LabKey · labkey-jeckels · May 23, 2026
diff --git a/api/src/org/labkey/api/security/SecurityManager.java b/api/src/org/labkey/api/security/SecurityManager.java
@@ -90,6 +90,7 @@
 import org.labkey.api.security.roles.ReaderRole;
 import org.labkey.api.security.roles.Role;
 import org.labkey.api.security.roles.RoleManager;
+import org.labkey.api.settings.AppProps;
 import org.labkey.api.settings.LenientStartupPropertyHandler;
 import org.labkey.api.settings.StartupProperty;
 import org.labkey.api.settings.StartupPropertyEntry;
@@ -558,6 +559,9 @@ public static Pair<User, HttpServletRequest> attemptAuthentication(HttpServletRe
                     {
                         Cookie sessionCookie = new Cookie(JSESSIONID, session.getId());
                         sessionCookie.setPath("/");
+                        sessionCookie.setHttpOnly(true);
+                        if (AppProps.getInstance().isSSLRequired() || request.isSecure())
+                            sessionCookie.setSecure(true);
                         response.addCookie(sessionCookie);
                         request = new SessionReplacingRequest(request, session);
                     }

diff --git a/api/src/org/labkey/api/util/ExceptionUtil.java b/api/src/org/labkey/api/util/ExceptionUtil.java
@@ -1020,7 +1020,7 @@
                     response.getWriter().println();
                     response.getWriter().println();
                     response.getWriter().println("<pre>");
-                    ex.printStackTrace(response.getWriter());
+                    response.getWriter().println(PageFlowUtil.filter(ex.toString()));
                     response.getWriter().println("</pre>");
                 }
                 catch (IOException | IllegalStateException e)
@@ -1232,7 +1232,7 @@
             {
                 PrintWriter out = response.getWriter();
                 out.println("\"'>--></script><script type=\"text/javascript\" nonce=\"" + PageFlowUtil.filter(HttpView.currentPageConfig().getScriptNonce()) + "\">");
-                out.println("window.location = '" + PageFlowUtil.filter(url) + "';");
+                out.println("window.location = " + PageFlowUtil.jsString(url) + ";");
                 out.println("</script>");
             }
         }

diff --git a/api/src/org/labkey/api/util/PageFlowUtil.java b/api/src/org/labkey/api/util/PageFlowUtil.java
@@ -449,6 +449,12 @@ public static String jsString(String s)
                 case '\"':
                     js.append("\\\"");
                     break;
+                case '\u2028':
+                    js.append("\\u2028");
+                    break;
+                case '\u2029':
+                    js.append("\\u2029");
+                    break;
                 default:
                     js.append(c);
                     break;
@@ -1403,12 +1409,12 @@ public static HtmlString generateBackButton(String text)
     }
 
     /* Renders text and a drop down arrow image wrapped in a link not of type labkey-button */
-    public static HtmlString generateDropDownTextLink(String text, String href, String onClick, boolean bold, String offset,
+    public static HtmlString generateDropDownTextLink(String text, String href, boolean bold,
                                                   String id, Map<String, String> properties)
     {
         if (StringUtils.isBlank(id))
             id = HttpView.currentPageConfig().makeId("dropdown_");
-        String onclick = "if (this.className.indexOf('labkey-disabled-button') != -1) return false; " + (onClick == null ? "" :onClick);
+        String onclick = "if (this.className.indexOf('labkey-disabled-button') != -1) return false; ";
         HttpView.currentPageConfig().addHandler(id+"PopupLink", "click", onclick);
         return DOM.createHtmlFragment(
             A(at(properties).id(id+"PopupLink").cl("labkey-menu-text-link","dropdown-toggle").at(bold, style, "font-weight:bold;").at(DOM.Attribute.href, href),
@@ -1419,13 +1425,13 @@ public static HtmlString generateDropDownTextLink(String text, String href, Stri
     }
 
     /* Renders image and a drop down wrapped in an unstyled link */
-    public static HtmlString generateDropDownImage(String text, String href, String onClick, String imageSrc, String imageId,
+    public static HtmlString generateDropDownImage(String text, String href, String imageSrc, String imageId,
                                                Integer imageHeight, Integer imageWidth, Map<String, String> properties)
     {
         var page = HttpView.currentPageConfig();
 
         String anchorId = page.makeId("A_");
-        String onclick="if (this.className.indexOf('labkey-disabled-button') != -1) return false; " + (onClick == null ? "" : onClick);
+        String onclick="if (this.className.indexOf('labkey-disabled-button') != -1) return false; ";
         page.addHandler(anchorId, "click", onclick);
         return DOM.createHtmlFragment(
             A(at(properties).id(anchorId).at(DOM.Attribute.href,href),
@@ -1434,8 +1440,8 @@ public static HtmlString generateDropDownImage(String text, String href, String
     }
 
     /* Renders image using font icon and a drop down wrapped in an unstyled link */
-    public static HtmlString generateDropDownFontIconImage(String text, String href, String onClick, String imageCls,
-                                                       String imageId, Map<String, String> properties)
+    public static HtmlString generateDropDownFontIconImage(String text, String href, String imageCls,
+                                                           String imageId, Map<String, String> properties)
     {
         PageConfig page = HttpView.currentPageConfig();
         String id = page.makeId("a_");

diff --git a/api/src/org/labkey/api/view/PopupMenu.java b/api/src/org/labkey/api/view/PopupMenu.java
@@ -49,7 +49,6 @@ public class PopupMenu extends DisplayElement
     private Align _align = Align.LEFT;
     private ButtonStyle _buttonStyle = ButtonStyle.MENUBUTTON;
     private String _imageId = "";
-    private String _offset = "-1";
     private String _safeID = "lk-menu-" + UniqueID.getServerSessionScopedUID();
 
     public PopupMenu()
@@ -69,11 +68,6 @@ public PopupMenu(NavTree navTree, Align align, ButtonStyle buttonStyle)
         _buttonStyle = buttonStyle;
     }
 
-    public void setOffset(String offset)
-    {
-        _offset = offset;
-    }
-
     public NavTree getNavTree()
     {
         return _navTree;
@@ -130,7 +124,6 @@ public void renderMenuButton(@Nullable RenderContext ctx, HtmlWriter out, boolea
             _safeID = _navTree.getId();
 
         Map<String, String> attributes = new HashMap<>();
-        String onClickScript = null;
 
         attributes.put("data-toggle", "dropdown");
 
@@ -148,7 +141,7 @@ public void renderMenuButton(@Nullable RenderContext ctx, HtmlWriter out, boolea
                 if (_buttonStyle == ButtonStyle.TEXTBUTTON)
                 {
                     assert !requiresSelection : "Only button-style popups can require selection.";
-                    out.write(LinkBuilder.labkeyLink(_navTree.getText()).onClick(onClickScript).attributes(attributes).addClass("dropdown-toggle"));
+                    out.write(LinkBuilder.labkeyLink(_navTree.getText()).attributes(attributes).addClass("dropdown-toggle"));
                 }
                 else if (_buttonStyle == ButtonStyle.MENUBUTTON)
                 {
@@ -157,7 +150,6 @@ else if (_buttonStyle == ButtonStyle.MENUBUTTON)
 
                     ButtonBuilder bldr = PageFlowUtil.button(_navTree.getText())
                         .dropdown(true)
-                        .onClick(onClickScript)
                         .attributes(attributes);
 
                     if (button != null)
@@ -174,14 +166,13 @@ else if (_buttonStyle == ButtonStyle.IMAGE || _buttonStyle == ButtonStyle.IMAGE_
                     assert !requiresSelection : "Only button-style popups can require selection.";
                     if (_navTree.getImageCls() != null && !_navTree.getImageCls().isEmpty())
                     {
-                        out.write(PageFlowUtil.generateDropDownFontIconImage(_navTree.getText(), "#",
-                            onClickScript, _navTree.getImageCls(), _imageId, attributes));
+                        out.write(PageFlowUtil.generateDropDownFontIconImage(_navTree.getText(), "#", _navTree.getImageCls(), _imageId, attributes));
                     }
                     else
                     {
                         assert _navTree.getImageSrc() != null && !_navTree.getImageSrc().isEmpty() : "Must provide an image source or image cls for image based popups.";
                         out.write(PageFlowUtil.generateDropDownImage(_navTree.getText(), "#",
-                            onClickScript, _navTree.getImageSrc(), _imageId, _navTree.getImageHeight(), _navTree.getImageWidth(), attributes));
+                             _navTree.getImageSrc(), _imageId, _navTree.getImageHeight(), _navTree.getImageWidth(), attributes));
                     }
 
                     if (_buttonStyle == ButtonStyle.IMAGE_AND_TEXT)
@@ -194,7 +185,7 @@ else if (_buttonStyle == ButtonStyle.IMAGE || _buttonStyle == ButtonStyle.IMAGE_
                 {
                     assert !requiresSelection : "Only button-style popups can require selection.";
                     out.write(PageFlowUtil.generateDropDownTextLink(_navTree.getText(), "#",
-                        onClickScript, _buttonStyle == ButtonStyle.BOLDTEXT, _offset, _navTree.getId(), attributes));
+                        _buttonStyle == ButtonStyle.BOLDTEXT, _navTree.getId(), attributes));
                 }
 
                 UL(

diff --git a/core/src/org/labkey/core/view/template/bootstrap/ViewServiceImpl.java b/core/src/org/labkey/core/view/template/bootstrap/ViewServiceImpl.java
@@ -526,9 +526,7 @@ else if (!config._isWebpart)
                         {
                             try
                             {
-                                link.setText(link.getText());  // Huh? Looks like a total no-op to me.
                                 PopupMenu more = new PopupMenu(link, PopupMenu.Align.RIGHT, PopupMenu.ButtonStyle.TEXT);
-                                more.setOffset("-7");
                                 more.render(out);
                             }
                             catch (Exception e)

diff --git a/experiment/src/org/labkey/experiment/XarExporter.java b/experiment/src/org/labkey/experiment/XarExporter.java
@@ -1532,8 +1532,7 @@ public void writeAsArchive(OutputStream out) throws IOException, ExperimentExcep
                 zOut.putNextEntry(errorEntry);
 
                 final PrintStream ps = new PrintStream(zOut, true);
-                ps.println("Failed to complete export of the XAR file: ");
-                e.printStackTrace(ps);
+                ps.println("Failed to complete export of the XAR file: " + e);
                 zOut.closeEntry();
                 throw e;
             }