feat: File upload client validation

pom.xml

@@ -15,7 +15,8 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
 -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <parent>
     <groupId>org.apache.myfaces</groupId>
@@ -27,7 +28,9 @@
   <packaging>pom</packaging>
   <name>Apache Tobago</name>
   <version>5.14.0-SNAPSHOT</version>
-  <description>The goal of Tobago is to provide the community with a well designed set of user interface components based on JSF and run on MyFaces.</description>
+  <description>The goal of Tobago is to provide the community with a well designed set of user interface components
+    based on JSF and run on MyFaces.
+  </description>
   <url>http://myfaces.apache.org/tobago</url>
   <inceptionYear>2002</inceptionYear>
 
@@ -95,7 +98,9 @@
       <name>Myfaces Developer List (use [Tobago] prefix)</name>
       <subscribe>dev-subscribe@myfaces.apache.org</subscribe>
       <unsubscribe>dev-unsubscribe@myfaces.apache.org</unsubscribe>
-      <post>List for posting patches and discussing internal code implementation issues. Subscribe to this list before posting</post>
+      <post>List for posting patches and discussing internal code implementation issues. Subscribe to this list before
+        posting
+      </post>
       <archive>https://lists.apache.org/list.html?dev@myfaces.apache.org</archive>
       <otherArchives>
         <otherArchive>http://mail-archives.apache.org/mod_mbox/myfaces-dev</otherArchive>
@@ -123,7 +128,8 @@
       <archive>https://lists.apache.org/list.html?notifications@myfaces.apache.org</archive>
       <otherArchives>
         <otherArchive>http://mail-archives.apache.org/mod_mbox/myfaces-notifications</otherArchive>
-        <otherArchive>http://myfaces.markmail.org/search/?q=#query:list%3Aorg.apache.myfaces.notifications</otherArchive>
+        <otherArchive>http://myfaces.markmail.org/search/?q=#query:list%3Aorg.apache.myfaces.notifications
+        </otherArchive>
       </otherArchives>
     </mailingList>
     <mailingList>
@@ -275,14 +281,14 @@
         <scope>test</scope>
       </dependency>
       <!--        myfaces "next"-->
-<!--
-      <dependency>
-        <groupId>org.apache.myfaces.core</groupId>
-        <artifactId>myfaces-test</artifactId>
-        <version>${myfaces23.version}</version>
-        <scope>test</scope>
-      </dependency>
--->
+      <!--
+            <dependency>
+              <groupId>org.apache.myfaces.core</groupId>
+              <artifactId>myfaces-test</artifactId>
+              <version>${myfaces23.version}</version>
+              <scope>test</scope>
+            </dependency>
+      -->
       <!-- needed for myfaces 2.0 - 2.3 -->
       <dependency>
         <groupId>commons-collections</groupId>
@@ -450,6 +456,51 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>de.thetaphi</groupId>
+        <artifactId>forbiddenapis</artifactId>
+        <version>3.8</version>
+        <configuration>
+          <!--
+            if the used Java version is too new,
+            don't fail, just do nothing:
+          -->
+          <failOnUnsupportedJava>false</failOnUnsupportedJava>
+          <!--
+            If a class is missing while parsing signatures files, all methods
+            and fields from this class are silently ignored. This is useful
+            in multi-module Maven projects where only some modules have the
+            dependency to which the signature file(s) apply.
+
+            This settings prints no warning at all, so verify the signatures
+            at least once with full dependencies.
+          -->
+          <!--          <ignoreSignaturesOfMissingClasses>true</ignoreSignaturesOfMissingClasses>-->
+          <bundledSignatures>
+            <!--
+              This will automatically choose the right
+              signatures based on 'maven.compiler.target':
+            -->
+            <!--            <bundledSignature>jdk-unsafe</bundledSignature>-->
+            <!--            <bundledSignature>jdk-deprecated</bundledSignature>-->
+            <!-- disallow undocumented classes like sun.misc.Unsafe: -->
+            <bundledSignature>jdk-non-portable</bundledSignature>
+            <!-- don't allow unsafe reflective access: -->
+            <bundledSignature>jdk-reflection</bundledSignature>
+          </bundledSignatures>
+          <!--          <signaturesFiles>-->
+          <!--            <signaturesFile>./rel/path/to/signatures.txt</signaturesFile>-->
+          <!--          </signaturesFiles>-->
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+              <goal>testCheck</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
     <pluginManagement>
       <plugins>
@@ -563,10 +614,10 @@
             <childDelegation>false</childDelegation>
             <forkMode>perTest</forkMode>
             -->
-<!--
-            <argLine>-Xdebug -Xnoagent -Djava.compiler=NONE
-            -Xrunjdwp:transport=dt_socket,address=5005,server=y,suspend=y</argLine>
--->
+            <!--
+                        <argLine>-Xdebug -Xnoagent -Djava.compiler=NONE
+                        -Xrunjdwp:transport=dt_socket,address=5005,server=y,suspend=y</argLine>
+            -->
           </configuration>
         </plugin>
         <plugin>
@@ -581,10 +632,10 @@
           <configuration>
             <!-- switched off check in Java 8 -->
             <additionalparam>
-                -Xdoclint:accessibility
-                -Xdoclint:html
-                -Xdoclint:reference
-                -Xdoclint:syntax
+              -Xdoclint:accessibility
+              -Xdoclint:html
+              -Xdoclint:reference
+              -Xdoclint:syntax
             </additionalparam>
           </configuration>
         </plugin>
@@ -793,20 +844,20 @@
 
