  1. XWiki Platform
  2. XWIKI-20961

XSS with edit right in the create document form for existing pages

    Description

      Steps to reproduce:

      1. Go to <xwiki-host>/xwiki/bin/create/Main/WebHome?parent=&templateprovider=&spaceReference=&name=%3Cimg%20onerror=%22alert(1)%22%20src=%22test%22 where <xwiki-host> is the URL of your XWiki installation.
      2. Create the page and add some content.
      3. Go again to <xwiki-host>/xwiki/bin/create/Main/WebHome?parent=&templateprovider=&spaceReference=&name=%3Cimg%20onerror=%22alert(1)%22%20src=%22test%22 where <xwiki-host> is the URL of your XWiki installation.

      Expected result:
      An error is displayed that the page <img onerror="alert(1)" src="test" already exists.

      Actual result:
      Two alerts with content "1" are displayed, showing that the JavaScript has been executed.

      Note that the URL in the last step can be forwarded to any user with edit right; there is no need for this to be the same user who created the page, so the attacker can create the page and then send the victim to the URL.

      This is due to missing escaping in the create template. This escaping has been missing since the feature was introduced in XWIKI-6559. However, before 7.2, all users with edit right had script right, so this was not really a security issue.
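
The missing escaping described above can be checked as a regression test. This is an added example, not XWiki's template code and not part of the original report. It assumes a placeholder host `xwiki.example` and a hypothetical `ERROR_TEMPLATE` standing in for the "page already exists" markup, and it renders the `name` parameter from the reproduction URL with and without HTML escaping, then parses the result for inline event handlers:

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# URL from the steps to reproduce; "xwiki.example" stands in for <xwiki-host>.
CREATE_URL = ("https://xwiki.example/xwiki/bin/create/Main/WebHome"
              "?parent=&templateprovider=&spaceReference="
              "&name=%3Cimg%20onerror=%22alert(1)%22%20src=%22test%22")

# Hypothetical stand-in for the error markup (assumption, not the real template).
ERROR_TEMPLATE = '<div class="box errormessage">The page {name} already exists.</div>'


class HandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for inline event handlers (on*)."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers += [(tag, key) for key, _ in attrs if key.startswith("on")]


def page_name(url):
    """Return the decoded 'name' request parameter of a create URL."""
    # keep_blank_values keeps the empty parent/templateprovider parameters.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query["name"][0]


def render_error(name, escape):
    """escape=False models the missing escaping; escape=True the escaped output."""
    shown = html.escape(name, quote=True) if escape else name
    return ERROR_TEMPLATE.format(name=shown)


def injected_handlers(markup):
    """Parse markup as a browser would and list any event-handler attributes."""
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    name = page_name(CREATE_URL)
    for escape in (False, True):
        print(f"escape={escape}: {injected_handlers(render_error(name, escape))}")
```

The unescaped rendering yields an `img` element carrying an `onerror` handler even though the submitted name has no closing `>`, because the parser absorbs the following text into the tag; the escaped rendering contains no injected element.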

            People

              MichaelHamann Michael Hamann