From 2fc20891e6c6b0ca05ee07e315e7f435e8919f8d Mon Sep 17 00:00:00 2001 From: Michael Hamann <michael.hamann@xwiki.com> Date: Wed, 29 Jun 2022 17:07:39 +0200 Subject: [PATCH] XWIKI-19857: Modernize the menu macro and add escaping --- .../src/main/resources/Menu/MenuMacro.xml | 53 +++++++++++++------ 1 file changed, 38 insertions(+), 15 deletions(-) diff --git a/xwiki-platform-core/xwiki-platform-menu/xwiki-platform-menu-ui/src/main/resources/Menu/MenuMacro.xml b/xwiki-platform-core/xwiki-platform-menu/xwiki-platform-menu-ui/src/main/resources/Menu/MenuMacro.xml index c3a7279b035..40dcff19d23 100755 --- a/xwiki-platform-core/xwiki-platform-menu/xwiki-platform-menu-ui/src/main/resources/Menu/MenuMacro.xml +++ b/xwiki-platform-core/xwiki-platform-menu/xwiki-platform-menu-ui/src/main/resources/Menu/MenuMacro.xml @@ -20,7 +20,7 @@ * 02110-1301 USA, or see the FSF site: http://www.fsf.org. --> -<xwikidoc version="1.3" reference="Menu.MenuMacro" locale=""> +<xwikidoc version="1.5" reference="Menu.MenuMacro" locale=""> <web>Menu</web> <name>MenuMacro</name> <language/> @@ -41,15 +41,21 @@ = Horizontal Menu = {{velocity}} +#set ($menuTemplateDoc = $xwiki.getDocument('MenuTemplate')) {{code language="none"}} {{menu type="horizontal fixedWidth"}} -$xwiki.getDocument('MenuTemplate').content +## No way to escape content in the code macro, so just remove {, see https://jira.xwiki.org/browse/XRENDERING-13. +$menuTemplateDoc.content.replace('{', '') {{/menu}} {{/code}} {{/velocity}} {{menu type="horizontal fixedWidth"}} -{{include reference="MenuTemplate" /}} +{{velocity}} +## Include the content of the menu template. +## Escape {{ in the rendered content to be sure that the HTML macro is not closed unintentionally. +{{html}}$menuTemplateDoc.displayDocument().replace('{{', '&amp;#123;&amp;#123;'){{/html}} +{{/velocity}} {{/menu}} = Vertical Menu = 
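Review bot: `$menuTemplateDoc` is dereferenced without a null check, both in `$menuTemplateDoc.content.replace('{', '')` and in the `{{html}}$menuTemplateDoc.displayDocument()…{{/html}}` line, which is repeated in the vertical-menu hunk at -63. If `$xwiki.getDocument('MenuTemplate')` returns null, which I believe it does when the current user cannot view that page, Velocity prints the reference source verbatim into the code sample and into the HTML macro. Wrapping the uses in `#if ($menuTemplateDoc)` … `#end` would keep the page readable in that case. The comment above the `{{html}}` line could also say that `&amp;#123;` is the XML-export form of `&#123;`, because the double encoding is easy to misread as a mistake.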
@@ -63,7 +69,11 @@ {{/velocity}} {{menu type="vertical"}} -{{include reference="MenuTemplate" /}} +{{velocity}} +## Include the content of the menu template. +## Escape {{ in the rendered content to be sure that the HTML macro is not closed unintentionally. +{{html}}$menuTemplateDoc.displayDocument().replace('{{', '&amp;#123;&amp;#123;'){{/html}} +{{/velocity}} {{/menu}}</content> <object> <name>Menu.MenuMacro</name> @@ -962,7 +972,7 @@ <displayFormType>select</displayFormType> <displayType/> <name>async_cached</name> - <number>12</number> + <number>13</number> <prettyName>Cached</prettyName> <unmodifiable>0</unmodifiable> <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> @@ -975,14 +985,14 @@ <largeStorage>0</largeStorage> <multiSelect>1</multiSelect> <name>async_context</name> - <number>13</number> + <number>14</number> <prettyName>Context elements</prettyName> <relationalStorage>0</relationalStorage> - <separator> </separator> + <separator>, </separator> <separators>|, </separators> <size>5</size> <unmodifiable>0</unmodifiable> - <values>doc.reference=Document|icon.theme=Icon theme|locale=Language|request.base=Request base URL|request.parameters=Request parameters|request.url=Request URL|request.wiki=Request wiki|user=User|wiki=Wiki</values> + <values>action=Action|doc.reference=Document|icon.theme=Icon theme|locale=Language|rendering.defaultsyntax=Default syntax|rendering.restricted=Restricted|rendering.targetsyntax=Target syntax|request.base=Request base URL|request.cookies|request.parameters=Request parameters|request.url=Request URL|request.wiki=Request wiki|user=User|wiki=Wiki</values> <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> </async_context> <async_enabled> 
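Review bot: `$menuTemplateDoc` is used in this `{{velocity}}` block but assigned only by the `#set` in the horizontal-menu section, so the vertical example works only while both blocks stay on the same page in that order. A one-line comment such as `## $menuTemplateDoc is set in the first velocity block of this page.` would make that dependency visible. Separately, the vertical code sample just above this hunk is not part of the diff, so it presumably still prints `$xwiki.getDocument('MenuTemplate').content` without the `replace('{', '')` that the horizontal sample now gets. If that is the case, the two samples should be filtered the same way.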
@@ -991,7 +1001,7 @@ <displayFormType>select</displayFormType> <displayType/> <name>async_enabled</name> - <number>11</number> + <number>12</number> <prettyName>Asynchronous rendering</prettyName> <unmodifiable>0</unmodifiable> <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> @@ -1096,6 +1106,16 @@ <unmodifiable>0</unmodifiable> <classType>com.xpn.xwiki.objects.classes.StringClass</classType> </name> + <priority> + <disabled>0</disabled> + <name>priority</name> + <number>11</number> + <numberType>integer</numberType> + <prettyName>Priority</prettyName> + <size>10</size> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.NumberClass</classType> + </priority> <supportsInlineMode> <disabled>0</disabled> <displayFormType>select</displayFormType> @@ -1149,7 +1169,7 @@ (% role="navigation" class="menu-horizontal-toggle" %)((( (% class="navbar-header" %)((( {{html}} - <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#$!{id}" aria-expanded="false"> + <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#$!{escapetool.xml($id)}" aria-expanded="false"> <span class="sr-only"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> @@ -1157,13 +1177,13 @@ </button> {{/html}} ))) - (% id="${id}" class="menu menu-$!type collapse navbar-collapse" %)((( - $xcontext.macro.content + (% id="$!{services.rendering.escape($id, 'xwiki/2.1')}" class="menu menu-${services.rendering.escape($!type, 'xwiki/2.1')} collapse navbar-collapse" %)((( + {{wikimacrocontent/}} ))) ))) #else - (% #if ("$!id" != '') id="$id"#end class="menu menu-$!type" %)((( - $xcontext.macro.content + (% #if ("$!id" != '') id="${services.rendering.escape($id, 'xwiki/2.1')}"#end class="menu menu-${services.rendering.escape($!type, 'xwiki/2.1')}" %)((( + {{wikimacrocontent/}} ))) #end {{/velocity}}</code> 
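Review bot: When the macro is called without an id, `data-target="#$!{escapetool.xml($id)}"` still renders as a bare `#`, and the matching wrapper in the next hunk gets `id=""`, so the toggle has nothing valid to target. The `#else` branch already guards its id with `#if ("$!id" != '')`, but this branch has no equivalent check or fallback id. A short Velocity comment would also help here, for example `## Inside {{html}}: escape for an HTML attribute, not for wiki syntax.`, since the two escaping calls in this macro are not interchangeable. The enclosing `#if` starts outside the hunk.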
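Review bot: The quiet marker for `type` ended up on the argument instead of the outer reference in `menu-${services.rendering.escape($!type, 'xwiki/2.1')}`, in both the horizontal and the `#else` wrapper lines. `$!` has no effect in argument position, so if `escape` returns null for a missing `type` (not confirmed from this hunk), the literal reference text lands in the `class` attribute, where the old `$!type` printed nothing. Writing it as `menu-$!{services.rendering.escape($type, 'xwiki/2.1')}` matches the `id` attribute on the same line and keeps the previous behaviour for an empty type.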
@@ -1172,7 +1192,7 @@ <contentDescription>Define the menu structure using wiki syntax. Each menu item should be a list item and should contain the menu item label or link. You can use nested lists for sub-menu items.</contentDescription> </property> <property> - <contentJavaType/> + <contentJavaType>Wiki</contentJavaType> </property> <property> <contentType>Mandatory</contentType> @@ -1189,6 +1209,9 @@ <property> <name>Menu</name> </property> + <property> + <priority/> + </property> <property> <supportsInlineMode>0</supportsInlineMode> </property> -- GitLab