collections.Generic;
 using System.Configuration;
@@ -7,15 +9,11 @@ using System.Runtime.Serialization;
 using System.Web;
 using System.Web.Configuration;
 using System.Web.Mvc;
-using ClientDependency.Core.Config;
-using Microsoft.Owin;
 using Microsoft.Owin.Security;
 using Umbraco.Core;
 using Umbraco.Core.Composing;
 using Umbraco.Core.Configuration;
-using Umbraco.Core.Configuration.UmbracoSettings;
 using Umbraco.Core.IO;
-using Umbraco.Web.Controllers;
 using Umbraco.Web.Features;
 using Umbraco.Web.HealthCheck;
 using Umbraco.Web.Models.ContentEditing;
diff --git a/src/Umbraco.Web/Editors/IconController.cs b/src/Umbraco.Web/Editors/IconController.cs
index 87303a4e62..c26389f239 100644
--- a/src/Umbraco.Web/Editors/IconController.cs
+++ b/src/Umbraco.Web/Editors/IconController.cs
@@ -1,13 +1,20 @@
-using System.Collections.Generic;
+using Newtonsoft.Json;
+using System;
+using System.Collections.Generic;
 using Umbraco.Core.Models;
 using Umbraco.Core.Services;
 using Umbraco.Web.Mvc;
 using Umbraco.Web.WebApi;
+using Umbraco.Web.WebApi.Filters;
 
 namespace Umbraco.Web.Editors
 {
     [PluginController("UmbracoApi")]
-    public class IconController : UmbracoAuthorizedApiController
+    [IsBackOffice]
+    [UmbracoWebApiRequireHttps]
+    [UnhandedExceptionLoggerConfiguration]
+    [EnableDetailedErrors]
+    public class IconController : UmbracoApiController
     {
         private readonly IIconService _iconService;
 
@@ -30,9 +37,22 @@ namespace Umbraco.Web.Editors
         /// Gets a list of all svg icons found at at the global icons path.
         /// </summary>
         /// <returns></returns>
+        [Obsolete("This method should not be used - use GetIcons instead")]
         public IList<IconModel> GetAllIcons()
         {
             return _iconService.GetAllIcons();
         }
+
+        /// <summary>
+        /// Gets a list of all svg icons found at at the global icons path.
+        /// </summary>
+        /// <returns></returns>
+        public JsonNetResult GetIcons()
+        {
+            return new JsonNetResult() {
+                Data = _iconService.GetIcons(),
+                Formatting = Formatting.None
+            };
+        }
     }
 }
diff --git a/src/Umbraco.Web/Editors/PreviewController.cs b/src/Umbraco.Web/Editors/PreviewController.cs
index f148655acd..8cff55305e 100644
--- a/src/Umbraco.Web/Editors/PreviewController.cs
+++ b/src/Umbraco.Web/Editors/PreviewController.cs
@@ -9,10 +9,8 @@ using Umbraco.Core.Services;
 using Umbraco.Web.Composing;
 using Umbraco.Web.Features;
 using Umbraco.Web.JavaScript;
-using Umbraco.Web.Models.ContentEditing;
 using Umbraco.Web.Mvc;
 using Umbraco.Web.PublishedCache;
-using Umbraco.Web.Services;
 using Constants = Umbraco.Core.Constants;
 
 namespace Umbraco.Web.Editors
@@ -25,39 +23,19 @@ namespace Umbraco.Web.Editors
         private readonly IPublishedSnapshotService _publishedSnapshotService;
         private readonly IUmbracoContextAccessor _umbracoContextAccessor;
         private readonly ILocalizationService _localizationService;
-        private readonly IIconService _iconService;
 
-        [Obsolete("Use the constructor that injects IIconService.")]
         public PreviewController(
             UmbracoFeatures features,
             IGlobalSettings globalSettings,
             IPublishedSnapshotService publishedSnapshotService,
             IUmbracoContextAccessor umbracoContextAccessor,
             ILocalizationService localizationService)
-            :this(features,
-                globalSettings,
-                publishedSnapshotService,
-                umbracoContextAccessor,
-                localizationService,
-                Current.IconService)
-        {
-
-        }
-
-        public PreviewController(
-            UmbracoFeatures features,
-            IGlobalSettings globalSettings,
-            IPublishedSnapshotService publishedSnapshotService,
-            IUmbracoContextAccessor umbracoContextAccessor,
-            ILocalizationService localizationService,
-            IIconService iconService)
         {
             _features = features;
             _globalSettings = globalSettings;
             _publishedSnapshotService = publishedSnapshotService;
             _umbracoContextAccessor = umbracoContextAccessor;
             _localizationService = localizationService;
-            _iconService = iconService;
         }
 
