XWiki Rendering / XRENDERING-660

XSS via the xdom+xml Syntax and RawBlock due to xdom+xml/current dependency

Details

    • High
    • Unknown
    • N/A
    • N/A
    • Pull Request accepted

    Description

      Steps to reproduce:

      1. Open your user profile with the wiki editor.
      2. Use the developer tools to locate the syntax dropdown (the select element named syntaxId) and change the value of the selected option to xdom+xml/current.
      3. Click "Save & View".
      4. Edit the user profile in the regular editor, switch the description to source mode and change the source to
        <document><p><metadata><metadata><entry><string>syntax</string><org.xwiki.rendering.syntax.Syntax><type><name>XHTML</name><id>xhtml</id><variants class="empty-list"></variants></type><version>5</version></org.xwiki.rendering.syntax.Syntax></entry></metadata></metadata></p><rawtext syntax="html/5.0" content="&lt;script&gt;alert(1);&lt;/script&gt;"></rawtext></document>

        The main part is the <rawtext syntax="html/5.0" content="<script>alert(1);</script>"></rawtext> element; the metadata is only necessary to avoid a null pointer access.

      5. Click "Save & View".

      Expected result

      No alert is shown after saving.

      Actual result

      An alert with content "1" is shown after saving.

      This demonstrates an XSS attack that is possible with just a regular, limited user account without edit access to the wiki content itself. Also, the xdom+xml syntax doesn't need to be enabled for this attack to work. As always, this allows privilege escalation when a user with more rights visits the user profile.
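      As an added illustration (not code from the XWiki project, whose implementation is Java and whose APIs are not used here), the following Python sketch shows the two server-side guards the report points at: validating the submitted syntax identifier against an allow-list, because the client-side select can be edited in the developer tools as in step 2, and detecting or stripping <rawtext> blocks in user-supplied xdom+xml before it reaches the renderer. The allow-list contents and the helper names are assumptions; the sample document is constructed from the payload quoted in the report.

```python
"""Server-side guards for user-supplied xdom+xml content.

Added illustration, not XWiki code. Assumptions (not from the report):
  - ALLOWED_SYNTAXES is the constructed allow-list of syntaxes a limited
    user may choose for profile content;
  - the xdom+xml shape follows the report: <rawtext> elements carrying a
    `syntax` attribute and a `content` attribute.
Untrusted XML in production should go through a hardened parser
(e.g. defusedxml); the standard library is used here so the sketch runs offline.
"""
import xml.etree.ElementTree as ET

# Constructed allow-list: what the syntax dropdown actually offers a user.
ALLOWED_SYNTAXES = frozenset({"xwiki/2.1", "xwiki/2.0", "plain/1.0"})

# Raw blocks in these syntaxes are emitted into the page without escaping.
MARKUP_SYNTAXES = frozenset({"html", "xhtml"})


def is_allowed_syntax(syntax_id: str) -> bool:
    """Server-side check of the syntaxId form field.

    The dropdown is only a UI hint: a user can set any value with the
    developer tools, so the server must re-validate against the allow-list
    rather than trust that an unlisted syntax such as xdom+xml/current
    cannot arrive.
    """
    return syntax_id in ALLOWED_SYNTAXES


def find_raw_blocks(xdom_xml: str) -> list:
    """Return (syntax, content) for every <rawtext> element in the document.

    Attribute entities are decoded by the parser, so the returned content is
    the literal text the renderer would emit.
    """
    root = ET.fromstring(xdom_xml)
    return [(el.get("syntax", ""), el.get("content", "")) for el in root.iter("rawtext")]


def has_markup_raw_block(xdom_xml: str) -> bool:
    """True if any raw block would be emitted as HTML/XHTML markup.

    The syntax attribute has the form <type>/<version> (e.g. html/5.0);
    only the type part decides whether the content is treated as markup.
    """
    return any(
        syntax.split("/", 1)[0] in MARKUP_SYNTAXES
        for syntax, _content in find_raw_blocks(xdom_xml)
    )


def strip_raw_blocks(xdom_xml: str) -> str:
    """Remove every <rawtext> element and return the re-serialized document.

    This is the conservative mitigation when user-supplied XDOM must be
    accepted at all: raw blocks have no safe meaning in untrusted content.
    """
    root = ET.fromstring(xdom_xml)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "rawtext":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample, modelled on the payload quoted in the report above.
SAMPLE = (
    '<document><p><metadata><metadata><entry><string>syntax</string>'
    '<org.xwiki.rendering.syntax.Syntax><type><name>XHTML</name><id>xhtml</id>'
    '<variants class="empty-list"></variants></type><version>5</version>'
    '</org.xwiki.rendering.syntax.Syntax></entry></metadata></metadata></p>'
    '<rawtext syntax="html/5.0" content="&lt;script&gt;alert(1);&lt;/script&gt;"></rawtext>'
    '</document>'
)


if __name__ == "__main__":
    print("syntaxId xdom+xml/current allowed:", is_allowed_syntax("xdom+xml/current"))
    print("raw blocks found:", find_raw_blocks(SAMPLE))
    print("markup raw block present:", has_markup_raw_block(SAMPLE))
    print("after stripping:", strip_raw_blocks(SAMPLE))
```

      Either guard alone closes the reported path: the first never lets xdom+xml/current be stored as a profile syntax, the second removes the RawBlock even if an unexpected syntax slips through. Running both is the defence-in-depth choice, and has_markup_raw_block doubles as a detection signal worth logging when it fires on content submitted by a limited account.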

      The list of affected versions is definitely not final; these are just the versions where I'm sure this reproduces. It is quite certain this reproduces on older versions: raw blocks were introduced in 1.8.3 and the xdom+xml syntax was introduced in 3.3-milestone-1 (see XRENDERING-25), which might be the actual affected version (to be confirmed).

      People

        Michael Hamann