xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability

@@ -148,6 +148,14 @@
       <version>${project.version}</version>
       <scope>test</scope>
     </dependency>
+    <!-- Provides the component list for RenderingScriptService. -->
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-rendering-xwiki</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>
     <plugins>

@@ -37,43 +37,6 @@
   <syntaxId>xwiki/2.1</syntaxId>
   <hidden>true</hidden>
   <content/>
-  <object>
-    <name>Panels.IncludedPagesDocumentInformation</name>
-    <number>0</number>
-    <className>NumberedHeadings.Code.NumberedHeadingsClass</className>
-    <guid>1ca27444-5837-4d6b-8e07-2fff6a8b46ed</guid>
-    <class>
-      <name>NumberedHeadings.Code.NumberedHeadingsClass</name>
-      <customClass/>
-      <customMapping/>
-      <defaultViewSheet/>
-      <defaultEditSheet/>
-      <defaultWeb/>
-      <nameField/>
-      <validationScript/>
-      <status>
-        <cache>0</cache>
-        <disabled>0</disabled>
-        <displayType>select</displayType>
-        <freeText>forbidden</freeText>
-        <largeStorage>0</largeStorage>
-        <multiSelect>0</multiSelect>
-        <name>status</name>
-        <number>1</number>
-        <prettyName>Status</prettyName>
-        <relationalStorage>0</relationalStorage>
-        <separator> </separator>
-        <separators>|, </separators>
-        <size>1</size>
-        <unmodifiable>0</unmodifiable>
-        <values>|activated|deactivated</values>
-        <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType>
-      </status>
-    </class>
-    <property>
-      <status/>
-    </property>
-  </object>
   <object>
     <name>Panels.IncludedPagesDocumentInformation</name>
     <number>0</number>
@@ -248,7 +211,10 @@
 #if($pages.size() != 0)
   {{html clean="false"}}&lt;dt&gt;{{/html}}$services.localization.render('panels.documentInformation.includesCount', [$pages.size()]){{html clean="false"}}&lt;/dt&gt;{{/html}}
   #foreach ($page in $pages)
-  {{html clean="false"}}&lt;dd&gt;{{/html}}[[$page&gt;&gt;$page]] [[[[image:icon:page_white_edit||alt="$services.localization.render('panels.documentInformation.editIncluded', [$page])"]]&gt;&gt;path:$xwiki.getURL($page, 'edit')]]{{html clean="false"}}&lt;/dd&gt;{{/html}}
+    #set ($pageLink = $services.rendering.escape($page, 'xwiki/2.1'))
+    #set ($pageName = $services.rendering.escape($services.rendering.escape($page, 'xwiki/2.1'), 'xwiki/2.1'))
+    #set ($alt = $services.rendering.escape($services.localization.render('panels.documentInformation.editIncluded', [$page]), 'xwiki/2.1'))
+    {{html clean="false"}}&lt;dd&gt;{{/html}}[[$pageName&gt;&gt;$pageLink]] [[[[image:icon:page_white_edit||alt="$alt"]]&gt;&gt;path:$xwiki.getURL($page, 'edit')]]{{html clean="false"}}&lt;/dd&gt;{{/html}}
   #end
 #end
 ##--------------------------------------------------------------------------

