Details
- Bug
- Resolution: Unresolved
- Major
- None
- 1.3
- None
Description
The XWiki page name is used to build an HTML element id in the macro displayFullRating. If the wiki page name contains HTML, it is rendered directly into the page because of the line
<div class="rating-wrapper" id="rating-${rdoc.fullName}">
Visiting a page named, for example, "<script>alert("foo")</script>" results in the alert JavaScript being executed (at least in Firefox).
Escaping rdoc.fullName with escapetools appears to resolve the problem.
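As an added illustration (not code from the report or from the Ratings macro), the following Python stand-in for the template line renders the wrapper with and without the escaping the report suggests, checks whether the rendered id attribute stays intact, and lints template lines for Velocity references placed inside attribute values without an $escapetool wrapper. The fixed template line using $escapetool.xml is assumed from the report's suggestion, and html.escape stands in for escapetool's behaviour.

```python
import html
import re

# Template line quoted in the report, and the assumed fix (escapetool.xml wrapping the reference).
VULNERABLE_LINE = '<div class="rating-wrapper" id="rating-${rdoc.fullName}">'
FIXED_LINE = '<div class="rating-wrapper" id="rating-$escapetool.xml($rdoc.fullName)">'

# Constructed sample page names: a benign one and the report's proof-of-concept name.
SAMPLE_NAMES = {
    "benign": "Main.WebHome",
    "markup": '<script>alert("foo")</script>',
}


def render_rating_wrapper(full_name: str, escape: bool) -> str:
    """Emulate the displayFullRating line. escape=False reproduces the reported bug;
    escape=True models $escapetool.xml($rdoc.fullName). html.escape neutralises the
    same characters (&, <, >, ", ') although the exact entity spelling may differ."""
    value = html.escape(full_name, quote=True) if escape else full_name
    return f'<div class="rating-wrapper" id="rating-{value}">'


def attribute_is_intact(rendered: str) -> bool:
    """True only if the id value runs to its closing quote without a '<', '>' or '"',
    i.e. the page name could neither close the attribute nor open a new tag."""
    return re.fullmatch(r'<div class="rating-wrapper" id="([^"<>]*)">', rendered) is not None


# Linter for template lines: a Velocity reference inside a double-quoted attribute value
# is reported unless it sits inside an $escapetool.<method>(...) call.
ATTR_VALUE = re.compile(r'=\s*"([^"]*)"')
ESCAPED_CALL = re.compile(r"\$escapetool\.\w+\([^)]*\)")
VELOCITY_REF = re.compile(r"\$\{?[A-Za-z_][\w.]*\}?")


def unescaped_attribute_refs(template_line: str) -> list[str]:
    refs = []
    for attr in ATTR_VALUE.finditer(template_line):
        remaining = ESCAPED_CALL.sub("", attr.group(1))  # drop already-escaped references
        refs.extend(ref.group(0) for ref in VELOCITY_REF.finditer(remaining))
    return refs


if __name__ == "__main__":
    for name, page in SAMPLE_NAMES.items():
        for escape in (False, True):
            out = render_rating_wrapper(page, escape)
            print(f"{name:6} escape={escape!s:5} intact={attribute_is_intact(out)} {out}")
    print("unescaped refs in vulnerable line:", unescaped_attribute_refs(VULNERABLE_LINE))
    print("unescaped refs in fixed line:     ", unescaped_attribute_refs(FIXED_LINE))
```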