
Commit ea2e615

committed
XWIKI-19757: Improved translation macro parameters escaping in FlamingoThemesCode.WebHomeSheet
1 parent edffc5c commit ea2e615


4 files changed

+202
-1
lines changed


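--- a/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-theme/xwiki-platform-flamingo-theme-ui/pom.xml
+++ b/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-theme/xwiki-platform-flamingo-theme-ui/pom.xml
@@ -85,6 +85,44 @@
 <type>xar</type>
 <scope>runtime</scope>
 </dependency>
+<dependency>
+<groupId>org.xwiki.rendering</groupId>
+<artifactId>xwiki-rendering-macro-message</artifactId>
+<version>${rendering.version}</version>
+<scope>runtime</scope>
+</dependency>
+<dependency>
+<groupId>org.xwiki.platform</groupId>
+<artifactId>xwiki-platform-localization-macro</artifactId>
+<version>${project.version}</version>
+<scope>runtime</scope>
+</dependency>
+<dependency>
+<groupId>org.xwiki.platform</groupId>
+<artifactId>xwiki-platform-rendering-xwiki</artifactId>
+<version>${project.version}</version>
+<scope>runtime</scope>
+</dependency>
+<!-- Test dependencies. -->
+<dependency>
+<groupId>org.xwiki.platform</groupId>
+<artifactId>xwiki-platform-test-page</artifactId>
+<version>${project.version}</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.xwiki.platform</groupId>
+<artifactId>xwiki-platform-web-templates</artifactId>
+<version>${project.version}</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.xwiki.platform</groupId>
+<artifactId>xwiki-platform-rendering-xwiki</artifactId>
+<version>${project.version}</version>
+<type>test-jar</type>
+<scope>test</scope>
+</dependency>
 </dependencies>
 
 <build>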
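Review bot: The three new runtime-scope dependencies carry no comment saying why a UI (XAR) module now needs them, while the test block below them does get a `<!-- Test dependencies. -->` marker; a reader cannot tell whether they are a packaging requirement or are there only so the new page test can resolve `$services.rendering.escape` and the `translation`/`error` macros. I would add `<!-- Provides the translation/error macros and $services.rendering used by FlamingoThemesCode.WebHomeSheet. -->` above the first new `<dependency>`. If they are in fact needed only by the page test, `test` scope would keep them out of the packaged module; presumably the sheet already relied on them at runtime, so this is worth confirming rather than changing blindly.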

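--- a/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-theme/xwiki-platform-flamingo-theme-ui/src/main/resources/FlamingoThemesCode/WebHomeSheet.xml
+++ b/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-theme/xwiki-platform-flamingo-theme-ui/src/main/resources/FlamingoThemesCode/WebHomeSheet.xml
@@ -280,7 +280,8 @@
 #creationForm()
 #elseif(!$services.csrf.isTokenValid($request.form_token))
 {{error}}
-{{translation key="platform.flamingo.themes.home.create.csrf" parameters="$request.newThemeName" /}}
+#set ($newThemeName = $services.rendering.escape($escapetool.java($request.newThemeName), 'xwiki/2.1'))
+{{translation key="platform.flamingo.themes.home.create.csrf" parameters="~"$newThemeName~""/}}
 {{/error}}
 
 {{html}}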
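Review bot: The added `#set` stacks two escapers aimed at two different parsers and nothing in the sheet says so, which makes it easy for a later "simplification" to drop one layer and reopen the injection. As far as I can tell, `$escapetool.java` protects the translation macro's own parsing of its `parameters` value, `$services.rendering.escape(..., 'xwiki/2.1')` protects the surrounding XWiki 2.1 macro syntax (the `{{error}}` body is presumably parsed as wiki syntax, so a raw `"/}}` in the name would close the macro and whatever follows would execute), and the `~"…~"` wrapping keeps the whole value one quoted parameter. I would put a comment above the `#set`: `## Escaped twice on purpose: once for the translation macro's parameter parser (java), once for the xwiki/2.1 macro syntax it is embedded in. Do not remove either layer.` If `$request.newThemeName` is interpolated into wiki syntax anywhere else in this sheet, those sites need the same treatment; only this branch is in the hunk, and the enclosing `#if` chain starts outside it.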
@@ -0,0 +1,72 @@
1+
/*
2+
* See the NOTICE file distributed with this work for additional
3+
* information regarding copyright ownership.
4+
*
5+
* This is free software; you can redistribute it and/or modify it
6+
* under the terms of the GNU Lesser General Public License as
7+
* published by the Free Software Foundation; either version 2.1 of
8+
* the License, or (at your option) any later version.
9+
*
10+
* This software is distributed in the hope that it will be useful,
11+
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12+
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13+
* Lesser General Public License for more details.
14+
*
15+
* You should have received a copy of the GNU Lesser General Public
16+
* License along with this software; if not, write to the Free
17+
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18+
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19+
*/
20+
package org.xwiki.flamingo;
21+
22+
import java.util.List;
23+
24+
import javax.inject.Inject;
25+
import javax.inject.Named;
26+
import javax.inject.Singleton;
27+
28+
import org.slf4j.Logger;
29+
import org.xwiki.component.annotation.Component;
30+
import org.xwiki.rendering.block.Block;
31+
import org.xwiki.rendering.macro.AbstractMacro;
32+
import org.xwiki.rendering.transformation.MacroTransformationContext;
33+
34+
import static java.util.Collections.emptyList;
35+
36+
/**
37+
* This script prints an error log when it is interpreted, making the test fail.
38+
*
39+
* @version $Id$
40+
* @since 13.10.10
41+
* @since 14.4.6
42+
* @since 14.9RC1
43+
*/
44+
@Component
45+
@Named("noscript")
46+
@Singleton
47+
public class TestNoScriptMacro extends AbstractMacro<Object>
48+
{
49+
@Inject
50+
private Logger logger;
51+
52+
/**
53+
* Default constructor.
54+
*/
55+
public TestNoScriptMacro()
56+
{
57+
super("NoScript", "No Script!");
58+
}
59+
60+
@Override
61+
public boolean supportsInlineMode()
62+
{
63+
return true;
64+
}
65+
66+
@Override
67+
public List<Block> execute(Object parameters, String content, MacroTransformationContext context)
68+
{
69+
this.logger.error("SHOULD NOT BE CALLED");
70+
return emptyList();
71+
}
72+
}
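Review bot: The class Javadoc calls this "a script", but it is a rendering macro registered as `{{noscript}}`, and it does not say how executing it makes a test fail. From the visible code the only effect of `execute` is `logger.error("SHOULD NOT BE CALLED")` plus an empty block list, so the failure presumably relies on the page-test harness treating unexpected error logs as a failure; that assumption deserves to be written down, because a harness that does not capture logs would let the macro run silently, leaving only the page test's text comparison to catch it. I would reword the Javadoc to: `Test macro registered as {{noscript}} that must never be executed. If it is, it logs an error (expected to be reported as a failure by the page-test harness) and produces no output, so the rendered page also loses the literal "{{noscript/}}" text.` A harness-independent alternative is a static `executed` flag set in `execute` that the page test asserts is still false.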
@@ -0,0 +1,90 @@
1+
/*
2+
* See the NOTICE file distributed with this work for additional
3+
* information regarding copyright ownership.
4+
*
5+
* This is free software; you can redistribute it and/or modify it
6+
* under the terms of the GNU Lesser General Public License as
7+
* published by the Free Software Foundation; either version 2.1 of
8+
* the License, or (at your option) any later version.
9+
*
10+
* This software is distributed in the hope that it will be useful,
11+
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12+
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13+
* Lesser General Public License for more details.
14+
*
15+
* You should have received a copy of the GNU Lesser General Public
16+
* License along with this software; if not, write to the Free
17+
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18+
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19+
*/
20+
package org.xwiki.flamingo;
21+
22+
import java.util.Locale;
23+
24+
import org.jsoup.nodes.Document;
25+
import org.junit.jupiter.api.Test;
26+
import org.xwiki.localization.Translation;
27+
import org.xwiki.localization.TranslationBundle;
28+
import org.xwiki.localization.TranslationBundleContext;
29+
import org.xwiki.localization.macro.internal.TranslationMacro;
30+
import org.xwiki.model.reference.DocumentReference;
31+
import org.xwiki.rendering.RenderingScriptServiceComponentList;
32+
import org.xwiki.rendering.block.WordBlock;
33+
import org.xwiki.rendering.internal.configuration.DefaultExtendedRenderingConfiguration;
34+
import org.xwiki.rendering.internal.configuration.RenderingConfigClassDocumentConfigurationSource;
35+
import org.xwiki.rendering.internal.macro.message.ErrorMessageMacro;
36+
import org.xwiki.test.annotation.ComponentList;
37+
import org.xwiki.test.page.HTML50ComponentList;
38+
import org.xwiki.test.page.PageTest;
39+
import org.xwiki.test.page.XWikiSyntax21ComponentList;
40+
41+
import static org.junit.jupiter.api.Assertions.assertEquals;
42+
import static org.mockito.ArgumentMatchers.eq;
43+
import static org.mockito.Mockito.any;
44+
import static org.mockito.Mockito.mock;
45+
import static org.mockito.Mockito.when;
46+
47+
/**
48+
* Test of the {@code FlamingoThemesCode.WebHomeSheet} page.
49+
*
50+
* @version $Id$
51+
* @since 13.10.10
52+
* @since 14.4.6
53+
* @since 14.9RC1
54+
*/
55+
@HTML50ComponentList
56+
@XWikiSyntax21ComponentList
57+
@RenderingScriptServiceComponentList
58+
@ComponentList({
59+
ErrorMessageMacro.class,
60+
TranslationMacro.class,
61+
TestNoScriptMacro.class,
62+
DefaultExtendedRenderingConfiguration.class,
63+
RenderingConfigClassDocumentConfigurationSource.class
64+
})
65+
class WebHomeSheetPageTest extends PageTest
66+
{
67+
@Test
68+
void createAction() throws Exception
69+
{
70+
this.request.put("newThemeName", "some content\"/}}{{noscript/}}");
71+
this.request.put("form_token", "1");
72+
this.request.put("action", "create");
73+
74+
TranslationBundleContext translationBundleContext = this.componentManager
75+
.getInstance(TranslationBundleContext.class);
76+
TranslationBundle translationBundle = mock(TranslationBundle.class);
77+
Translation translation = mock(Translation.class);
78+
when(translation.getLocale()).thenReturn(Locale.ENGLISH);
79+
when(translation.render(any(), any())).thenAnswer(invocationOnMock -> new WordBlock(
80+
"platform.flamingo.themes.home.create.csrf " + invocationOnMock.getArgument(1)));
81+
when(translationBundle.getTranslation(eq("platform.flamingo.themes.home.create.csrf"), any()))
82+
.thenReturn(translation);
83+
translationBundleContext.addBundle(translationBundle);
84+
85+
Document document = this.renderHTMLPage(new DocumentReference("xwiki", "FlamingoThemesCode", "WebHomeSheet"));
86+
87+
assertEquals("platform.flamingo.themes.home.create.csrf some content\"/}}{{noscript/}}",
88+
document.select(".box.errormessage").text());
89+
}
90+
}
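Review bot: The single payload `some content"/}}{{noscript/}}` exercises only the macro-close vector, while the fix in the sheet layers two escapers whose other special characters (`~` for xwiki/2.1, `\` for the Java escaper, `,` as a likely parameter separator for the translation macro) are never fed through the test, so a regression in either layer for those characters would pass. The method name `createAction` also hides that the scenario is the invalid-CSRF-token branch, which is the only place the escaping lives. I would turn it into a parameterized test over several payloads and derive the expected text from the input, renaming it to say what it checks; this needs `junit-jupiter-params` on the test classpath if the module does not already have it, and the expected values for the `\` and `,` cases should be confirmed against the translation macro's actual parameter parsing before being pinned.

```java
@ParameterizedTest
@ValueSource(strings = {
    "some content\"/}}{{noscript/}}",
    "tilde~\"/}}{{noscript/}}",
    "backslash\\\"/}}{{noscript/}}",
    "comma, \"/}}{{noscript/}}"
})
void createActionWithInvalidCsrfTokenEscapesThemeName(String newThemeName) throws Exception
{
    this.request.put("newThemeName", newThemeName);
    // … unchanged: form_token and action parameters, translation bundle mock, page rendering …
    assertEquals("platform.flamingo.themes.home.create.csrf " + newThemeName,
        document.select(".box.errormessage").text());
}
```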