         [UmbracoAuthorize(redirectToUmbracoLogin: true)]
@@ -66,7 +44,7 @@ namespace Umbraco.Web.Editors
         {
             var availableLanguages = _localizationService.GetAllLanguages();
 
-            var model = new BackOfficePreviewModel(_features, _globalSettings, availableLanguages, _iconService);
+            var model = new BackOfficePreviewModel(_features, _globalSettings, availableLanguages);
 
             if (model.PreviewExtendedHeaderView.IsNullOrWhiteSpace() == false)
             {
diff --git a/src/Umbraco.Web/Services/IconService.cs b/src/Umbraco.Web/Services/IconService.cs
index 206af296f9..15e673e6ba 100644
--- a/src/Umbraco.Web/Services/IconService.cs
+++ b/src/Umbraco.Web/Services/IconService.cs
@@ -1,8 +1,10 @@
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using Ganss.XSS;
 using Umbraco.Core;
+using Umbraco.Core.Cache;
 using Umbraco.Core.Configuration;
 using Umbraco.Core.IO;
 using Umbraco.Core.Models;
@@ -13,39 +15,44 @@ namespace Umbraco.Web.Services
     public class IconService : IIconService
     {
         private readonly IGlobalSettings _globalSettings;
+        private readonly IHtmlSanitizer _htmlSanitizer;
+        private readonly IAppPolicyCache _cache;
 
-        public IconService(IGlobalSettings globalSettings)
+        public IconService(IGlobalSettings globalSettings, IHtmlSanitizer htmlSanitizer, AppCaches appCaches)
         {
             _globalSettings = globalSettings;
+            _htmlSanitizer = htmlSanitizer;
+            _cache = appCaches.RuntimeCache;
         }
 
-
         /// <inheritdoc />
-        public IList<IconModel> GetAllIcons()
-        {
-            var icons = new List<IconModel>();
-            var directory = new DirectoryInfo(IOHelper.MapPath($"{_globalSettings.IconsPath}/"));
-            var iconNames = directory.GetFiles("*.svg");
+        public IReadOnlyDictionary<string, string> GetIcons() => GetIconDictionary();
 
-            iconNames.OrderBy(f => f.Name).ToList().ForEach(iconInfo =>
-            {
-                var icon = GetIcon(iconInfo);
-
-                if (icon != null)
-                {
-                    icons.Add(icon);
-                }
-            });
-
-            return icons;
-        }
+        /// <inheritdoc />
+        public IList<IconModel> GetAllIcons() =>
+            GetIconDictionary()
+                .Select(x => new IconModel { Name = x.Key, SvgString = x.Value })
+                .ToList();
 
         /// <inheritdoc />
         public IconModel GetIcon(string iconName)
         {
-            return string.IsNullOrWhiteSpace(iconName)
-                ? null
-                : CreateIconModel(iconName.StripFileExtension(), IOHelper.MapPath($"{_globalSettings.IconsPath}/{iconName}.svg"));
+            if (iconName.IsNullOrWhiteSpace())
+            {
+                return null;
+            }
+
+            var allIconModels = GetIconDictionary();
+            if (allIconModels.ContainsKey(iconName))
+            {
+                return new IconModel
+                {
+                    Name = iconName,
+                    SvgString = allIconModels[iconName]
+                };
+            }
+
+            return null;
         }
 
         /// <summary>
@@ -68,15 +75,10 @@ namespace Umbraco.Web.Services
         /// <returns></returns>
         private IconModel CreateIconModel(string iconName, string iconPath)
         {
-            var sanitizer = new HtmlSanitizer();
-            sanitizer.AllowedAttributes.UnionWith(Constants.SvgSanitizer.Attributes);
-            sanitizer.AllowedCssProperties.UnionWith(Constants.SvgSanitizer.Attributes);
-            sanitizer.AllowedTags.UnionWith(Constants.SvgSanitizer.Tags);
-
             try
             {
                 var svgContent = System.IO.File.ReadAllText(iconPath);
-                var sanitizedString = sanitizer.Sanitize(svgContent);
+                var sanitizedString = _htmlSanitizer.Sanitize(svgContent);
 
