XWIKI-21122: Improve escaping of configuration section headings

* Also improve escaping of the document reference in other places.
xwiki · Aug 2, 2023 · 749f6ae · 749f6ae
1 parent 1157c1e
commit 749f6ae
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 2 deletions.
diff --git a/...istration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClass.xml b/...istration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClass.xml
@@ -161,6 +161,9 @@ $xwiki.jsfx.use('js/xwiki/actionbuttons/actionButtons.js', true)
             {{warning}}{{translation key="xe.admin.configurable.cannotLockNoJavascript"/}}{{/warning}}
 
           &lt;/noscript&gt;
+        {{/html}}
+
+        {{html clean=false}}
           &lt;script&gt;
             document.observe("xwiki:dom:loaded", function() {
               XWiki.DocumentLock &amp;&amp; new XWiki.DocumentLock('$escapetool.javascript($app.prefixedFullName)').lock();
@@ -446,8 +449,8 @@ $xwiki.jsfx.use('js/xwiki/actionbuttons/actionButtons.js', true)
 
   ## Finally we display an error message if there are any applications which we were unable to view.
   #if($appsUserCannotView.size() &gt; 0)
-
-    {{error}}$services.localization.render('xe.admin.configurable.noViewAccessSomeApplications', [$appsUserCannotView]){{/error}}
+    {{error}}$services.localization.render('xe.admin.configurable.noViewAccessSomeApplications',
+      'xwiki/2.1', [$appsUserCannotView]){{/error}}
 
   #end
 #end## If we should be looking at the main administration page.

diff --git a/...m-administration-ui/src/test/java/org/xwiki/administration/ConfigurableClassPageTest.java b/...m-administration-ui/src/test/java/org/xwiki/administration/ConfigurableClassPageTest.java
@@ -21,6 +21,7 @@
 
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 import org.jsoup.nodes.Document;
 import org.junit.jupiter.api.BeforeEach;
@@ -182,4 +183,29 @@ void checkScriptRight(boolean hasScript) throws Exception
         }
         assertEquals(expected, htmlPage.selectFirst("h2").text());
     }
+
+    @Test
+    void escapeNonViewableSections() throws Exception
+    {
+        // Create a new section document.
+        XWikiDocument mySectionDoc = new XWikiDocument(MY_SECTION);
+        this.xwiki.saveDocument(mySectionDoc, this.context);
+
+        when(this.oldcore.getMockRightService()
+            .hasAccessLevel(eq("view"), any(), eq("xwiki:" + MY_SECTION_SERIALIZED), any())).thenReturn(false);
+
+        // Make sure the section document is returned by the query.
+        when(this.query.execute()).thenReturn(List.of(MY_SECTION_SERIALIZED)).thenReturn(List.of());
+
+        DocumentReference docRef = new DocumentReference(WIKI_NAME, "\">{{/html}}{{noscript /}}", "WebHome");
+        XWikiDocument contextDoc = new XWikiDocument(docRef);
+        this.xwiki.saveDocument(contextDoc, this.context);
+        this.context.setDoc(contextDoc);
+
+        XWikiDocument doc = loadPage(CONFIGURABLE_CLASS);
+        Document htmlPage = renderHTMLPage(doc);
+        String errorMessage = Objects.requireNonNull(htmlPage.selectFirst("div.errormessage p")).text();
+        assertEquals(String.format("xe.admin.configurable.noViewAccessSomeApplications [[%s]]", MY_SECTION_SERIALIZED),
+            errorMessage);
+    }
 }