Moderate severityNVD Advisory· Published Aug 5, 2025· Updated Aug 6, 2025

XWiki Platform contains Reflected XSS vulnerability in two templates

CVE-2025-32430

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates (extension.vm and job_status_json.vm) contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To work around the issue, manually patch the deployed WAR with the same changes as the original patch.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.xwiki.platform:xwiki-platform-web-templates (Maven) | >= 4.2-milestone-3, < 16.4.8 | 16.4.8
org.xwiki.platform:xwiki-platform-web-templates (Maven) | >= 16.5.0-rc-1, < 16.10.6 | 16.10.6
org.xwiki.platform:xwiki-platform-web-templates (Maven) | >= 17.0.0-rc-1, < 17.3.0-rc-1 | 17.3.0-rc-1

Affected products

1

Patches

1
e5926a938cbe

XWIKI-23096: Improve escaping in extension.vm and job_status_json.vm

https://github.com/xwiki/xwiki-platform · Michael Hamann · Apr 11, 2025 · via ghsa
5 files changed · +150 −7
  • xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/pom.xml+7 0 modified
    @@ -184,5 +184,12 @@
           <version>${commons.version}</version>
           <scope>test</scope>
         </dependency>
    +    <!-- Extension manager script service -->
    +    <dependency>
    +      <groupId>org.xwiki.platform</groupId>
    +      <artifactId>xwiki-platform-extension-script</artifactId>
    +      <version>${project.version}</version>
    +      <scope>test</scope>
    +    </dependency>
       </dependencies>
     </project>
    
  • xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/extension.vm+7 6 modified
    @@ -175,7 +175,7 @@
     #set ($name = $name.substring($mathtool.add($name.indexOf(':'), 1)))
     #end
     #end
    -${name}##
    +${escapetool.xml($name)}##
     #end
     
     #macro (displayExtensionActionButtons $extension $readOnly)
    @@ -604,21 +604,22 @@ $namespace##
       #end
       #set ($dependencyStatus = 'unknown')
       #set ($dependencyStatusMessage = $NULL)
    -  #set ($dependencyName = $dependencyId)
    +  #set ($dependencyName = $escapetool.xml($dependencyId))
       #if ($dependencyExtension)
         ## The extension status is determined for the $extensionNamespace . The name of this parameter is very important
         ## because it has to overwrite the global variable with the same name.
         #determineExtensionStatus($dependencyExtension $dependencyStatus $dependencyStatusMessage $dependencyOrExtension.versionConstraint)
         #set ($dependencyURL = "#getExtensionURL($dependencyId $dependencyVersion)")
    -    #set ($dependencyName = "<a href=""$dependencyURL"" class=""extension-link"">#displayExtensionName($dependencyExtension)</a>")
    +    #set ($dependencyName = "<a href=""$escapetool.xml($dependencyURL)"" class=""extension-link"">#displayExtensionName($dependencyExtension)</a>")
       #end
    -  <div class="dependency-item extension-item-$dependencyStatus">
    -    <span class="extension-name">${dependencyName}</span><span class="extension-version">$!dependencyVersion</span>
    +  <div class="dependency-item extension-item-$escapetool.xml($dependencyStatus)">
    +    <span class="extension-name">${dependencyName}</span><span
    +          class="extension-version">$!escapetool.xml($dependencyVersion)</span>
         #if ($extensionNamespace.startsWith('wiki:'))
           <span class="extension-namespace">$services.localization.render('extensions.info.dependency.wiki', ["#wikiHomePageLink($extensionNamespace)"])</span>
         #end
         #if ("$!dependencyStatusMessage" != '')
    -      <span class="extension-status">$dependencyStatusMessage</span>
    +      <span class="extension-status">$escapetool.xml($dependencyStatusMessage)</span>
         #end
       </div>
     #end
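Review bot: `$escapetool.xml($dependencyURL)` in the new `<a href=""...""` line stops attribute breakout but does nothing against a URL-scheme payload — if `#getExtensionURL` (defined outside this hunk) ever concatenates the raw `$dependencyId` into the URL instead of going through the URL factory, a `javascript:` value passes XML escaping untouched. Presumably it produces a wiki-generated URL, in which case this is moot, but a comment on the `#set` line would record the assumption: `## $dependencyURL must stay a wiki-generated URL: XML escaping only covers attribute breakout, not the URL scheme`. The `$services.localization.render('extensions.info.dependency.wiki', ["#wikiHomePageLink($extensionNamespace)"])` line a few lines below still passes the namespace through unescaped; whether `$extensionNamespace` can be request-derived is not visible here. Both `#displayExtensionName` and the macro enclosing the second hunk start before their hunks, so any other output branches in them are outside this review.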
    
  • xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/job_status_json.vm+1 1 modified
    @@ -29,6 +29,6 @@
     #else
       $response.setStatus(404)
       <div class="box errormessage">
    -    $services.localization.render("${translationPrefix}.notFound")
    +    $escapetool.xml($services.localization.render("${translationPrefix}.notFound"))
       </div>
     #end
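Review bot: Escaping the rendered message is the right fix for the reflected value, but `${translationPrefix}` is still taken straight from the request (the new test drives it via `stubRequest`), so the template resolves whatever translation key the caller names and echoes it when nothing matches. Restricting the prefix to the handful of values the job UI actually uses would shrink that surface; until then a comment on the escaped line such as `## translationPrefix is request-controlled: always escape, the key itself is echoed when the translation is missing` documents why the call is wrapped. One caveat worth checking against the message bundles: if any `*.notFound` translation deliberately carries markup, `$escapetool.xml` now renders it literally. The `#if` this `#else` belongs to starts outside the hunk.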
    \ No newline at end of file
    
  • xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/test/java/org/xwiki/web/DistributionPageTest.java+81 0 added
    @@ -0,0 +1,81 @@
    +/*
    + * See the NOTICE file distributed with this work for additional
    + * information regarding copyright ownership.
    + *
    + * This is free software; you can redistribute it and/or modify it
    + * under the terms of the GNU Lesser General Public License as
    + * published by the Free Software Foundation; either version 2.1 of
    + * the License, or (at your option) any later version.
    + *
    + * This software is distributed in the hope that it will be useful,
    + * but WITHOUT ANY WARRANTY; without even the implied warranty of
    + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
    + * Lesser General Public License for more details.
    + *
    + * You should have received a copy of the GNU Lesser General Public
    + * License along with this software; if not, write to the Free
    + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
    + * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
    + */
    +package org.xwiki.web;
    +
    +import javax.inject.Inject;
    +import javax.inject.Named;
    +
    +import org.junit.jupiter.api.BeforeEach;
    +import org.junit.jupiter.api.Test;
    +import org.xwiki.extension.DefaultExtensionDependency;
    +import org.xwiki.extension.ExtensionDependency;
    +import org.xwiki.extension.script.ExtensionManagerScriptService;
    +import org.xwiki.extension.version.internal.DefaultVersionConstraint;
    +import org.xwiki.script.service.ScriptService;
    +import org.xwiki.template.TemplateManager;
    +import org.xwiki.test.junit5.mockito.MockComponent;
    +import org.xwiki.test.page.PageTest;
    +
    +import static org.hamcrest.MatcherAssert.assertThat;
    +import static org.hamcrest.Matchers.containsString;
    +import static org.mockito.Mockito.doReturn;
    +import static org.mockito.Mockito.when;
    +
    +/**
    + * Page test for {@code distribution.vm}.
    + *
    + * @version $Id$
    + */
    +class DistributionPageTest extends PageTest
    +{
    +    @MockComponent(classToMock = ExtensionManagerScriptService.class)
    +    @Named("extension")
    +    private ScriptService extensionManagerScriptService;
    +
    +    @Inject
    +    private TemplateManager templateManager;
    +
    +    @BeforeEach
    +    void setUp() throws Exception
    +    {
    +        doReturn("test").when(this.oldcore.getSpyXWiki()).getUserPreference("colorTheme", this.context);
    +    }
    +
    +    @Test
    +    void nonExistingExtensionRequest() throws Exception
    +    {
    +        String testValue = "<test>";
    +        this.stubRequest.put("extensionId", testValue);
    +        this.stubRequest.put("extensionVersionConstraint", testValue);
    +
    +        ExtensionDependency dependency =
    +            new DefaultExtensionDependency(testValue, new DefaultVersionConstraint(testValue));
    +
    +        ExtensionManagerScriptService service = (ExtensionManagerScriptService) this.extensionManagerScriptService;
    +        when(service.createExtensionDependency(testValue, testValue)).thenReturn(dependency);
    +
    +        String output = this.templateManager.render("distribution.vm");
    +
    +        assertThat(output, containsString("""
    +            <div class="dependency-item extension-item-unknown">
    +                <span class="extension-name">&#60;test&#62;</span><span
    +                      class="extension-version">&#60;test&#62;</span>"""));
    +    }
    +}
    
  • xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/test/java/org/xwiki/web/JobStatusJSONPageTest.java+54 0 added
    @@ -0,0 +1,54 @@
    +/*
    + * See the NOTICE file distributed with this work for additional
    + * information regarding copyright ownership.
    + *
    + * This is free software; you can redistribute it and/or modify it
    + * under the terms of the GNU Lesser General Public License as
    + * published by the Free Software Foundation; either version 2.1 of
    + * the License, or (at your option) any later version.
    + *
    + * This software is distributed in the hope that it will be useful,
    + * but WITHOUT ANY WARRANTY; without even the implied warranty of
    + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
    + * Lesser General Public License for more details.
    + *
    + * You should have received a copy of the GNU Lesser General Public
    + * License along with this software; if not, write to the Free
    + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
    + * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
    + */
    +package org.xwiki.web;
    +
    +import javax.inject.Inject;
    +
    +import org.junit.jupiter.api.Test;
    +import org.xwiki.template.TemplateManager;
    +import org.xwiki.test.page.PageTest;
    +
    +import static org.hamcrest.MatcherAssert.assertThat;
    +import static org.hamcrest.Matchers.equalToCompressingWhiteSpace;
    +
    +/**
    + * Page test for {@code job_status_json.vm}.
    + *
    + * @version $Id$
    + */
    +class JobStatusJSONPageTest extends PageTest
    +{
    +    @Inject
    +    private TemplateManager templateManager;
    +
    +    @Test
    +    void nonExistingJob() throws Exception
    +    {
    +        this.stubRequest.put("jobId", "<test>");
    +        this.stubRequest.put("translationPrefix", "<test>");
    +
    +        String output = this.templateManager.render("job_status_json.vm");
    +
    +        assertThat(output, equalToCompressingWhiteSpace("""
    +            <div class="box errormessage">
    +            &#60;test&#62;.notFound
    +            </div>"""));
    +    }
    +}
    
