This issue has been created
There are 7 updates.
This issue has been moved to XWiki Commons project.
 
 
XWiki Commons / XCOMMONS-3424 Open

$jsontool and $escapetool does not escape < to allow safe usage in <script> tags on XWiki 16.10.11

 
 

Issue created

 
Ilie Andriuta created this issue on 17/Sep/25 12:31
 
Summary: $jsontool and $escapetool does not escape < to allow safe usage in <script> tags on XWiki 16.10.11
Issue Type: Bug
Affects Versions: 16.10.11
Assignee: Unassigned
Attachments: XWiki_16_10_11_no_text_displayed.png
Components: Velocity
Created: 17/Sep/25 12:31
Environment: Windows 11 Pro, Edge 140, using an instance of XWiki 16.10.11 on MySQL 9.3, Tomcat 9.0.108
Priority: Major
Reporter: Ilie Andriuta
Description:

Steps to reproduce

  1. Start an instance of XWiki 16.10.11
  2. Create a page with the following content:
    {{velocity}}{{html}}
    <script>$jsontool.serialize({
      'closeComment': '-->',
      'closeScript': '</script>',
      'openComment': '<!--',
      'openScript': '<script>'
    });
    '$escapetool.javascript('<!--')';
    </script>
    <h1>Success! 🎉</h1>
    {{/html}}{{/velocity}}
  3. Save the page

Expected results

The text "Success! 🎉" is displayed on the page, the XWiki UI is normally displayed.

Actual results

Nothing is displayed on the page. Both Panels and footer are missing as well.

The issue could not be reproduced on XWiki 17.8.0 RC1, one of the Fix Versions of XCOMMONS-3410.
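
Why an unescaped < inside an inline <script> can leave the page blank, shown with a simplified model of the HTML parser's script states. This is an added JavaScript example, not part of the issue and not XWiki's code; scriptSafeJson, scriptEnd and render are hypothetical names, and the rendered body is a constructed stand-in for the Velocity output.

```javascript
// Added illustration: hypothetical names, not XWiki's implementation.

// Serialize for an inline <script>: "<" becomes \u003c, which JSON and JavaScript
// decode back to "<", so the value is unchanged but no markup reaches the parser.
function scriptSafeJson(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c");
}

// Simplified model of the HTML tokenizer's script-data states. Given the text
// that follows an opening <script> tag, return the index where the element
// ends, or -1 if it is still open at end of input.
function scriptEnd(body) {
  const isTag = (i, name) =>
    body.slice(i, i + name.length).toLowerCase() === name &&
    /[\t\n\f\r \/>]/.test(body[i + name.length] || "");
  let state = "data"; // "data" -> "escaped" (after <!--) -> "double" (after <script)
  for (let i = 0; i < body.length; i++) {
    if (state !== "data" && body.startsWith("-->", i)) {
      state = "data";
      i += 2;
    } else if (state === "data" && body.startsWith("<!--", i)) {
      state = "escaped";
      i += 1; // keep the two dashes in view so "<!-->" closes immediately
    } else if (state === "escaped" && isTag(i, "<script")) {
      state = "double";
    } else if (isTag(i, "</script")) {
      if (state !== "double") return i; // real end of the element
      state = "escaped"; // only leaves the nested level
    }
  }
  return -1;
}

// Constructed stand-in for the rendered page body after the opening <script>.
function render(serialize, values) {
  return serialize(values) + ";\n" + serialize("<!--") + ";\n</script>\n<h1>Success!</h1>";
}

// Constructed sample values, mirroring the strings used in the reproduction steps.
const reproValues = { closeComment: "-->", closeScript: "</script>", openComment: "<!--", openScript: "<script>" };
const nestedValues = { openComment: "<!--", openScript: "<script>" };

console.log("unescaped, repro values:", scriptEnd(render(JSON.stringify, reproValues)));
console.log("unescaped, <!-- then <script>:", scriptEnd(render(JSON.stringify, nestedValues)));
console.log("escaped, repro values:", scriptEnd(render(scriptSafeJson, reproValues)));
```

Without escaping, the element either ends inside the string literal or never ends at all, so the markup after it is not rendered as intended; with < escaped, it ends at the genuine closing tag.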

 
 

7 updates

 
Changes by Ilie Andriuta on 17/Sep/25 12:32
 
Version: 16.10.11
Version: 16.10.11
Project: XWiki Platform → XWiki Commons
Component: Velocity
Component: Velocity
Key: XWIKI-23533 → XCOMMONS-3424