Uploaded image for project: 'XWiki Commons'
  1. XWiki Commons
  2. XCOMMONS-3371

$jsontool and $escapetool should escape { to increase compatibility with XWiki syntax rendering

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 16.10.0
    • Velocity
    • None
    • Unknown

    Description

      The output of $jsontool and $escapetool.javascript is frequently used in HTML macros. To prevent that their output could interfere with the closing of the surrounding HTML macro, both should escape {. This also prevents accidental escaping of such output with HTML escaping that would alter the meaning of the content.

      Steps to reproduce:

      Put one of the following two wiki syntaxes in a document:

      {{velocity}}
      {{html clean="false"}}
      $jsontool.serialize('{{html}}')
      {{/html}}
      {{/velocity}}
      
      {{velocity}}
      {{html clean="false"}}
      $escapetool.javascript('{{html}}')
      {{/html}}
      {{/velocity}}
      

      Expected result:

      The text

      {{html}}

       is displayed (in quotes for the json tool).

      Actual result:

      For the first version

      "{{html}}" {{/html}} 

      is displayed, the second version produces

      {{html}} {{/html}}

      This shows that due to the extra opening HTML macro syntax, the parser considers the closing HTML macro syntax as content, leading to the unwanted output. This is in particular a problem when the printed text contains user-controlled strings. Both tools already escape "/" so their output cannot close the HTML macro.

      Attachments

        Activity

          People

            MichaelHamann Michael Hamann
            MichaelHamann Michael Hamann
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: