Details
- Type: Bug
- Resolution: Solved By
- Priority: Major
- Fix Version/s: 12.6.1, 11.10.10
- Unknown
- N/A
- N/A
Description
The Rating Script Service exposes a method that is not protected by programming rights, so it is reachable from ordinary wiki scripts, with the following signature:
public AverageRatingApi getAverageRating(String fromsql, String wheresql)
Both parameters are then concatenated as-is into the query that AbstractRatingManager builds, with no escaping and no parameter binding. A caller therefore controls part of the SQL text sent to the database, which is an SQL injection.
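To make the flaw concrete, here is an added illustration (not XWiki's code; the schema, table names and function bodies are constructed stand-ins) of the same pattern: a query built by appending caller-controlled `fromsql`/`wheresql` fragments, the payload that turns it into a data-exfiltration query, and a hardened form that allowlists filter columns and binds values as parameters. It uses sqlite3 in place of XWiki's Hibernate store; the injection mechanics are the same.

```python
import sqlite3

# Constructed in-memory stand-in for a ratings store. The schema is hypothetical,
# not XWiki's real mapping; it exists only to make the query pattern runnable.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ratings (doc TEXT, author TEXT, vote INTEGER);
        CREATE TABLE secrets (name TEXT, value TEXT);
        INSERT INTO ratings VALUES
            ('Main.WebHome', 'alice', 4),
            ('Main.WebHome', 'bob', 2),
            ('Sandbox.Test', 'carol', 5);
        INSERT INTO secrets VALUES ('admin_token', 's3cr3t');
    """)
    return conn


def get_average_rating_unsafe(conn, fromsql, wheresql):
    """Vulnerable pattern (illustrative): the caller's SQL fragments are appended
    verbatim to the query, the shape of the flaw the issue describes.
    Returns every value the resulting query yields, so a UNION payload is visible."""
    query = "SELECT AVG(vote) FROM ratings" + fromsql + " WHERE 1=1" + wheresql
    return [row[0] for row in conn.execute(query).fetchall()]


# Hypothetical allowlist of columns a caller may filter on.
ALLOWED_FILTER_COLUMNS = {"doc", "author"}


def get_average_rating_safe(conn, filters):
    """Hardened form: column names are checked against an allowlist and values are
    bound as parameters, so no caller-controlled text reaches the SQL parser."""
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"unsupported filter column: {column!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    query = "SELECT AVG(vote) FROM ratings"
    if clauses:
        query += " WHERE " + " AND ".join(clauses)
    return conn.execute(query, params).fetchone()[0]


def demo():
    conn = make_db()
    # Legitimate use of the unsafe API: average of the two Main.WebHome votes.
    benign = get_average_rating_unsafe(conn, "", " AND doc = 'Main.WebHome'")
    # A UNION payload in wheresql makes the "average rating" query return rows
    # from an unrelated table.
    payload = " AND 0 = 1 UNION SELECT value FROM secrets"
    leaked = get_average_rating_unsafe(conn, "", payload)
    # Same question asked through the hardened API.
    hardened = get_average_rating_safe(conn, {"doc": "Main.WebHome"})
    # The same hostile text, passed as a bound value, simply matches no row.
    hostile = get_average_rating_safe(conn, {"doc": "x' UNION SELECT value FROM secrets --"})
    return benign, leaked, hardened, hostile


if __name__ == "__main__":
    print(demo())
```

The hardened variant deliberately changes the API shape: it accepts structured filters rather than SQL fragments, because there is no safe way to escape a caller-supplied `FROM` or `WHERE` clause. An allowlist on column names plus bound parameters for values is the minimum that removes caller text from the parsed SQL.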
Attachments
Issue Links
- depends on XWIKI-17761 Provide a new API for Ratings to allow create a RatingManager with a dedicated scale (Closed)
- links to