Details
- Bug
- Resolution: Fixed
- Major
- 2.3
- None
- security, patch
- Unit
- Unknown
Description
To reproduce:
Make sure Registration has PR.
http://127.0.0.1:8081/xwikiTrunk/bin/view/XWiki/Registration?register_first_name={{/html}}{{groovy}}new Random().unsafe.putAddress(0,0);{{/groovy}}
The troubling thing is that Registration does everything "right": the value is XML-escaped, so there can be no script injection (quotes cannot be injected), but XML escaping does not escape '{', so the html macro can simply be ended.
This is not an issue with syntax 1.0, because Groovy is started with a <%, which is XML-escaped; also, the output from the Velocity renderer cannot be interpreted as more Velocity.
A possible quick solution would be to add HTML escaping of '{'.
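The mechanism described in this report, as an added example that is not part of the issue or of XWiki's code: a user value is XML-escaped and dropped inside an `{{html}}` macro, the way the Registration page does. The escaping removes `<`, `>` and quotes, but leaves `{` alone, so a value containing `{{/html}}{{groovy}}...` closes the html macro and the wiki-syntax parser sees a live groovy macro. The hardened escaper below additionally turns `{` into the HTML numeric entity `&#123;`, which is the reporter's suggested quick fix; the rendering template, the macro regex and the payload are constructed for this illustration and are not XWiki's actual implementation or the fix that shipped.

```python
import html
import re
from xml.sax.saxutils import escape as xml_escape

# Constructed payload modelled on the report: ends the html macro, opens a script macro.
PAYLOAD = '{{/html}}{{groovy}}println "pwned"{{/groovy}}'

# Toy stand-in for the 2.0 syntax macro scanner: finds every {{name ...}} / {{/name}} token.
# It is deliberately simple; it only needs to show which macro delimiters survive escaping.
MACRO_RE = re.compile(r"\{\{/?(\w+)[^}]*\}\}")


def xml_escape_only(value: str) -> str:
    """What the original page did: escape <, >, & and double quotes, nothing else."""
    return xml_escape(value, {'"': "&quot;"})


def macro_safe_escape(value: str) -> str:
    """XML escaping plus HTML-entity escaping of '{', so '{{' can never reach the
    wiki parser. Browsers render &#123; back to '{', so the displayed value is intact."""
    return xml_escape_only(value).replace("{", "&#123;")


def render_registration_field(value: str, escaper) -> str:
    """Emulate the template: the escaped user value is placed inside an {{html}} macro
    (hypothetical markup, not XWiki's real Registration page)."""
    return (
        "{{html}}"
        '<input name="register_first_name" value="' + escaper(value) + '"/>'
        "{{/html}}"
    )


def macros_seen_by_parser(markup: str) -> list:
    """Macro names the wiki-syntax parser would encounter in the rendered markup."""
    return MACRO_RE.findall(markup)


def is_contained(markup: str) -> bool:
    """True when the only macro delimiters present are the template's own {{html}} pair."""
    return macros_seen_by_parser(markup) == ["html", "html"]


if __name__ == "__main__":
    for name, escaper in (("xml only", xml_escape_only), ("xml + '{'", macro_safe_escape)):
        markup = render_registration_field(PAYLOAD, escaper)
        print(f"{name:10} macros={macros_seen_by_parser(markup)} contained={is_contained(markup)}")
    # The hardened form still round-trips to the original text once the browser decodes entities.
    print(html.unescape(macro_safe_escape(PAYLOAD)) == PAYLOAD)
```

With XML escaping alone the parser sees `html, html, groovy, groovy, html`: the injected `{{/html}}` has closed the template's macro and the groovy macro is live. With `{` escaped as well only the template's own `html, html` pair remains, while `html.unescape` shows the user still sees their value unchanged. The same reasoning explains why syntax 1.0 is unaffected: its `<%` script delimiter is caught by ordinary XML escaping.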