@@ -0,0 +1,134 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.panels;
+
+import org.jsoup.nodes.Document;
+import org.jsoup.select.Elements;
+import org.junit.jupiter.api.Test;
+import org.xwiki.bridge.event.DocumentCreatedEvent;
+import org.xwiki.component.manager.ComponentManager;
+import org.xwiki.component.wiki.internal.DefaultWikiComponentManager;
+import org.xwiki.component.wiki.internal.DefaultWikiComponentManagerContext;
+import org.xwiki.component.wiki.internal.WikiComponentManagerEventListenerHelper;
+import org.xwiki.component.wiki.internal.bridge.DefaultContentParser;
+import org.xwiki.component.wiki.internal.bridge.DefaultWikiObjectComponentManagerEventListener;
+import org.xwiki.component.wiki.internal.bridge.WikiObjectComponentManagerEventListenerProxy;
+import org.xwiki.model.reference.DocumentReference;
+import org.xwiki.observation.EventListener;
+import org.xwiki.rendering.RenderingScriptServiceComponentList;
+import org.xwiki.rendering.async.internal.block.DefaultBlockAsyncRenderer;
+import org.xwiki.rendering.internal.configuration.DefaultExtendedRenderingConfiguration;
+import org.xwiki.rendering.internal.configuration.RenderingConfigClassDocumentConfigurationSource;
+import org.xwiki.rendering.syntax.Syntax;
+import org.xwiki.security.authorization.AuthorizationManager;
+import org.xwiki.test.annotation.ComponentList;
+import org.xwiki.test.page.HTML50ComponentList;
+import org.xwiki.test.page.PageTest;
+import org.xwiki.test.page.TestNoScriptMacro;
+import org.xwiki.test.page.XWikiSyntax21ComponentList;
+import org.xwiki.uiextension.internal.DefaultUIExtensionManager;
+import org.xwiki.uiextension.internal.WikiUIExtensionComponentBuilder;
+import org.xwiki.uiextension.script.UIExtensionScriptService;
+
+import com.xpn.xwiki.doc.XWikiDocument;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+import static org.xwiki.component.wiki.internal.bridge.DefaultWikiObjectComponentManagerEventListener.EVENT_LISTENER_NAME;
+
+/**
+ * Test of {@code Panels.IncludedPagesDocumentInformation}.
+ *
+ * @version $Id$
+ * @since 14.10RC1
+ * @since 14.4.7
+ */
+@XWikiSyntax21ComponentList
+@HTML50ComponentList
+@RenderingScriptServiceComponentList
+@ComponentList({
+    UIExtensionScriptService.class,
+    DefaultUIExtensionManager.class,
+    DefaultWikiObjectComponentManagerEventListener.class,
+    WikiObjectComponentManagerEventListenerProxy.class,
+    WikiComponentManagerEventListenerHelper.class,
+    DefaultWikiComponentManager.class,
+    DefaultWikiComponentManagerContext.class,
+    WikiUIExtensionComponentBuilder.class,
+    DefaultContentParser.class,
+    // Start - Required in addition of RenderingScriptServiceComponentList
+    DefaultExtendedRenderingConfiguration.class,
+    RenderingConfigClassDocumentConfigurationSource.class,
+    // End - Required in additional of RenderingScriptServiceComponentList
+    DefaultBlockAsyncRenderer.class,
+    TestNoScriptMacro.class
+})
+class IncludedPagesDocumentInformationPageTest extends PageTest
+{
+    @Test
+    void render() throws Exception
+    {
+        // Load the UIX.
+        XWikiDocument includedPagesDoc =
+            loadPage(new DocumentReference("xwiki", "Panels", "IncludedPagesDocumentInformation"));
+        this.componentManager.registerComponent(ComponentManager.class, "wiki", this.componentManager);
+        AuthorizationManager authorizationManager =
+            this.componentManager.registerMockComponent(AuthorizationManager.class);
+        when(authorizationManager.hasAccess(any(), any(), any())).thenReturn(true);
+        // The listeners are not registered by default. We trigger it manually so that the UIX is registered and can be
+        // found and rendered.
+        this.componentManager.<EventListener>getInstance(EventListener.class, EVENT_LISTENER_NAME)
+            .onEvent(new DocumentCreatedEvent(), includedPagesDoc, null);
+
+        // We initialize a document with an include macro, so that the UIX has something to render. 
+        this.context.setDoc(initDocWithInclude());
+        // Create the UIXP so that the UIX can be rendered.
+        Document document = renderHTMLPage(initUIXPDoc());
+        Elements as = document.select("a");
+        assertEquals("XWiki.{{noscript}}\">]]<strong>bold</strong>\"", as.get(0).attr("href"));
+        assertEquals("path:/xwiki/bin/edit/XWiki/%7B%7Bnoscript%7D%7D%22%3E%5D%5D%3Cstrong%3Ebold%3C%2Fstrong%3E%22",
+            as.get(1).attr("href"));
+        assertEquals("panels.documentInformation.editIncluded [XWiki.{{noscript}}\">]]<strong>bold</strong>\"]",
+            as.get(1).selectFirst("img").attr("alt"));
+    }
+
+    private XWikiDocument initDocWithInclude()
+    {
+        XWikiDocument document = new XWikiDocument(new DocumentReference("xwiki", "XWiki", "PageWithReference"));
+        document.setSyntax(Syntax.XWIKI_2_0);
+        document.setContent("{{display reference=\"{{noscript~}~}~\">]]<strong>bold</strong>~\"\"/}}");
+        return document;
+    }
+
+    private static XWikiDocument initUIXPDoc()
+    {
+        XWikiDocument document = new XWikiDocument(new DocumentReference("xwiki", "XWiki", "Test"));
+        document.setSyntax(Syntax.XWIKI_2_0);
+        document.setContent("{{velocity}}\n"
+            + "{{html}}\n"
+            + "#foreach ($extension in $services.uix.getExtensions('org.xwiki.platform.panels.documentInformation'))\n"
+            + "  $services.rendering.render($extension.execute(), 'html/5.0')\n"
+            + "#end\n"
+            + "{{/html}}"
+            + "{{/velocity}}");
+        return document;
+    }
+}