                 var svg = new IconModel
                 {
@@ -91,5 +93,52 @@ namespace Umbraco.Web.Services
                 return null;
             }
         }
+
+        private IEnumerable<FileInfo> GetAllIconsFiles()
+        {
+            var icons = new HashSet<FileInfo>(new CaseInsensitiveFileInfoComparer());
+
+            // add icons from plugins
+            var appPluginsDirectoryPath = IOHelper.MapPath(SystemDirectories.AppPlugins);
+            if (Directory.Exists(appPluginsDirectoryPath))
+            {
+                var appPlugins = new DirectoryInfo(appPluginsDirectoryPath);
+
+                // iterate sub directories of app plugins
+                foreach (var dir in appPlugins.EnumerateDirectories())
+                {
+                    var iconPath = IOHelper.MapPath($"{SystemDirectories.AppPlugins}/{dir.Name}{SystemDirectories.AppPluginIcons}");
+                    if (Directory.Exists(iconPath))
+                    {
+                        var dirIcons = new DirectoryInfo(iconPath).EnumerateFiles("*.svg", SearchOption.TopDirectoryOnly);
+                        icons.UnionWith(dirIcons);
+                    }
+                }
+            }
+
+            // add icons from IconsPath if not already added from plugins
+            var coreIconsDirectory = new DirectoryInfo(IOHelper.MapPath($"{_globalSettings.IconsPath}/"));
+            var coreIcons = coreIconsDirectory.GetFiles("*.svg");
+
+            icons.UnionWith(coreIcons);
+
+            return icons;
+        }
+
+        private class CaseInsensitiveFileInfoComparer : IEqualityComparer<FileInfo>
+        {
+            public bool Equals(FileInfo one, FileInfo two) => StringComparer.InvariantCultureIgnoreCase.Equals(one.Name, two.Name);
+
+            public int GetHashCode(FileInfo item) => StringComparer.InvariantCultureIgnoreCase.GetHashCode(item.Name);
+        }
+
+        private IReadOnlyDictionary<string, string> GetIconDictionary() => _cache.GetCacheItem(
+            $"{typeof(IconService).FullName}.{nameof(GetIconDictionary)}",
+            () => GetAllIconsFiles()
+                .Select(GetIcon)
+                .Where(i => i != null)
+                .GroupBy(i => i.Name, StringComparer.OrdinalIgnoreCase)
+                .ToDictionary(g => g.Key, g => g.First().SvgString, StringComparer.OrdinalIgnoreCase)
+        );
     }
 }

From 41283aead9689aef05cb11841930af4f7f847ece Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen <sebastiaan@umbraco.com>
Date: Tue, 9 Mar 2021 14:54:13 +0100
Subject: [PATCH 3/5] Fix wrong version reference

---
 src/Umbraco.Web/Umbraco.Web.csproj | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index 1a6c9a49a2..405502d24c 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -66,7 +66,6 @@
     <PackageReference Include="Examine" Version="1.0.2" />
     <PackageReference Include="HtmlAgilityPack" Version="1.8.14" />
     <PackageReference Include="HtmlSanitizer">
-      <Version>4.0.217</Version>
       <Version>5.0.376</Version>
     </PackageReference>
     <PackageReference Include="ImageProcessor">

From 21bee005186f21ded03d4fa8aafcdbe800e25856 Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen <sebastiaan@umbraco.com>
Date: Thu, 11 Mar 2021 14:38:19 +0100
Subject: [PATCH 4/5] Bump version to 8.6.8

---
 src/SolutionInfo.cs                      | 4 ++--
 src/Umbraco.Web.UI/Umbraco.Web.UI.csproj | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/SolutionInfo.cs b/src/SolutionInfo.cs
index b5fb5fdd77..232fd90a8e 100644
--- a/src/SolutionInfo.cs
+++ b/src/SolutionInfo.cs
@@ -18,5 +18,5 @@ using System.Resources;
 [assembly: AssemblyVersion("8.0.0")]
 
