From aca1d677c58563bbe6e35c9e1c29fd8b12ebb996 Mon Sep 17 00:00:00 2001
From: Manuel Leduc
Date: Fri, 2 Dec 2022 13:22:16 +0100
Subject: [PATCH] XWIKI-20275: Improved escaping on XWiki.AttachmentSelector
---
 .../main/resources/XWiki/AttachmentSelector.xml | 4 +++-
 .../attachment/AttachmentSelectorPageTest.java | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-ui/src/main/resources/XWiki/AttachmentSelector.xml b/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-ui/src/main/resources/XWiki/AttachmentSelector.xml
index d39e265e68a2..a79736611053 100644
--- a/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-ui/src/main/resources/XWiki/AttachmentSelector.xml
+++ b/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-ui/src/main/resources/XWiki/AttachmentSelector.xml
@@ -371,8 +371,10 @@
 $xwiki.jsx.use($attachmentPickerDocName)
 $!targetDocument.use($targetDocument.getObject($options.classname, $options.object))##
 #attachmentPicker_displayAttachmentGallery($targetDocument, $targetAttachDocument, $options)
+ #set ($cancelLinkName = $services.rendering.escape($services.rendering.escape($services.localization.render("${translationPrefix}.cancel"), 'xwiki/2.1'), 'xwiki/2.1'))
+ #set ($cancelLinkTarget = $services.rendering.escape($services.model.serialize($targetDocument), 'xwiki/2.1'))
 (% class="gallery_buttons buttons" %)(((
- (% class="buttonwrapper secondary" %)[[$services.localization.render("${translationPrefix}.cancel")>>${targetDocument}||class="button secondary" id="attachment-picker-close"]]
+ (% class="buttonwrapper secondary" %)[[$cancelLinkName>>$cancelLinkTarget||class="button secondary" id="attachment-picker-close"]]
 )))
 #end
 {{/velocity}}
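Review bot: The added `$cancelLinkName` line escapes the label twice while `$cancelLinkTarget` is escaped once, and nothing in the template records why, so a later cleanup could drop the outer call and reopen the wiki-syntax injection this commit closes. Presumably the link label is parsed again as wiki content after the link itself is parsed; a comment above the first `#set`, such as `## Escaped twice: the link label is itself parsed as wiki content (to confirm)`, would make that explicit. The literal `'xwiki/2.1'` is also repeated three times and has to match the syntax this page is actually rendered in, so holding it in one variable, for example `#set ($escapeSyntax = 'xwiki/2.1')`, keeps the calls in step. The Velocity block closed by `#end` starts outside the hunk.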
diff --git a/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-ui/src/test/java/org/xwiki/attachment/AttachmentSelectorPageTest.java b/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-ui/src/test/java/org/xwiki/attachment/AttachmentSelectorPageTest.java
index 392dadb4754d..cb6db380a11f 100644
--- a/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-ui/src/test/java/org/xwiki/attachment/AttachmentSelectorPageTest.java
+++ b/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-ui/src/test/java/org/xwiki/attachment/AttachmentSelectorPageTest.java
@@ -40,6 +40,7 @@
 import org.xwiki.component.wiki.internal.bridge.DefaultContentParser;
 import org.xwiki.icon.IconManagerScriptService;
 import org.xwiki.icon.internal.DefaultIconManagerComponentList;
+import org.xwiki.model.internal.reference.converter.EntityReferenceConverter;
 import org.xwiki.model.reference.AttachmentReference;
 import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.model.script.ModelScriptService;
@@ -110,7 +111,9 @@
 // End WikiMacroEventListener
 TemporaryAttachmentsScriptService.class,
 IconManagerScriptService.class,
- DocumentReferenceConverter.class
+ DocumentReferenceConverter.class,
+ EntityReferenceConverter.class,
+ ModelScriptService.class,
 })
 class AttachmentSelectorPageTest extends PageTest
 {
@@ -336,6 +339,17 @@ void withTemporaryAttachment() throws Exception
 + "be found");
 }

+ @Test
+ void cancelButton() throws Exception
+ {
+ commonFixup("test.png");
+
+ this.request.put("docname", "xwiki:Space.]] {{noscript/}}");
+
+ Document document = renderHTMLPage(new DocumentReference("xwiki", "XWiki", "AttachmentSelector"));
+ assertEquals("Space.]] {{noscript/}}", document.getElementById("attachment-picker-close").attr("href"));
+ }
+
 private void attachmentSelectorMacroFixup() throws Exception
 {
 DocumentReference attachmentSelectorDocumentReference =
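Review bot: `cancelButton` asserts only the `href` of `attachment-picker-close`, so the link label, which is the value the template escapes twice, has no regression check. A missing element would also surface as a NullPointerException on `.attr("href")` rather than as a readable assertion failure. Consider fetching the element once, asserting it is not null, and also asserting its text, e.g. `assertEquals(expectedLabel, closeLink.text());`, where `expectedLabel` is whatever the cancel translation resolves to in this test setup (not visible in the hunk). A short comment on the test saying that the `docname` value closes a wiki link and opens a macro would tell the next reader why that exact string was chosen.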