XWiki Platform, issue XWIKI-20625

Velocity execution without script right through tree macro


    Description

      Steps to reproduce:

      1. As a user without script right, create a document, for example named Nasty Title
      2. Set the document's title to $request.requestURI
      3. Click "Save & View"
      4. Reload the page in the browser

      Expected result:

      A document named $request.requestURI is displayed in the navigation panel.

      Actual result:

      A document named /xwiki/bin/get/Nasty%20Title/WebHome is displayed instead, showing that the Velocity code in the title has been executed even though the user doesn't have script right.

      This happens because the document tree macro sets the title, which changes the document's author to the author of XWiki.DocumentTreeMacros, so the title is evaluated with that author's rights. It is only because of XWIKI-20624 that the context document and author remain unchanged during the actual evaluation of the title; once XWIKI-20624 is fixed, this becomes an escalation to programming rights.

      As long as XWIKI-20624 hasn't been fixed, the context author is still the current user, so any APIs that check author rights are safe. However, we have several privilege escalation vulnerabilities from script right, and I can confirm that at least some of them can be exploited from this, like XWIKI-19790 (requires admin interaction) or XWIKI-19858 (no interaction required); both allow gaining programming rights. I'm therefore still marking this as an escalation attack, as we can use features only available with script right.
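      The titles this issue describes are ordinary Velocity references stored in a document field, so an administrator can look for them directly. The following Python audit is an added example written for this page, not code from the issue or from XWiki; it flags documents whose title contains Velocity syntax while the author lacks script right. The document inventory and the set of users holding script right are constructed sample data, since a real deployment would read them from the wiki.

```python
import re

# Velocity syntax that is evaluated when a title is rendered:
# $ref, ${ref}, $!ref, $!{ref} and #directive(...).
VELOCITY_REF = re.compile(r"\$!?\{?[A-Za-z_][\w.()]*\}?")
VELOCITY_DIRECTIVE = re.compile(r"#\{?(if|set|foreach|macro|include|parse|evaluate)\b")


def title_has_velocity(title: str) -> bool:
    """True if the title contains a Velocity reference or directive.

    A bare '$' followed by a space or a digit is not a reference, so a
    title such as 'Costs in $ and €' is not reported.
    """
    return bool(VELOCITY_REF.search(title) or VELOCITY_DIRECTIVE.search(title))


def audit_titles(documents, script_right_users):
    """Return the references of documents whose title contains Velocity
    syntax but whose author lacks script right.  Those are the titles the
    tree macro would evaluate under another author's rights."""
    findings = []
    for doc in documents:
        if title_has_velocity(doc["title"]) and doc["author"] not in script_right_users:
            findings.append(doc["reference"])
    return findings


# Constructed sample inventory; not data from any real wiki.
SAMPLE_DOCUMENTS = [
    {"reference": "xwiki:Main.WebHome", "author": "xwiki:XWiki.Admin", "title": "Home"},
    {"reference": "xwiki:Nasty Title.WebHome", "author": "xwiki:XWiki.Mallory",
     "title": "$request.requestURI"},
    {"reference": "xwiki:Sandbox.WebHome", "author": "xwiki:XWiki.Alice",
     "title": "Costs in $ and €"},
    {"reference": "xwiki:Macros.WebHome", "author": "xwiki:XWiki.Admin",
     "title": "#if($doc)Docs#end"},
]
SCRIPT_RIGHT_USERS = {"xwiki:XWiki.Admin"}

if __name__ == "__main__":
    for reference in audit_titles(SAMPLE_DOCUMENTS, SCRIPT_RIGHT_USERS):
        print("Velocity in title without script right:", reference)
```

Only the document created by the user without script right is reported; the admin's directive is allowed because that author may legitimately use Velocity.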


            People

              tmortagne Thomas Mortagne
              MichaelHamann Michael Hamann