XWIKI-20268: Improve escaping in AdminTemplatesSheet

xwiki · Dec 1, 2022 · 7bf7094 · 7bf7094
1 parent 07af26f
commit 7bf7094
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/...inistration-test-docker/src/test/it/org/xwiki/administration/test/ui/PageTemplatesIT.java b/...inistration-test-docker/src/test/it/org/xwiki/administration/test/ui/PageTemplatesIT.java
@@ -25,6 +25,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Order;
 import org.junit.jupiter.api.Test;
+import org.openqa.selenium.WebElement;
 import org.xwiki.administration.test.po.TemplateProviderInlinePage;
 import org.xwiki.administration.test.po.TemplatesAdministrationSectionPage;
 import org.xwiki.model.reference.DocumentReference;
@@ -358,6 +359,29 @@ void createPageFromForbiddenTemplate(TestUtils setup, TestReference testReferenc
         assertEquals("Some content in that page", viewPage.getContent());
     }
 
+    /**
+     * The goal of this test is to check that the template provider's title is correctly escaped.
+     */
+    @Test
+    @Order(5)
+    void templateProviderTitleEscaping(TestUtils setup, TestReference testReference) throws Exception
+    {
+        cleanUp(setup, testReference);
+
+        // Create a template
+        String templateContent = "Templates are fun";
+        String providerName = "{{html}}<span>HTML</span>{{/html}}";
+        LocalDocumentReference templateProviderReference = new LocalDocumentReference(providerName,
+            testReference.getLocalDocumentReference().getParent());
+        createTemplateAndTemplateProvider(setup, templateProviderReference, templateContent,
+            "Funny templates", true);
+
+        TemplatesAdministrationSectionPage adminPage = TemplatesAdministrationSectionPage.gotoPage();
+        List<WebElement> links = adminPage.getExistingTemplatesLinks();
+        assertFalse(links.stream().anyMatch(element -> element.getText().equals("HTML")));
+        assertTrue(links.stream().anyMatch(element -> providerName.equals(element.getText())));
+    }
+
     /**
      * Helper function to Create both a Template and a Template Provider for the tests in this class.
      */

diff --git a/...tration/xwiki-platform-administration-ui/src/main/resources/XWiki/AdminTemplatesSheet.xml b/...tration/xwiki-platform-administration-ui/src/main/resources/XWiki/AdminTemplatesSheet.xml
@@ -112,7 +112,7 @@
   == {{translation key="admin.templates.providerslist"/}} ==
 
     #foreach($providerFullname in $availableProviders)
-      * [[$services.rendering.escape($xwiki.getDocument($providerFullname).plainTitle, $xwiki.currentContentSyntaxId)&gt;&gt;$providerFullname]]
+      * [[$services.rendering.escape($services.rendering.escape($xwiki.getDocument($providerFullname).plainTitle, $xwiki.currentContentSyntaxId), $xwiki.currentContentSyntaxId)&gt;&gt;$services.rendering.escape($providerFullname, $xwiki.currentContentSyntaxId)]]
     #end
   )))
 #end