   <!-- Use this to include the staging repository for testing a new unreleased myfaces core.
   Change the number 1100 the the current for that. -->
-<!--
-  <repositories>
-    <repository>
-      <id>myfaces-staging</id>
-      <url>https://repository.apache.org/content/repositories/orgapachemyfaces-1100/</url>
-    </repository>
-  </repositories>
-  <pluginRepositories>
-    <pluginRepository>
-      <id>myfaces-staging</id>
-      <url>https://repository.apache.org/content/repositories/orgapachemyfaces-1100/</url>
-    </pluginRepository>
-  </pluginRepositories>
--->
+  <!--
+    <repositories>
+      <repository>
+        <id>myfaces-staging</id>
+        <url>https://repository.apache.org/content/repositories/orgapachemyfaces-1100/</url>
+      </repository>
+    </repositories>
+    <pluginRepositories>
+      <pluginRepository>
+        <id>myfaces-staging</id>
+        <url>https://repository.apache.org/content/repositories/orgapachemyfaces-1100/</url>
+      </pluginRepository>
+    </pluginRepositories>
+  -->
   <repositories>
     <repository>
       <releases>
@@ -1013,7 +1064,9 @@
             <executions>
               <execution>
                 <id>attach-javadoc</id>
-                <goals><goal>jar</goal></goals>
+                <goals>
+                  <goal>jar</goal>
+                </goals>
               </execution>
             </executions>
           </plugin>
@@ -1023,7 +1076,9 @@
             <executions>
               <execution>
                 <id>attach-source</id>
-                <goals><goal>jar</goal></goals>
+                <goals>
+                  <goal>jar</goal>
+                </goals>
               </execution>
             </executions>
           </plugin>
@@ -1062,8 +1117,8 @@
       <activation>
         <property>
           <name>!jsf</name>
-<!--          <name>jsf</name>-->
-<!--          <value>myfaces-2.3</value>-->
+          <!--          <name>jsf</name>-->
+          <!--          <value>myfaces-2.3</value>-->
         </property>
       </activation>
       <dependencyManagement>

tobago-core/src/main/java/org/apache/myfaces/tobago/convert/DurationConverter.java

@@ -29,10 +29,9 @@
 import javax.faces.convert.Converter;
 import javax.faces.convert.ConverterException;
 import java.lang.invoke.MethodHandles;
-import java.text.DecimalFormat;
-import java.text.NumberFormat;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 import java.util.StringTokenizer;
 
 /**
@@ -80,7 +79,6 @@ public String getAsString(
     final double factor = getUnitFactor(component);
     aDouble = aDouble * factor;
 
-    final NumberFormat format = new DecimalFormat("00");
     long value = Double.valueOf(aDouble).longValue();
     final int seconds = (int) (value % 60);
     value = value / 60;
@@ -89,11 +87,11 @@ public String getAsString(
     final String string;
     if (value > 0) {
       string = (negative ? "-" : "") + value + ":"
-          + format.format(minutes) + ":"
-          + format.format(seconds);
+          + String.format(Locale.ROOT, "%02d", minutes) + ":"
+          + String.format(Locale.ROOT, "%02d", seconds);
     } else {
       string = (negative ? "-" : "") + minutes + ":"
-          + format.format(seconds);
+          + String.format(Locale.ROOT, "%02d", seconds);
     }
     LOG.debug("string = '{}'", string);
     return string;

tobago-core/src/main/java/org/apache/myfaces/tobago/layout/Measure.java

@@ -25,6 +25,7 @@
 
 import java.io.Serializable;
 import java.lang.invoke.MethodHandles;
+import java.util.Locale;
 
 /**
  * In PDLs the class {@link org.apache.myfaces.tobago.layout.MeasureEditor} will convert the string literals.
@@ -113,7 +114,7 @@ public static Measure valueOf(final String s, final Unit defaultUnit) {
       for (int i = 4; i >= 2; i--) {
         final int pos = length - i;
         if (length >= i && Character.isLetter(s.charAt(pos))) {
-          return new Measure(s.substring(0, pos), Unit.valueOf(s.substring(pos).toUpperCase()));
+          return new Measure(s.substring(0, pos), Unit.valueOf(s.substring(pos).toUpperCase(Locale.ROOT)));
         }
       }
       return new Measure(s, defaultUnit);
@@ -214,7 +215,7 @@ public enum Unit {
     private final String value;
 
