Details
- Bug
- Resolution: Won't Fix
- Minor
- None
- 17.10.2
- None
- Unknown
Description
There are some utility $services.localization.render(...) methods which are rarely used, and which also perform syntax escapes. The resulting string differs from the behavior of $services.rendering.escape(string, syntax), and I'm not sure whether it is intended that the behaviors are different.
Example:

```velocity
##translationKey=Test"> <script class="xss">alert('hi!')</script> [[link]] <span data-attr="全
$services.localization.render('translationKey')
## Result: Test"> <script class="xss">alert('hi!')</script> [[link]] <span data-attr="全

loc: $services.localization.render('translationKey', 'xwiki/2.1', [])
## Result: Test"> <script class="xss">alert('hi!')</script> ~[~[link]] <span data-attr="全

render/loc: $services.rendering.escape($services.localization.render('translationKey'), 'xwiki/2.1')
## Result: ~T~e~s~t~"~>~ ~<~s~c~r~i~p~t~ ~c~l~a~s~s~=~"~x~s~s~"~>~a~l~e~r~t~(~'~h~i~!~'~)~<~/~s~c~r~i~p~t~>~ ~[~[~l~i~n~k~]~]~ ~<~s~p~a~n~ ~d~a~t~a~-~a~t~t~r~=~"~全
```
I don't think this is a big issue, as my primary motive for discovering this was trying to get shorter velocity code for escapes.
I would have expected that $services.rendering.escape($services.localization.render('translationKey'), 'xwiki/2.1') and $services.localization.render('translationKey', 'xwiki/2.1', []) are equivalent, but I'm not sure if that was a good assumption. (Feel free to close this issue if this behavior is expected)
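To make the difference between the two calls concrete, here is an added Python model of the two escape behaviours as they appear in the outputs quoted above. It is not XWiki code: `escape_all` reproduces what `$services.rendering.escape(..., 'xwiki/2.1')` was observed to do (prefix every character with `~`), while `escape_link_openers` is only a constructed approximation of the localization output (`[[` rewritten as `~[~[`), not a statement of XWiki's real escaping rules. The `unescape` helper assumes the xwiki/2.1 convention that `~` escapes the single character that follows it; the `TRANSLATION` sample is a copy of the report's translation value.

```python
"""Model of the two XWiki escape behaviours quoted in the issue (added example, not XWiki code)."""

ESCAPE_CHAR = "~"  # escape character of the xwiki/2.1 syntax (assumption: '~' escapes the next character)

# Constructed copy of the translation value used in the report.
TRANSLATION = 'Test"> <script class="xss">alert(\'hi!\')</script> [[link]] <span data-attr="全'


def escape_all(text: str) -> str:
    """Escape every character, as $services.rendering.escape(..., 'xwiki/2.1') was observed to do."""
    return "".join(ESCAPE_CHAR + ch for ch in text)


def escape_link_openers(text: str) -> str:
    """Constructed approximation of the localization output: only '[[' becomes '~[~['."""
    return text.replace("[[", ESCAPE_CHAR + "[" + ESCAPE_CHAR + "[")


def unescape(text: str) -> str:
    """Undo xwiki/2.1 escaping: '~' followed by any character yields that character."""
    out, i = [], 0
    while i < len(text):
        if text[i] == ESCAPE_CHAR and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def unescaped_text(text: str) -> str:
    """Blank out every '~x' pair so that only characters still unescaped remain searchable."""
    out, i = [], 0
    while i < len(text):
        if text[i] == ESCAPE_CHAR and i + 1 < len(text):
            out.append(" ")
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def remaining_markers(text: str, markers=("[[", "]]", "{{", "}}", "**", "//")) -> list:
    """Return the wiki-syntax markers from `markers` that are still present unescaped."""
    plain = unescaped_text(text)
    return [m for m in markers if m in plain]


def compare(text: str = TRANSLATION) -> dict:
    """Run both escapes over `text` and report how they differ."""
    full = escape_all(text)
    partial = escape_link_openers(text)
    return {
        "identical": full == partial,
        # both forms decode back to the original under the '~' rule
        "round_trip_ok": unescape(full) == text and unescape(partial) == text,
        "markers_left_after_full": remaining_markers(full),
        "markers_left_after_partial": remaining_markers(partial),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it shows the two outputs are not interchangeable: the full escape leaves no wiki markers unescaped, while the partial form still carries `]]` (and, as the report shows, all of the HTML untouched). Neither form is HTML escaping, so a translation rendered into an HTML attribute still needs the HTML escape appropriate to that context.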