Uploaded image for project: 'XWiki Commons'
  1. XWiki Commons
  2. XCOMMONS-3424

$jsontool and $escapetool does not escape < to allow safe usage in <script> tags on XWiki 16.10.11

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 16.10.11
    • Velocity
    • None
    • Windows 11 Pro, Edge 140, using an instance of XWiki 16.10.11 on MySQL 9.3, Tomcat 9.0.108
    • Unknown

    Description

      Steps to reproduce

      1. Start an instance of XWiki 16.10.11
      2. Create a page with the following content: 
        {{velocity}}{{html}}
<script>$jsontool.serialize({
  'closeComment': '-->',
  'closeScript': '</script>',
  'openComment': '<!--',
  'openScript': '<script>'
});
'$escapetool.javascript('<!--')';
</script>
<h1>Success! 🎉</h1>
{{/html}}{{/velocity}}
      3. Save the page

      Expected results

      The text "Success! 🎉" is displayed on the page, the XWiki UI is normally displayed.

      Actual results

      Nothing is displayed on the page. Both Panels and footer is missing as well.

      The issue could not be reproduced on XWiki 17.8.0 RC1, one of the Fix Versions of XCOMMONS-3410.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. XCOMMONS-3410 $jsontool and $escapetool should escape < to allow safe usage in <script> tags

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              iandriuta Ilie Andriuta
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated: