Re: [xwiki-devs] new rendering syntax concerning Groovy

Hi Pascal, Let's analyse the way it currently works in the new rendering. Let's take velocity first: {{velocity}} ... velocity code here... {{include document="..."/}} ... velocity code here... {{/velocity}} These are the steps that are executed: 1/ The whole text is parsed using the wiki syntax parser. This generates an XDOM object containing a single MacroBlock wrapping the velocity macro. 2/ When it's rendered, the Macroblock executes, finds the velocity macro and executes it. 3/ velocity is run on the part inside the velocity macro. 4/ the wiki syntax parser is then executed on the part on which velocity has been executed. This means that the macros inside the velocity block are now executed. This means the include macro is executed. If it contains velocity code it'll be parsed as a standard paragraph text and all special characters are escaped. So if you have velocity script in the document you're including for example it'll be displayed as is without being executed. You'd need to have the velocity macro wrapping it in the document to include for it to be executed. Thus I don't think we have any security issue here. Now let's look at groovy. The macro is not written yet but I think it'll work like what is described below. First the following is NOT valid: {{groovy}} ... groovy code here... {{include document="..."/}} ... groovy code here... {{/velocity}} Groovy will execute on the part inside the groovy macro and will fail on the {{include}} part I think since it's not valid groovy syntax. Now the groovy code could do something like out.println("{{include document='...'/}}") In this case the resulting macro will get executed (since the logic is that the new rendering uses the MacroTransformation to execute the macros and this transformation continues to execute till there's no more macro to execute). Now if the included document contains groovy code not inside a groovy macro nothing will happen and the code will be printed as standard text (no groovy execution). If it's inside a groovy macro then it'll get executed but only once since the groovy macro in the page doing the include will have already executed. To summarize, I think the fact that outside macros execute before nested macros prevents dangerous things to happen in general. Now I haven't analysed all cases yet so if you see something dangerous please let me know so that I can fix it while it's possible. To answer your question Pascal, you would write: {{groovy}} ... some groovy code... {{/groovy}} {{include document="... page containing a groovy macro..." context="current"/}} Let me know if I missed something. Thanks -Vincent On Aug 5, 2008, at 9:36 AM, Pascal Voitot wrote: