LabKey · labkey-jeckels · May 8, 2026
diff --git a/api/src/org/labkey/api/security/GroupManager.java b/api/src/org/labkey/api/security/GroupManager.java
@@ -205,7 +205,9 @@ private static void appendDotAttribute(StringBuilder sb, boolean prependComma, S
         if (prependComma)
             sb.append(", ");
 
-        sb.append(name).append("=\"").append(value).append("\"");
+        // Escape backslashes first, then quotes, to produce a valid DOT quoted string
+        String escaped = value.replace("\\", "\\\\").replace("\"", "\\\"");
+        sb.append(name).append("=\"").append(escaped).append("\"");
     }
 
     public static void exportGroupMembers(Group group, List<Group> memberGroups, List<User> memberUsers, GroupType xmlGroupType)

diff --git a/core/src/org/labkey/core/CoreController.java b/core/src/org/labkey/core/CoreController.java
@@ -487,7 +487,7 @@ else if (form.getSchemaName() != null && form.getQueryName() != null && form.get
                 {
                     throw new NotFoundException("The file '" + file.getName() + "' attached to the object '" + identifiable.getName() + "' cannot be found. It may have been deleted.");
                 }
-                throw new NotFoundException("File " + file.getPath() + " does not exist on the server file system. It may have been deleted.");
+                throw new NotFoundException("File " + file.getName() + " does not exist on the server file system. It may have been deleted.");
             }
 
             if (file.isDirectory())
@@ -654,6 +654,7 @@ private static byte[] compressCSS(String s)
         catch (StackOverflowError e)
         {
             // replaceAll() can blow up
+            _log.error("StackOverflowError compressing CSS");
         }
         return Compress.compressGzip(c.trim());
     }
@@ -935,6 +936,11 @@ public void validateForm(SimpleApiJsonForm form, Errors errors)
                 errors.reject(ERROR_MSG, "The container '" + parentIdentifier + "' is not a valid parent folder.");
                 return;
             }
+
+            if (!target.hasPermission(getUser(), AdminPermission.class))
+            {
+                throw new UnauthorizedException("You must be an administrator for the target container");
+            }
         }
 
         @Override
@@ -2390,6 +2396,10 @@ public Object execute(Object o, BindException errors)
         }
     }
 
+    /**
+     * This action doesn't require any permissions, as the call to WarningService.getWarnings()
+     * only returns warnings appropriate for the user/guest
+     */
     @RequiresNoPermission
     @AllowedDuringUpgrade
     public static class DisplayWarningsAction extends MutatingApiAction<Object>
@@ -2721,7 +2731,7 @@ public void setToFormat(String toFormat)
     }
 
     @SuppressWarnings("unused") // Called from JavaScript: discuss.js, wikiEdit.js
-    @RequiresNoPermission
+    @RequiresPermission(ReadPermission.class)
     public static class TransformWikiAction extends MutatingApiAction<TransformWikiForm>
     {
         @Override