org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability

@@ -61,6 +61,7 @@
 import org.xwiki.test.page.HTML50ComponentList;
 import org.xwiki.test.page.IconSetup;
 import org.xwiki.test.page.PageTest;
+import org.xwiki.test.page.TestNoScriptMacro;
 import org.xwiki.test.page.XWikiSyntax21ComponentList;
 import org.xwiki.xml.internal.html.filter.ControlCharactersFilter;
 

@@ -1,72 +0,0 @@
-/*
- * See the NOTICE file distributed with this work for additional
- * information regarding copyright ownership.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-package org.xwiki.flamingo;
-
-import java.util.List;
-
-import javax.inject.Inject;
-import javax.inject.Named;
-import javax.inject.Singleton;
-
-import org.slf4j.Logger;
-import org.xwiki.component.annotation.Component;
-import org.xwiki.rendering.block.Block;
-import org.xwiki.rendering.macro.AbstractMacro;
-import org.xwiki.rendering.transformation.MacroTransformationContext;
-
-import static java.util.Collections.emptyList;
-
-/**
- * This script prints an error log when it is interpreted, making the test fail.
- *
- * @version $Id$
- * @since 13.10.10
- * @since 14.4.6
- * @since 14.9RC1
- */
-@Component
-@Named("noscript")
-@Singleton
-public class TestNoScriptMacro extends AbstractMacro<Object>
-{
-    @Inject
-    private Logger logger;
-
-    /**
-     * Default constructor.
-     */
-    public TestNoScriptMacro()
-    {
-        super("NoScript", "No Script!");
-    }
-
-    @Override
-    public boolean supportsInlineMode()
-    {
-        return true;
-    }
-
-    @Override
-    public List<Block> execute(Object parameters, String content, MacroTransformationContext context)
-    {
-        this.logger.error("SHOULD NOT BE CALLED");
-        return emptyList();
-    }
-}

@@ -19,30 +19,21 @@
  */
 package org.xwiki.flamingo;
 
-import java.util.Locale;
-
 import org.jsoup.nodes.Document;
 import org.junit.jupiter.api.Test;
-import org.xwiki.localization.Translation;
-import org.xwiki.localization.TranslationBundle;
-import org.xwiki.localization.TranslationBundleContext;
 import org.xwiki.localization.macro.internal.TranslationMacro;
 import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.rendering.RenderingScriptServiceComponentList;
-import org.xwiki.rendering.block.WordBlock;
 import org.xwiki.rendering.internal.configuration.DefaultExtendedRenderingConfiguration;
 import org.xwiki.rendering.internal.configuration.RenderingConfigClassDocumentConfigurationSource;
 import org.xwiki.rendering.internal.macro.message.ErrorMessageMacro;
 import org.xwiki.test.annotation.ComponentList;
 import org.xwiki.test.page.HTML50ComponentList;
 import org.xwiki.test.page.PageTest;
+import org.xwiki.test.page.TestNoScriptMacro;
 import org.xwiki.test.page.XWikiSyntax21ComponentList;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 
 /**
  * Test of the {@code FlamingoThemesCode.WebHomeSheet} page.
@@ -71,20 +62,9 @@ void createAction() throws Exception
         this.request.put("form_token", "1");
         this.request.put("action", "create");
 
-        TranslationBundleContext translationBundleContext = this.componentManager
-            .getInstance(TranslationBundleContext.class);
-        TranslationBundle translationBundle = mock(TranslationBundle.class);
-        Translation translation = mock(Translation.class);
-        when(translation.getLocale()).thenReturn(Locale.ENGLISH);
-        when(translation.render(any(), any())).thenAnswer(invocationOnMock -> new WordBlock(
-            "platform.flamingo.themes.home.create.csrf " + invocationOnMock.getArgument(1)));
-        when(translationBundle.getTranslation(eq("platform.flamingo.themes.home.create.csrf"), any()))
-            .thenReturn(translation);
-        translationBundleContext.addBundle(translationBundle);
-
         Document document = this.renderHTMLPage(new DocumentReference("xwiki", "FlamingoThemesCode", "WebHomeSheet"));
 
-        assertEquals("platform.flamingo.themes.home.create.csrf some content\"/}}{{noscript/}}",
+        assertEquals("platform.flamingo.themes.home.create.csrf [some content\"/}}{{noscript/}}]",
             document.select(".box.errormessage").text());
     }
 }

@@ -144,7 +144,7 @@ void renderTable() throws Exception
         assertEquals("help.macroList.description", includeMacroRowTds.get(3).text());
         assertEquals("help.macroList.visibility", includeMacroRowTds.get(4).text());
         assertWikiMacro(trs.get(1), "mymacro", "/xwiki/bin/view/XWiki/MyMacro", "My Macro",
-            Set.of("Category1", "Category2"), "My Macro Description", "WIKI");
+            Set.of("Category1", "Category2"), "My Macro Description", "XWiki.WikiMacroClass_visibility_WIKI");
         assertJavaMacro(trs.get(2), "velocity", "Velocity", "Development", "Executes a Velocity script.",
             "XWiki.WikiMacroClass_visibility_Global");
         assertJavaMacro(trs.get(3), "translation", "Translation", "Content",

