AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document reference when serializing it on filesystem, so it's easy to mess up the HTML or PDF export process with reference elements containing filesystem syntax like "../", "./". or "/" in general (the last two not causing any security threat, but can cause conflicts with others serialized files).
- create a page containing
- export the page as HTML (you don't need to download the resulting zip package)
-> you should find a file named something like ssx5447337823533494579.css at the root of the temporary work directory. While you don't have much control over the name of the file (which limit the impact) you can put it anywhere XWiki has access to, and it can contain anything you want.