Stored XSS via the user account and displaycontent/rendercontent template

Steps to reproduce:

1. Open your user profile (without script or programming rights) with the wiki editor (needs advanced mode).
2. Set the content to <script>alert(1)</script>.
3. Open <xwiki-host>/xwiki/bin/view/XWiki/<username>?viewer=displaycontent&sheet=&outputSyntax=plain and <xwiki-host>/xwiki/bin/view/XWiki/<username>?viewer=rendercontent&sheet=&outputSyntax=plain where <xwiki-host> is the URL of your XWiki installation and <username> is the name of the user.

Expected result:

The text <script>alert(1)</script> is displayed.

Actual result:

An alert with content "1" is displayed in both cases.

This demonstrates stored XSS via the user profile. The syntax of the user profile can also be set to plain/1.0 to avoid that the entered HTML is interpreted as XWiki syntax. A similar vulnerability can also be triggered with xpage=displaycontent or xpage=rendercontent but the "advantage" of the viewer parameter is that the main HTML document contains the CSRF token and thus allows much more powerful attacks. The victim could be tricked to visit such a document via a crafted internal link or by sending the victim the link via another communication channel.