From 0386d712b36e44bf07cbb57903b1ed6434bdb366 Mon Sep 17 00:00:00 2001
From: Sergey <sergey.gorbaty@salesforce.com>
Date: Wed, 26 Apr 2017 15:35:53 -0700
Subject: [PATCH 1/2] Adding AST Negation expression

---
 pmd-visualforce/etc/grammar/VfParser.jjt      | 19 +++++++++--------
 .../lang/vf/ast/ASTNegationExpression.java    | 21 +++++++++++++++++++
 .../lang/vf/ast/VfParserVisitorAdapter.java   |  5 +++++
 .../pmd/lang/vf/rule/AbstractVfRule.java      |  5 +++++
 .../vf/rule/security/VfUnescapeElRule.java    |  9 ++++++--
 5 files changed, 48 insertions(+), 11 deletions(-)
 create mode 100644 pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/ast/ASTNegationExpression.java

diff --git a/pmd-visualforce/etc/grammar/VfParser.jjt b/pmd-visualforce/etc/grammar/VfParser.jjt
index f92958a36b..5e1bbf20d1 100644
--- a/pmd-visualforce/etc/grammar/VfParser.jjt
+++ b/pmd-visualforce/etc/grammar/VfParser.jjt
@@ -146,7 +146,7 @@ PARSER_END(VfParser)
 	| <GE: ">=" >
 	| <LT: "<" >
 	| <GT: ">" >
-	| <EXCL: ("!"|"~") >
+	| <EXCL: ("!"|"~"|"NOT") >
 	| <PIPE_PIPE: "||" >
 	| <STRING_LITERAL: <QUOTED_STRING> >
 	| <DIGITS: (<NUM_CHAR>)+ (<DOT> (<NUM_CHAR>)+)? >
@@ -496,14 +496,7 @@ void UnaryExpression()  #void :
 {}
 {
 	  ( <PLUS> | <MINUS> ) UnaryExpression()
-	|  NegationExpression()
-}
-
-void NegationExpression() #void :
-{}
-{
-  ( <EXCL> ) UnaryExpression()
-|  PrimaryExpression()
+	|  PrimaryExpression()
 }
 
 void PrimaryExpression() #void :
@@ -537,6 +530,7 @@ void PrimaryPrefix() #void :
 	| Identifier()	
 	| <LPAREN> Expression() <RPAREN>
 	| <LSQUARE> Expression() (<COMMA> Expression())*   <RSQUARE>
+	| NegationExpression()
 }
 
 void PrimarySuffix() #void :
@@ -547,6 +541,13 @@ void PrimarySuffix() #void :
 	| Arguments()
 }
 
+void NegationExpression() :
+{}
+{
+  ( <EXCL> ) Expression()
+}
+
+
 void DotExpression() :
 {}
 {
diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/ast/ASTNegationExpression.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/ast/ASTNegationExpression.java
new file mode 100644
index 0000000000..6bd638c3e9
--- /dev/null
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/ast/ASTNegationExpression.java
@@ -0,0 +1,21 @@
+/**
+ * BSD-style license; for more info see http://pmd.sourceforge.net/license.html
+ */
+
+package net.sourceforge.pmd.lang.vf.ast;
+
+public class ASTNegationExpression extends AbstractVFNode {
+    public ASTNegationExpression(int id) {
+        super(id);
+    }
+
+    public ASTNegationExpression(VfParser p, int id) {
+        super(p, id);
+    }
+
+    /** Accept the visitor. **/
+    public Object jjtAccept(VfParserVisitor visitor, Object data) {
+
+        return visitor.visit(this, data);
+    }
+}
diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/ast/VfParserVisitorAdapter.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/ast/VfParserVisitorAdapter.java
index 92f3b78f47..8600cc48ac 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/ast/VfParserVisitorAdapter.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/ast/VfParserVisitorAdapter.java
@@ -85,4 +85,9 @@ public class VfParserVisitorAdapter implements VfParserVisitor {
         return visit((VfNode) node, data);
     }
     
+    @Override
+    public Object visit(ASTNegationExpression node, Object data) {
+        return visit((VfNode) node, data);
+    }
+    
 }
diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/AbstractVfRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/AbstractVfRule.java
index 1aae4e465f..ae0d0362e2 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/AbstractVfRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/AbstractVfRule.java
@@ -28,6 +28,7 @@ import net.sourceforge.pmd.lang.vf.ast.ASTExpression;
 import net.sourceforge.pmd.lang.vf.ast.ASTHtmlScript;
 import net.sourceforge.pmd.lang.vf.ast.ASTIdentifier;
 import net.sourceforge.pmd.lang.vf.ast.ASTLiteral;
+import net.sourceforge.pmd.lang.vf.ast.ASTNegationExpression;
 import net.sourceforge.pmd.lang.vf.ast.ASTText;
 import net.sourceforge.pmd.lang.vf.ast.VfNode;
 import net.sourceforge.pmd.lang.vf.ast.VfParserVisitor;
@@ -127,4 +128,8 @@ public abstract class AbstractVfRule extends AbstractRule implements VfParserVis
         return visit((VfNode) node, data);
     }
 
+    public Object visit(ASTNegationExpression node, Object data) {
+        return visit((VfNode) node, data);
+    }
+
 }
diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
index 9687b54175..89145c4ff2 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@@ -21,6 +21,7 @@ import net.sourceforge.pmd.lang.vf.ast.ASTExpression;
 import net.sourceforge.pmd.lang.vf.ast.ASTHtmlScript;
 import net.sourceforge.pmd.lang.vf.ast.ASTIdentifier;
 import net.sourceforge.pmd.lang.vf.ast.ASTLiteral;
+import net.sourceforge.pmd.lang.vf.ast.ASTNegationExpression;
 import net.sourceforge.pmd.lang.vf.ast.ASTText;
 import net.sourceforge.pmd.lang.vf.ast.AbstractVFNode;
 import net.sourceforge.pmd.lang.vf.rule.AbstractVfRule;
@@ -245,6 +246,11 @@ public class VfUnescapeElRule extends AbstractVfRule {
     private boolean startsWithSafeResource(final ASTElExpression el) {
         final ASTExpression expression = el.getFirstChildOfType(ASTExpression.class);
         if (expression != null) {
+            final ASTNegationExpression negation = expression.getFirstChildOfType(ASTNegationExpression.class);
+            if (negation != null) {
+                return true;
+            }
+            
             final ASTIdentifier id = expression.getFirstChildOfType(ASTIdentifier.class);
             if (id != null) {
                 List<ASTArguments> args = expression.findChildrenOfType(ASTArguments.class);
@@ -254,8 +260,7 @@ public class VfUnescapeElRule extends AbstractVfRule {
                     case "casesafeid":
                     case "begins":
                     case "contains":
-                    case "len":
-                    case "not":
+                    case "len":                    
                     case "getrecordids":
                     case "linkto":
                     case "sqrt":

From 74199a0d9b014a45a95c222cd673cb1ff08b290d Mon Sep 17 00:00:00 2001
From: Sergey <sergey.gorbaty@salesforce.com>
Date: Wed, 26 Apr 2017 15:39:42 -0700
Subject: [PATCH 2/2] Additional test case

---
 .../sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
index 4637e4de4d..1c45dc52b4 100644
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@@ -567,6 +567,7 @@ NOT method evaluates to safe boolean
 <apex:page>
 	<script>
 		if({!NOT(yes)}) { maskFormEls(); }
+		if({!NOT foo(yes)}) { maskFormEls(); }
 	</script>
 </apex:page>
 ]]></code>