Implement new macros whose content is HTML or XWiki syntax, extended to allow short scripts in certain places such as parameters, similar to [Thymeleaf|https://www.thymeleaf.org/]. The main difference from the existing Velocity macro is that these new macros automatically escape the result of each script according to the context in which it appears. This is possible because the HTML or XWiki syntax is parsed before the scripts are executed, so the escaping context (for example a text node versus an attribute value) is already known when a script result is inserted. This makes the new templates easier to use and prevents the injection issues (notably XSS) that arise when script output is inserted unescaped.
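To make the contextual-escaping idea concrete, the following is an added illustration, not XWiki code and not the proposed macro implementation: a toy template engine in Python that parses the HTML first and only then substitutes a hypothetical `${name}` placeholder, so each value is escaped for the context the parser found it in (text node, plain attribute, URL attribute). It is shown next to a Velocity-style renderer that substitutes blindly. The placeholder syntax, the list of URL attributes, the scheme allow-list and the sample values are all assumptions made for this example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical placeholder syntax for this illustration: ${name}
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# Attributes whose value is a URL and therefore also needs a scheme check (assumption)
URL_ATTRS = {"href", "src", "action", "formaction"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def render_unsafe(template, values):
    """Velocity-style behaviour: plain text substitution, no escaping at all."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


class ContextualTemplate(HTMLParser):
    """Parses the markup first, then fills placeholders, escaping each value
    for the context the parser found it in. Toy implementation, not XWiki's."""

    def __init__(self, template):
        super().__init__(convert_charrefs=False)  # keep authored entities verbatim
        self.template = template
        self.values = {}
        self.out = []
        self.in_raw_text = False  # inside <script> or <style>

    def render(self, values):
        self.values = values
        self.out = []
        self.feed(self.template)
        self.close()
        return "".join(self.out)

    # -- text nodes: HTML body escaping ---------------------------------
    def handle_data(self, data):
        if self.in_raw_text and PLACEHOLDER.search(data):
            # <script>/<style> bodies need JS/CSS escaping rules; this toy
            # refuses rather than guessing, which is the safe default.
            raise ValueError("placeholder inside <script>/<style> is not supported")
        self.out.append(PLACEHOLDER.sub(
            lambda m: html.escape(str(self.values[m.group(1)])), data))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    # -- tags: attribute escaping, plus scheme check in URL position ----
    def _attr(self, name, value):
        if value is None:
            return name
        if PLACEHOLDER.search(value):
            filled = PLACEHOLDER.sub(lambda m: str(self.values[m.group(1)]), value)
            if name in URL_ATTRS and urlsplit(filled).scheme not in SAFE_SCHEMES:
                filled = "#"  # refuse javascript:, data:, vbscript: ... from dynamic data
        else:
            filled = value  # static author text (parser already unescaped it)
        return f'{name}="{html.escape(filled, quote=True)}"'

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag] + [self._attr(n, v) for n, v in attrs]
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))
        if tag in ("script", "style"):
            self.in_raw_text = True

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
        if tag in ("script", "style"):
            self.in_raw_text = False

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def render_safe(template, values):
    return ContextualTemplate(template).render(values)


TEMPLATE = '<a href="${url}" title="${title}">${name}</a>'

# Constructed attacker-controlled values; each one targets a different context.
EVIL = {
    "url": "javascript:alert(1)",
    "title": '" onmouseover="alert(1)',
    "name": "<script>alert(1)</script>",
}

if __name__ == "__main__":
    print(render_unsafe(TEMPLATE, EVIL))  # three working injections
    print(render_safe(TEMPLATE, EVIL))    # all three neutralised
```

The point of the example is that the template author never chooses an escaping function: the parser decides, from where the placeholder sits, whether body escaping, attribute escaping or a URL scheme check applies. Contexts the toy cannot escape correctly (script and style bodies) are rejected instead of being passed through, which is the behaviour a secure-by-default engine should have for any context it does not understand.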
More details and the discussion so far are on the [forum|https://forum.xwiki.org/t/secure-by-default-templates/10420]; [the design page|https://design.xwiki.org/xwiki/bin/view/Proposal/SecurebyDefaultScripting] summarizes the proposal. |
|