 // these are FYI and changed automatically
-[assembly: AssemblyFileVersion("8.6.7")]
-[assembly: AssemblyInformationalVersion("8.6.7")]
+[assembly: AssemblyFileVersion("8.6.8")]
+[assembly: AssemblyInformationalVersion("8.6.8")]
diff --git a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
index bb36aeb8c2..6618d996ab 100644
--- a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
+++ b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj
@@ -345,9 +345,9 @@
         <WebProjectProperties>
           <UseIIS>False</UseIIS>
           <AutoAssignPort>True</AutoAssignPort>
-          <DevelopmentServerPort>8670</DevelopmentServerPort>
+          <DevelopmentServerPort>8680</DevelopmentServerPort>
           <DevelopmentServerVPath>/</DevelopmentServerVPath>
-          <IISUrl>http://localhost:8670</IISUrl>
+          <IISUrl>http://localhost:8680</IISUrl>
           <NTLMAuthentication>False</NTLMAuthentication>
           <UseCustomServer>False</UseCustomServer>
           <CustomServerUrl>

From 83719f3505d80abafcf200797f51b7f78fd2fdbc Mon Sep 17 00:00:00 2001
From: Bjarke Berg <mail@bergmania.dk>
Date: Fri, 12 Mar 2021 09:23:32 +0100
Subject: [PATCH 5/5] =?UTF-8?q?Fix=20issue=20with=20SqlMainDomLock=20that?=
 =?UTF-8?q?=20cannot=20use=20implicit=20lock=20timeouts=20=E2=80=A6=20(#99?=
 =?UTF-8?q?73)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

(cherry picked from commit da5351dfcf23daad69fcd73eb74811456ffc34c0)
---
 .../Configuration/GlobalSettings.cs           | 40 +++++++++++--------
 src/Umbraco.Core/Runtime/SqlMainDomLock.cs    | 15 ++++---
 2 files changed, 34 insertions(+), 21 deletions(-)

diff --git a/src/Umbraco.Core/Configuration/GlobalSettings.cs b/src/Umbraco.Core/Configuration/GlobalSettings.cs
index b7dce21285..ba5baf9e87 100644
--- a/src/Umbraco.Core/Configuration/GlobalSettings.cs
+++ b/src/Umbraco.Core/Configuration/GlobalSettings.cs
@@ -409,26 +409,34 @@ namespace Umbraco.Core.Configuration
             {
                 if (_sqlWriteLockTimeOut != default) return _sqlWriteLockTimeOut;
 
-                var timeOut = 5000; // 5 seconds
-                var appSettingSqlWriteLockTimeOut = ConfigurationManager.AppSettings[Constants.AppSettings.SqlWriteLockTimeOut];
-                if(int.TryParse(appSettingSqlWriteLockTimeOut, out var configuredTimeOut))
-                {
-                    // Only apply this setting if it's not excessively high or low
-                    const int minimumTimeOut = 100;
-                    const int maximumTimeOut = 20000;
-                    if (configuredTimeOut >= minimumTimeOut && configuredTimeOut <= maximumTimeOut) // between 0.1 and 20 seconds
-                    {
-                        timeOut = configuredTimeOut;
-                    }
-                    else
-                    {
-                      Current.Logger.Warn<GlobalSettings>($"The `{Constants.AppSettings.SqlWriteLockTimeOut}` setting in web.config is not between the minimum of {minimumTimeOut} ms and maximum of {maximumTimeOut} ms, defaulting back to {timeOut}");
-                    }
-                }
+                var timeOut = GetSqlWriteLockTimeoutFromConfigFile(Current.Logger);
 