     Unit() {
-      value = name().equals("PERCENT") ? "%" : name().toLowerCase();
+      value = name().equals("PERCENT") ? "%" : name().toLowerCase(Locale.ROOT);
     }
 
     String getValue() {

tobago-core/src/main/java/org/apache/myfaces/tobago/model/SuggestFilter.java

@@ -19,6 +19,8 @@
 
 package org.apache.myfaces.tobago.model;
 
+import java.util.Locale;
+
 public enum SuggestFilter {
 
   all,
@@ -30,13 +32,13 @@ public enum SuggestFilter {
   public static final String CONTAINS = "contains";
 
   public String getValue() {
-    return name().toLowerCase();
+    return name().toLowerCase(Locale.ROOT);
   }
 
   public static SuggestFilter parse(final String string) {
     if (string == null) {
       return null;
     }
-    return valueOf(string.toUpperCase());
+    return valueOf(string.toUpperCase(Locale.ROOT));
   }
 }

tobago-core/src/main/java/org/apache/myfaces/tobago/renderkit/css/Icons.java

@@ -23,6 +23,7 @@
 import org.slf4j.LoggerFactory;
 
 import java.lang.invoke.MethodHandles;
+import java.util.Locale;
 import java.util.regex.Pattern;
 
 /**
@@ -62,7 +63,7 @@ public enum Icons implements CssItem {
   private final String clazz;
 
   Icons() {
-    this.clazz = "bi-" + name().toLowerCase().replaceAll("_", "-");
+    this.clazz = "bi-" + name().toLowerCase(Locale.ROOT).replaceAll("_", "-");
   }
 
   @Override

tobago-core/src/main/java/org/apache/myfaces/tobago/util/DebugPhaseListener.java

@@ -34,6 +34,7 @@
 import java.lang.invoke.MethodHandles;
 import java.text.MessageFormat;
 import java.util.Iterator;
+import java.util.Locale;
 import java.util.Map;
 
 public class DebugPhaseListener implements PhaseListener {
@@ -83,10 +84,14 @@ public void afterPhase(final PhaseEvent phaseEvent) {
         for (final Iterator<FacesMessage> messageIterator
              = facesContext.getMessages(clientId); messageIterator.hasNext(); ) {
           final FacesMessage msg = messageIterator.next();
-          LOG.info(MessageFormat.format("Faces message found."
-                  + "\n  Component: {0} \n  Severity : {1}"
-                  + "\n  Summary  : {2} \n  Detail   : {3}",
-              clientId, msg.getSeverity(), msg.getSummary(), msg.getDetail()));
+          MessageFormat messageFormat = new MessageFormat("""
+              Faces message found.
+                Component: {0}
+                Severity : {1}
+                Summary  : {2}
+                Detail   : {3}""", Locale.ROOT);
+          LOG.info(messageFormat.format(new Object[]{
+              clientId, msg.getSeverity(), msg.getSummary(), msg.getDetail()}));
         }
       }
     }

tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java

@@ -32,6 +32,7 @@
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 
@@ -176,7 +177,7 @@ public void testUniqueness() throws IllegalAccessException {
     // check hash code values
     for (final Field field : fields) {
       final int hash = field.getInt(dummy);
-      final String name = field.getName().toLowerCase().replace('_', '-');
+      final String name = field.getName().toLowerCase(Locale.ROOT).replace('_', '-');
       Assertions.assertEquals(name.hashCode(), hash, "Are the constants correct?");
     }
   }

tobago-core/src/test/java/org/apache/myfaces/tobago/internal/renderkit/renderer/RendererTestBase.java

@@ -27,6 +27,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.stream.Collectors;
@@ -43,7 +44,7 @@ protected String loadHtml(final String fileName) throws IOException {
       if (is == null) {
         throw new FileNotFoundException(fileName);
       }
-      try (InputStreamReader isr = new InputStreamReader(is);
+      try (InputStreamReader isr = new InputStreamReader(is, StandardCharsets.UTF_8);
            BufferedReader reader = new BufferedReader(isr)) {
         final String xml = reader.lines().collect(Collectors.joining(System.lineSeparator()))
             .replaceAll("<!--[^>]*-->", "")

tobago-core/src/test/java/org/apache/myfaces/tobago/renderkit/html/AriasUnitTest.java

@@ -23,6 +23,7 @@
 import org.junit.jupiter.api.Test;
 
 import java.lang.reflect.Field;
+import java.util.Locale;
 
 public class AriasUnitTest {
 
@@ -36,7 +37,7 @@ public void testAttributeNames() throws IllegalAccessException {
 
       final String extension = value.substring("aria-".length());
       final String name = field.getName();
-      Assertions.assertEquals(name, extension.toUpperCase());
+      Assertions.assertEquals(name, extension.toUpperCase(Locale.ROOT));
     }
   }