XWIKI-21167: Improve escaping of space parameter in ConfigurableClass

xwiki · Aug 2, 2023 · 5e14c8d · 5e14c8d
1 parent 749f6ae
commit 5e14c8d
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/...istration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClass.xml b/...istration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClass.xml
@@ -407,7 +407,7 @@ $xwiki.jsfx.use('js/xwiki/actionbuttons/actionButtons.js', true)
   #if($globaladmin)
     #set($queryString = "editor=globaladmin&amp;amp;section=")
   #else
-    #set($queryString = "space=${currentSpace}&amp;amp;section=")
+    #set($queryString = "space=$escapetool.url($currentSpace)&amp;amp;section=")
     #if($request.getParameter('editor'))
       #set($queryString = "editor=$escapetool.url($request.getParameter('editor'))&amp;amp;$queryString")
     #end

diff --git a/...m-administration-ui/src/test/java/org/xwiki/administration/ConfigurableClassPageTest.java b/...m-administration-ui/src/test/java/org/xwiki/administration/ConfigurableClassPageTest.java
@@ -19,10 +19,13 @@
  */
 package org.xwiki.administration;
 
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 
+import org.apache.http.client.utils.URLEncodedUtils;
 import org.jsoup.nodes.Document;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -54,6 +57,7 @@
 import com.xpn.xwiki.objects.BaseObject;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.fail;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyInt;
 import static org.mockito.ArgumentMatchers.anyString;
@@ -208,4 +212,39 @@ void escapeNonViewableSections() throws Exception
         assertEquals(String.format("xe.admin.configurable.noViewAccessSomeApplications [[%s]]", MY_SECTION_SERIALIZED),
             errorMessage);
     }
+
+    @Test
+    void escapeSectionLink() throws Exception
+    {
+        // Create a new section document.
+        XWikiDocument mySectionDoc = new XWikiDocument(MY_SECTION);
+        BaseObject object = mySectionDoc.newXObject(CONFIGURABLE_CLASS, this.context);
+        object.setStringValue("displayInCategory", "other");
+        object.setStringValue("displayInSection", "other");
+        object.set("scope", "WIKI+ALL_SPACES", this.context);
+        this.xwiki.saveDocument(mySectionDoc, this.context);
+
+        // Make sure the section document is returned by the query and the user has access to edit.
+        when(this.query.execute()).thenReturn(List.of(MY_SECTION_SERIALIZED)).thenReturn(List.of());
+        when(this.oldcore.getMockRightService()
+            .hasAccessLevel(eq("edit"), any(), any(), any())).thenReturn(true);
+
+        // Set a new document with space ">{{/html}}{{noscript /}} as context document to check escaping of the
+        // current space.
+        String spaceName = "\">{{/html}}{{noscript /}}";
+        DocumentReference docRef = new DocumentReference(WIKI_NAME, spaceName, "WebHome");
+        XWikiDocument contextDoc = new XWikiDocument(docRef);
+        this.xwiki.saveDocument(contextDoc, this.context);
+        this.context.setDoc(contextDoc);
+
+        XWikiDocument doc = loadPage(CONFIGURABLE_CLASS);
+        Document htmlPage = renderHTMLPage(doc);
+        String link = Objects.requireNonNull(htmlPage.selectFirst("li.other a")).attr("href");
+        URI uri = new URI(link);
+        // Parse the query parameters and check the space name.
+        URLEncodedUtils.parse(uri, StandardCharsets.UTF_8).stream()
+            .filter(pair -> pair.getName().equals("space"))
+            .findFirst()
+            .ifPresentOrElse(pair -> assertEquals(spaceName, pair.getValue()), () -> fail("No space parameter in URL"));
+    }
 }