From 604868033ebd191cf2d1e94db336f0c4d9096427 Mon Sep 17 00:00:00 2001 From: Michael Hamann Date: Fri, 20 May 2022 18:02:47 +0200 Subject: [PATCH] XWIKI-19747: Escape tag names * Escape tag names for XWiki syntax --- .../src/main/resources/Main/Tags.xml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/xwiki-platform-core/xwiki-platform-tag/xwiki-platform-tag-ui/src/main/resources/Main/Tags.xml b/xwiki-platform-core/xwiki-platform-tag/xwiki-platform-tag-ui/src/main/resources/Main/Tags.xml index ead325ebf553..3b30f590ddd7 100644 --- a/xwiki-platform-core/xwiki-platform-tag/xwiki-platform-tag-ui/src/main/resources/Main/Tags.xml +++ b/xwiki-platform-core/xwiki-platform-tag/xwiki-platform-tag-ui/src/main/resources/Main/Tags.xml @@ -51,6 +51,7 @@ $xwiki.ssx.use('Main.Tags')## ## #set ($do = "$!{request.get('do')}") #set ($tag = "$!{request.get('tag')}") +#set ($wikiEscapedTag = $services.rendering.escape($tag, 'xwiki/2.1')) #set ($urlEscapedTag = $escapetool.url($tag)) #set ($htmlEscapedTag = $escapetool.xml($tag)) ## @@ -58,7 +59,7 @@ $xwiki.ssx.use('Main.Tags')## ## #macro (displayTagAppTitle $urlEscapedTag $htmlEscapedTag $displayButtons) (% class="xapp" %) - = (% class="highlight tag" %)${tag}## + = (% class="highlight tag" %)${wikiEscapedTag}## #if ($xwiki.hasAdminRights() && $displayButtons) ## [[$services.localization.render('xe.tag.rename.link')>>||queryString="do=prepareRename&tag=${urlEscapedTag}" class="button rename" rel="nofollow"]] [[$services.localization.render('xe.tag.delete.link')>>||queryString="do=prepareDelete&tag=${urlEscapedTag}" class="button delete" rel="nofollow"]]## #end 
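Review bot: The new `$wikiEscapedTag` in the `@@ -51,6 +51,7 @@` hunk sits beside `$urlEscapedTag` and `$htmlEscapedTag` with nothing saying which output context each one is for, and the raw `$tag` stays in scope next to them. A comment above the `#set` lines would make the rule explicit, for example `## $tag is the raw request value: pass it to APIs only. Print $wikiEscapedTag in wiki syntax, $urlEscapedTag in query strings, $htmlEscapedTag in HTML output.` That gives the next editor a reason not to reach for `${tag}` when adding a heading or message.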
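Review bot: In the `@@ -58,7 +59,7 @@` hunk, `displayTagAppTitle` declares `$urlEscapedTag`, `$htmlEscapedTag` and `$displayButtons` as parameters, but the heading line reads `${wikiEscapedTag}` from the page scope. The macro therefore prints the escaped name only when it is called after the `#set` added in the first hunk. Either document that dependency above the heading with `## reads the page-level $wikiEscapedTag (request tag escaped for xwiki/2.1)`, or pass the value in as a parameter, which would also mean updating the call sites; only one of them is visible in this patch. The macro body continues past the end of the hunk.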
@@ -74,14 +75,14 @@ $xwiki.ssx.use('Main.Tags')## ## #displayTagAppTitle($urlEscapedTag $htmlEscapedTag true) #if ("$!{request.get('renamedTag')}" != '') - {{info}}$services.localization.render('xe.tag.rename.success', ["//${request.get('renamedTag')}//"]){{/info}} + {{info}}$services.localization.render('xe.tag.rename.success', ["//${services.rendering.escape(${request.get('renamedTag')}, 'xwiki/2.1')}//"]){{/info}} #end #set ($list = $xwiki.tag.getDocumentsWithTag($tag)) {{container layoutStyle="columns"}} ((( (% class="xapp" %) - === $services.localization.render('xe.tag.alldocs', ["//${tag}//"]) === + === $services.localization.render('xe.tag.alldocs', ["//${wikiEscapedTag}//"]) === #if ($list.size()> 0) {{html}}#displayDocumentList($list false $blacklistedSpaces){{/html}} @@ -91,8 +92,8 @@ $xwiki.ssx.use('Main.Tags')## ))) ((( (% class="xapp" %) - === $services.localization.render('xe.tag.activity', ["//${tag}//"]) === - {{notifications useUserPreferences="false" displayOwnEvents="true" tags="$tag" displayRSSLink="true" /}} + === $services.localization.render('xe.tag.activity', ["//${wikiEscapedTag}//"]) === + {{notifications useUserPreferences="false" displayOwnEvents="true" tags="$wikiEscapedTag" displayRSSLink="true" /}} ))) {{/container}} #elseif ($do == 'prepareRename') @@ -123,7 +124,7 @@ $xwiki.ssx.use('Main.Tags')## #set ($urlEscapedRenameTo = $escapetool.url($renameTo)) $response.sendRedirect($doc.getURL('view', "do=viewTag&tag=${urlEscapedRenameTo}&renamedTag=${urlEscapedTag}")) #else - {{error}}$services.localization.render('xe.tag.rename.failure', ["//${tag}//", "//${renameTo}//"]){{/error}} + {{error}}$services.localization.render('xe.tag.rename.failure', ["//${wikiEscapedTag}//", "//${services.rendering.escape($renameTo, 'xwiki/2.1')}//"]){{/error}} #end #elseif ($do == 'prepareDelete') ## 
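Review bot: The `renamedTag` line in the `@@ -74,14 +75,14 @@` hunk wraps the method argument in a second formal reference, `${services.rendering.escape(${request.get('renamedTag')}, 'xwiki/2.1')}`, while the `deletedTag` line in the `@@ -156,7 +157,7 @@` hunk passes `$request.get('deletedTag')` directly. The two should read the same way so that a reader does not look for a difference in behaviour: `["//${services.rendering.escape($request.get('renamedTag'), 'xwiki/2.1')}//"]`. The `$xwiki.tag.getDocumentsWithTag($tag)` context line rightly keeps the raw value, since it is an API argument and not rendered output.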
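Review bot: In the `@@ -91,8 +92,8 @@` hunk, `tags="$wikiEscapedTag"` does more than display the value: it becomes the argument the `notifications` macro receives. The macro filters on the intended tag only if the xwiki/2.1 parser undoes the escaping inside a quoted macro parameter the same way it does in heading text, and nothing in this hunk shows that. Please confirm with a tag name that contains characters `escape()` rewrites, and record the result next to the line, e.g. `## escape() output is decoded back to the raw tag inside the quoted parameter`. If the two contexts decode differently, this parameter needs its own escaped variable rather than sharing the heading's.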
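Review bot: In the `@@ -123,7 +124,7 @@` hunk, `$renameTo` is escaped inline inside the failure message, although the context line two lines above already builds `$urlEscapedRenameTo` as a named variable. A matching `#set ($wikiEscapedRenameTo = $services.rendering.escape($renameTo, 'xwiki/2.1'))` beside it would keep the message line short. It would also give this branch one escaped form to reuse wherever else `$renameTo` is printed, which cannot be checked from the hunk because the `prepareRename` branch lies outside it.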
@@ -148,7 +149,7 @@ $xwiki.ssx.use('Main.Tags')## #if ($success == true || $success == 'OK') $response.sendRedirect($doc.getURL('view', "deletedTag=${urlEscapedTag}")) #else - {{error}}$services.localization.render('xe.tag.delete.failure', ["//${tag}//"]){{/error}} + {{error}}$services.localization.render('xe.tag.delete.failure', ["//${wikiEscapedTag}//"]){{/error}} #end #else ## @@ -156,7 +157,7 @@ $xwiki.ssx.use('Main.Tags')## ## #set ($title = 'All Tags') #if ("$!{request.get('deletedTag')}" != '') - {{info}}$services.localization.render('xe.tag.delete.success', ["//${request.get('deletedTag')}//"]){{/info}} + {{info}}$services.localization.render('xe.tag.delete.success', ["//${services.rendering.escape($request.get('deletedTag'), 'xwiki/2.1')}//"]){{/info}} #end {{tagcloud/}}
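Review bot: The diffstat shows only `Tags.xml` changed, so nothing pins the escaping of `deletedTag` in the `@@ -156,7 +157,7 @@` hunk, or of the other call sites changed in this patch, against a later edit that prints a raw `${tag}` again. A page test would cover this: render Main.Tags with a tag name containing wiki markup, once for each of the `tag`, `renamedTag` and `deletedTag` parameters, and assert the name comes out as literal text. The surrounding `#if ("$!{request.get('deletedTag')}" != '')` guard means `escape()` is not reached with a missing parameter here, which is worth keeping in mind if the call is ever moved outside the guard.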