From 81c67a5df2549554e6dde127c2fadbc614f4ff6e Mon Sep 17 00:00:00 2001
From: Sergey
Date: Thu, 2 Mar 2017 17:28:54 -0800
Subject: [PATCH] Fallback for JS arrays and defs
---
 .../vf/rule/security/VfUnescapeElRule.java | 6 +++++
 .../vf/rule/security/xml/VfUnescapeEl.xml | 24 +++++++++++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
index 0255fe2962..be0263f2d0 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@@ -94,6 +94,10 @@ public class VfUnescapeElRule extends AbstractVfRule {
 private boolean isUnbalanced(String image, String pattern) {
 int occurance = 0;
 int index = image.indexOf("=");
+ if (index < 0) {
+ index = image.indexOf(":");
+ }
+ index = image.indexOf(pattern, index + 1);
 while (index >= 0) {
 occurance++;
@@ -227,6 +231,8 @@ public class VfUnescapeElRule extends AbstractVfRule {
 case "$site":
 case "$page":
 case "$action":
+ case "casesafeid":
+ case "$remoteaction":
 return true;
 }
diff --git a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
index 1b32a95d80..6e49f6e617 100644
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@@ -3,7 +3,27 @@ + 0 + + + emailTemplates.push({ + id: '{!template.id}', + name: "{!JSENCODE(HTMLENCODE(template.name))}" + }); + + +]]> + vf + + + + + + 0 0
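Review bot: In the fallback added to `isUnbalanced`, `:` is consulted only when the image contains no `=` at all, so when a `:` comes first and an `=` appears later, counting still starts at the `=` and any quote between the two is skipped. The quote parity presumably decides whether the expression is treated as sitting inside a quoted string, so a skipped quote can hide a finding or raise a false one in this XSS rule. Starting from whichever delimiter occurs first is more predictable: `int eq = image.indexOf("="); int colon = image.indexOf(":");` followed by `int index = (eq < 0 || (colon >= 0 && colon < eq)) ? colon : eq;`. When neither delimiter is present `index` stays -1 and the scan starts at offset 0, which deserves a comment such as `// no '=' or ':' in the image: count from its start`. The method's loop body and return lie outside the hunk.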
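Review bot: The two labels added to this switch, `casesafeid` and `$remoteaction`, appear to widen what the rule accepts without an escaping call, yet nothing in the change records why they are safe, and `casesafeid` is a function name placed among `$`-prefixed globals. A comment above them would make the allowlist auditable, e.g. `// CASESAFEID() yields an 18-character record id; $RemoteAction yields a remoting method reference`. Each entry also deserves its own case in VfUnescapeEl.xml, since the test added by this commit appears to exercise only the object-literal fallback. The lowercase labels presumably rely on the caller lower-casing the identifier before the switch; the switch header and the enclosing method are outside the hunk, so that should be confirmed there.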