@@ -19,14 +19,21 @@
  */
 package org.xwiki.test.page;
 
+import java.util.Arrays;
 import java.util.Collection;
+import java.util.Locale;
 import java.util.stream.Collectors;
 
-import org.mockito.stubbing.Answer;
+import org.mockito.invocation.InvocationOnMock;
+import org.xwiki.localization.Translation;
+import org.xwiki.localization.TranslationBundle;
+import org.xwiki.localization.TranslationBundleContext;
 import org.xwiki.localization.script.LocalizationScriptService;
+import org.xwiki.rendering.block.WordBlock;
 import org.xwiki.script.service.ScriptService;
 import org.xwiki.test.TestComponentManager;
 
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyCollection;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.mock;
@@ -51,7 +58,6 @@ private LocalizationSetup()
      * <p>
      * For instance, calling {@code $services.localization.render('my.key')} returns {@code "my.key"}, and calling
      * {@code $services.localization.render('my.key2', 'a', 1)} returns {@code "my.key2 [a, 1]"}.
-     * 
      *
      * @param tcm the stubbed Component Manager for the test
      * @throws Exception when a setup error occurs
@@ -60,26 +66,77 @@ public static void setUp(TestComponentManager tcm) throws Exception
     {
         LocalizationScriptService lss = mock(LocalizationScriptService.class);
         tcm.registerComponent(ScriptService.class, "localization", lss);
-        
+
         // The translations are mocked by returning the translation, suffixed with the list of the String.valueOf
         // values of the translation parameters if they exist.
         // We mock the translations instead of using their actual values because they are subject to change from
         // Weblate, possibly making the build fail unexpectedly.
-        when(lss.render(anyString())).thenAnswer(
-            (Answer<String>) invocationOnMock -> {
+        when(lss.render(anyString())).thenAnswer(invocationOnMock -> {
                 // Return the translation key as the value
-                return invocationOnMock.getArgument(0);
+                return renderString(invocationOnMock.getArgument(0), new Object[] {});
             }
         );
-        when(lss.render(anyString(), anyCollection())).thenAnswer((Answer<String>) invocationOnMock -> {
+        when(lss.render(anyString(), anyCollection())).thenAnswer(invocationOnMock -> {
             // Displays the comma-separated list of parameters between squared brackets after the translation key as
             // the value, so that they can be verified in tests.
             // For instance: my.key [paramA, paramB]
-            Object key = invocationOnMock.getArgument(0);
             Collection<?> parameters = invocationOnMock.getArgument(1);
-            return parameters.stream()
-                .map(String::valueOf)
-                .collect(Collectors.joining(", ", key + " [", "]"));
+            return renderString(invocationOnMock.getArgument(0), parameters.toArray());
         });
+
+        TranslationBundleContext translationBundleContext = tcm.getInstance(TranslationBundleContext.class);
+        TranslationBundle translationBundle = mock(TranslationBundle.class);
+        when(translationBundle.getTranslation(any(), any()))
+            .thenAnswer(invocationOnMockTranslation -> {
+                Translation translation = mock(Translation.class);
+                when(translation.getLocale()).thenReturn(Locale.ENGLISH);
+                String translationKey = invocationOnMockTranslation.getArgument(0);
+                when(translation.getKey()).thenReturn(translationKey);
+                when(translation.render(any())).thenAnswer(invocationOnMockRender -> {
+                    Object[] parameters = getVarArgs(invocationOnMockRender, 0);
+                    return renderBlock(translationKey, parameters);
+                });
+                when(translation.render(any(), any())).thenAnswer(invocationOnMockRender -> {
+                    Object[] parameters = getVarArgs(invocationOnMockRender, 1);
+                    return renderBlock(translationKey, parameters);
+                });
+                return translation;
+            });
+        translationBundleContext.addBundle(translationBundle);
+    }
+
+    private static WordBlock renderBlock(String translationKey, Object[] parameters)
+    {
+        return new WordBlock(renderString(translationKey, parameters));
+    }
+
+    private static String renderString(String translationKey, Object[] parameters)
+    {
+        String word;
+        if (parameters.length == 0) {
+            word = translationKey;
+        } else {
+            String parametersString = Arrays.stream(parameters)
+                .map(String::valueOf)
+                .collect(Collectors.joining(", ", "[", "]"));
+            word = String.format("%s %s", translationKey, parametersString);
+        }
+        return word;
+    }
+
+    private static Object[] getVarArgs(InvocationOnMock invocationOnMockRender, int i)
+    {
+        Object[] parameters;
+        if (invocationOnMockRender.getArguments().length > i) {
+            Object argument = invocationOnMockRender.getArgument(i);
+            if (argument instanceof String) {
+                parameters = new Object[] { argument };
+            } else {
+                parameters = (Object[]) argument;
+            }
+        } else {
+            parameters = new Object[] {};
+        }
+        return parameters;
     }
 }

@@ -17,7 +17,7 @@
  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  */
-package org.xwiki.attachment;
+package org.xwiki.test.page;
 
 import java.util.List;
 
