From ed8ec747967f8a16434806e727a57214a8843581 Mon Sep 17 00:00:00 2001
From: Michael Hamann <michael.hamann@xwiki.com>
Date: Mon, 5 Jun 2023 12:03:05 +0200
Subject: [PATCH] XWIKI-20961: Improve escaping for document exists error

* Add escaping for the document reference and add a test.
---
 .../main/resources/templates/createinline.vm  |  2 +-
 .../org/xwiki/web/CreateInlinePageTest.java   | 43 ++++++++++++++++---
 2 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/createinline.vm b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/createinline.vm
index 728a7535f8b5..60ed5dd40f29 100644
--- a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/createinline.vm
+++ b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/createinline.vm
@@ -79,7 +79,7 @@
   <div class='box errormessage'>
       ## Use the 'existingDocumentReference' context binding set by the create action for this case.
       $services.localization.render('core.create.page.error.docalreadyexists',
-        ["${existingDocumentReference}",
+        [$escapetool.xml("${existingDocumentReference}"),
          $xwiki.getURL($existingDocumentReference, 'view', ''),
          $xwiki.getURL($existingDocumentReference, 'edit', '')
         ]
diff --git a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/test/java/org/xwiki/web/CreateInlinePageTest.java b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/test/java/org/xwiki/web/CreateInlinePageTest.java
index c5e7c0f7d51f..565a315c46c1 100644
--- a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/test/java/org/xwiki/web/CreateInlinePageTest.java
+++ b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/test/java/org/xwiki/web/CreateInlinePageTest.java
@@ -51,6 +51,12 @@ class CreateInlinePageTest extends PageTest
      */
     private static final String CREATE_INLINE_VM = "createinline.vm";
 
+    private static final String DOCUMENT_REFERENCE = "xwiki:space.</div>page";
+
+    private static final String CREATE_EXCEPTION_VELOCITY_KEY = "createException";
+
+    private static final String ERROR_MESSAGE_CLASS = "errormessage";
+
     private VelocityManager velocityManager;
 
     @Inject
@@ -71,20 +77,45 @@ void setup() throws Exception
     void testNameValidationError() throws Exception
     {
         // Set "createException" to an XWikiException to simulate a validation error.
-        String documentReference = "xwiki:space.</div>page";
-        Object[] args = { documentReference };
+        Object[] args = { DOCUMENT_REFERENCE };
         XWikiException invalidNameException = new XWikiException(XWikiException.MODULE_XWIKI_STORE,
             XWikiException.ERROR_XWIKI_APP_DOCUMENT_NAME_INVALID,
             "Cannot create document {0} because its name does not respect the name strategy of the wiki.", null,
             args);
-        this.velocityManager.getVelocityContext().put("createException", invalidNameException);
-        this.velocityManager.getVelocityContext().put("invalidNameReference", documentReference);
+        this.velocityManager.getVelocityContext().put(CREATE_EXCEPTION_VELOCITY_KEY, invalidNameException);
+        this.velocityManager.getVelocityContext().put("invalidNameReference", DOCUMENT_REFERENCE);
+
+        // Render the template.
+        Document document = Jsoup.parse(this.templateManager.render(CREATE_INLINE_VM));
+        Element errormessage = document.getElementsByClass(ERROR_MESSAGE_CLASS).first();
+        assertNotNull(errormessage);
+        String expectedMessage = String.format("entitynamevalidation.create.invalidname [%s]", DOCUMENT_REFERENCE);
+        assertEquals(expectedMessage, errormessage.text());
+    }
+
+    /**
+     * Test that when there is an exception about the document already existing, the name is correctly escaped.
+     */
+    @Test
+    void testDocumentAlreadyExistsError() throws Exception
+    {
+        // Set "createException" to an XWikiException to simulate a document exists already error.
+        String urlToDocument = "space/%3C%2Fdiv%3Epage";
+        Object[] args = { DOCUMENT_REFERENCE };
+        XWikiException documentAlreadyExistsException = new XWikiException(XWikiException.MODULE_XWIKI_STORE,
+            XWikiException.ERROR_XWIKI_APP_DOCUMENT_NOT_EMPTY,
+            "Cannot create document {0} because it already has content", null, args);
+        this.velocityManager.getVelocityContext().put(CREATE_EXCEPTION_VELOCITY_KEY, documentAlreadyExistsException);
+        this.velocityManager.getVelocityContext().put("existingDocumentReference", DOCUMENT_REFERENCE);
 
         // Render the template.
         Document document = Jsoup.parse(this.templateManager.render(CREATE_INLINE_VM));
-        Element errormessage = document.getElementsByClass("errormessage").first();
+        Element errormessage = document.getElementsByClass(ERROR_MESSAGE_CLASS).first();
         assertNotNull(errormessage);
-        String expectedMessage = String.format("entitynamevalidation.create.invalidname [%s]", documentReference);
+        String viewURL = String.format("/xwiki/bin/view/%s", urlToDocument);
+        String editURL = String.format("/xwiki/bin/edit/%s", urlToDocument);
+        String expectedMessage = String.format("core.create.page.error.docalreadyexists [%s, %s, %s]",
+            DOCUMENT_REFERENCE, viewURL, editURL);
         assertEquals(expectedMessage, errormessage.text());
     }
 }