                 _sqlWriteLockTimeOut = timeOut;
                 return _sqlWriteLockTimeOut;
             }
         }
+
+        internal static int GetSqlWriteLockTimeoutFromConfigFile(ILogger logger)
+        {
+            var timeOut = 5000; // 5 seconds
+            var appSettingSqlWriteLockTimeOut = ConfigurationManager.AppSettings[Constants.AppSettings.SqlWriteLockTimeOut];
+            if (int.TryParse(appSettingSqlWriteLockTimeOut, out var configuredTimeOut))
+            {
+                // Only apply this setting if it's not excessively high or low
+                const int minimumTimeOut = 100;
+                const int maximumTimeOut = 20000;
+                if (configuredTimeOut >= minimumTimeOut && configuredTimeOut <= maximumTimeOut) // between 0.1 and 20 seconds
+                {
+                    timeOut = configuredTimeOut;
+                }
+                else
+                {
+                    logger.Warn<GlobalSettings>(
+                        $"The `{Constants.AppSettings.SqlWriteLockTimeOut}` setting in web.config is not between the minimum of {minimumTimeOut} ms and maximum of {maximumTimeOut} ms, defaulting back to {timeOut}");
+                }
+            }
+
+            return timeOut;
+        }
     }
 }
diff --git a/src/Umbraco.Core/Runtime/SqlMainDomLock.cs b/src/Umbraco.Core/Runtime/SqlMainDomLock.cs
index f58b279a8d..6a82486c43 100644
--- a/src/Umbraco.Core/Runtime/SqlMainDomLock.cs
+++ b/src/Umbraco.Core/Runtime/SqlMainDomLock.cs
@@ -1,5 +1,6 @@
 using NPoco;
 using System;
+using System.Configuration;
 using System.Data;
 using System.Data.SqlClient;
 using System.Diagnostics;
@@ -7,6 +8,7 @@ using System.Linq;
 using System.Security.Cryptography;
 using System.Threading;
 using System.Threading.Tasks;
+using Umbraco.Core.Configuration;
 using Umbraco.Core.Logging;
 using Umbraco.Core.Persistence;
 using Umbraco.Core.Persistence.Dtos;
@@ -18,6 +20,7 @@ namespace Umbraco.Core.Runtime
 {
     internal class SqlMainDomLock : IMainDomLock
     {
+        private readonly TimeSpan _lockTimeout;
         private string _lockId;
         private const string MainDomKeyPrefix = "Umbraco.Core.Runtime.SqlMainDom";
         private const string UpdatedSuffix = "_updated";
@@ -40,6 +43,8 @@ namespace Umbraco.Core.Runtime
                Constants.System.UmbracoConnectionName,
                _logger,
                new Lazy<IMapperCollection>(() => new MapperCollection(Enumerable.Empty<BaseMapper>())));
+
+            _lockTimeout = TimeSpan.FromMilliseconds(GlobalSettings.GetSqlWriteLockTimeoutFromConfigFile(logger));
         }
 
         public async Task<bool> AcquireLockAsync(int millisecondsTimeout)
@@ -198,7 +203,7 @@ namespace Umbraco.Core.Runtime
 
                         db.BeginTransaction(IsolationLevel.ReadCommitted);
                         // get a read lock
-                        _sqlServerSyntax.ReadLock(db, Constants.Locks.MainDom);
+                        _sqlServerSyntax.ReadLock(db, _lockTimeout, Constants.Locks.MainDom);
 
                         if (!IsMainDomValue(_lockId, db))
                         {
@@ -284,7 +289,7 @@ namespace Umbraco.Core.Runtime
             {
                 transaction = db.GetTransaction(IsolationLevel.ReadCommitted);
                 // get a read lock
-                _sqlServerSyntax.ReadLock(db, Constants.Locks.MainDom);
+                _sqlServerSyntax.ReadLock(db, _lockTimeout, Constants.Locks.MainDom);
 
                 // the row
                 var mainDomRows = db.Fetch<KeyValueDto>("SELECT * FROM umbracoKeyValue WHERE [key] = @key", new { key = MainDomKey });
@@ -296,7 +301,7 @@ namespace Umbraco.Core.Runtime
                     // which indicates that we
                     // can acquire it and it has shutdown.
 
-                    _sqlServerSyntax.WriteLock(db, Constants.Locks.MainDom);
+                    _sqlServerSyntax.WriteLock(db, _lockTimeout, Constants.Locks.MainDom);
 
                     // so now we update the row with our appdomain id
                     InsertLockRecord(_lockId, db);
@@ -355,7 +360,7 @@ namespace Umbraco.Core.Runtime
             {
                 transaction = db.GetTransaction(IsolationLevel.ReadCommitted);
 
-                _sqlServerSyntax.WriteLock(db, Constants.Locks.MainDom);
+                _sqlServerSyntax.WriteLock(db, _lockTimeout, Constants.Locks.MainDom);
 
                 // so now we update the row with our appdomain id
                 InsertLockRecord(_lockId, db);
@@ -438,7 +443,7 @@ namespace Umbraco.Core.Runtime
                                 db.BeginTransaction(IsolationLevel.ReadCommitted);
 
                                 // get a write lock
-                                _sqlServerSyntax.WriteLock(db, Constants.Locks.MainDom);
+                                _sqlServerSyntax.WriteLock(db, _lockTimeout, Constants.Locks.MainDom);
 
                                 // When we are disposed, it means we have released the MainDom lock
                                 // and called all MainDom release callbacks, in this case