@@ -34,12 +34,12 @@
 import static java.util.Collections.emptyList;
 
 /**
- * This script prints an error log when it is interpreted, making the test fail.
+ * This macro prints an error log when it is executed, making the page test fail.
  *
  * @version $Id$
- * @since 14.5
- * @since 14.4.2
- * @since 13.10.7
+ * @since 13.10.11
+ * @since 14.4.7
+ * @since 14.10RC1
  */
 @Component
 @Named("noscript")

@@ -1 +1,2 @@
 org.xwiki.test.page.StubRenderingConfiguration
+org.xwiki.test.page.TestNoScriptMacro

@@ -59,14 +59,14 @@ class DisplayPageTest extends PageTest
 
     private static final String FIELD_PRETTY_NAME = "Test Field";
 
-    private static final String DEFAULT_LABEL = "defaultValue";
+    private static final String DEFAULT_LABEL = "space.page_testField_";
 
     private static final String VALUE_1 = "value1";
 
     private static final String DEFAULT_SELECT =
         "<select id='space.page_0_testField' name='space.page_0_testField' size='1'>"
-        + "<option selected='selected' value='' label='defaultValue'>defaultValue</option>"
-        + "<option value='value1' label='value1'>value1</option></select>"
+        + "<option selected='selected' value='' label='space.page_testField_'>space.page_testField_</option>"
+        + "<option value='value1' label='space.page_testField_value1'>space.page_testField_value1</option></select>"
         + "<input name='space.page_0_testField' type='hidden' value=''/>";
 
     private TemplateManager templateManager;

@@ -129,6 +129,13 @@
       <version>${project.version}</version>
       <type>xar</type>
     </dependency>
+    <!-- Runtime dependencies. -->
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-rendering-xwiki</artifactId>
+      <version>${project.version}</version>
+      <scope>runtime</scope>
+    </dependency>
     <!-- Needed to display wiki activity in the user profile "Wiki" tab -->
     <dependency>
       <groupId>org.xwiki.platform</groupId>
@@ -164,6 +171,13 @@
       <type>test-jar</type>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-rendering-xwiki</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>
     <plugins>

@@ -60,7 +60,8 @@
   ##
   #if (!$wiki)
     #if (!$services.wiki.lastError)
-      {{error}}{{translation key="platform.wiki.error.wikidoesnotexist" parameters="$wikiId"/}}{{/error}}
+      #set ($escapedWikiId = $services.rendering.escape($escapetool.java($wikiId), 'xwiki/2.1'))
+      {{error}}{{translation key="platform.wiki.error.wikidoesnotexist" parameters="~"${escapedWikiId}~""/}}{{/error}}
     #else
       #printException($services.wiki.lastError)
     #end

@@ -0,0 +1,66 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.wiki;
+
+import org.jsoup.nodes.Document;
+import org.junit.jupiter.api.Test;
+import org.xwiki.localization.macro.internal.TranslationMacro;
+import org.xwiki.model.reference.DocumentReference;
+import org.xwiki.rendering.RenderingScriptServiceComponentList;
+import org.xwiki.rendering.internal.configuration.DefaultExtendedRenderingConfiguration;
+import org.xwiki.rendering.internal.configuration.RenderingConfigClassDocumentConfigurationSource;
+import org.xwiki.rendering.internal.macro.message.ErrorMessageMacro;
+import org.xwiki.test.annotation.ComponentList;
+import org.xwiki.test.page.HTML50ComponentList;
+import org.xwiki.test.page.PageTest;
+import org.xwiki.test.page.TestNoScriptMacro;
+import org.xwiki.test.page.XWikiSyntax21ComponentList;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+/**
+ * Test of the {@code WikiManager.DeleteWiki} page.
+ *
+ * @version $Id$
+ * @since 13.10.11
+ * @since 14.4.7
+ * @since 14.10RC1
+ */
+@HTML50ComponentList
+@XWikiSyntax21ComponentList
+@RenderingScriptServiceComponentList
+@ComponentList({
+    ErrorMessageMacro.class,
+    TranslationMacro.class,
+    TestNoScriptMacro.class,
+    DefaultExtendedRenderingConfiguration.class,
+    RenderingConfigClassDocumentConfigurationSource.class
+})
+class DeleteWikiPageTest extends PageTest
+{
+    @Test
+    void unknownWikiId() throws Exception
+    {
+        this.request.put("wikiId", "\" /}}{{noscript/}}");
+        Document document = renderHTMLPage(new DocumentReference("xwiki", "WikiManager", "DeleteWiki"));
+        assertEquals("platform.wiki.error.wikidoesnotexist [\" /}}{{noscript/}}]",
+            document.select(".box.errormessage").text());
+    }
+}

@@ -58,7 +58,7 @@
 @ComponentList({
     ControlCharactersFilter.class,
 })
-class WikiManagerTest extends PageTest
+class WikiManagerPageTest extends PageTest
 {
     /**
      * Verify the resolved configuration of the Live Data macro (stored in the {@code data-config} attribute of the