XWIKI-17374: Fix escaping in property displayer

xwiki · Aug 26, 2020 · f0a446f · f0a446f
1 parent 8ceb9cc
commit f0a446f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 10 deletions.
diff --git a/xwiki-platform-core/xwiki-platform-web/src/main/webapp/resources/js/xwiki/xwiki.js b/xwiki-platform-core/xwiki-platform-web/src/main/webapp/resources/js/xwiki/xwiki.js
@@ -252,11 +252,9 @@ Object.extend(XWiki, {
                         }
                       });
 
-                      // jQuery's html() is used instead of prototype's update to avoid the undesired
-                      // interpretation of the innerHTML during the dom update.  
-                      require(['jquery'], function ($) {
-                        $("#" + extraID + "pane").html(container.innerHTML);
-                      });
+                      // Replace the element's content with the temporary container's content, while also evaluating any inline scripts.
+                      // Note: This also allows script tag defined in the update html to be loaded.
+                      $(extraID + "pane").update(container.descendants()[0]);
 
                       // Notify the others that the DOM has been updated.
                       document.fire('xwiki:dom:updated', {elements: [$(extraID + 'pane')]});

diff --git a/xwiki-platform-core/xwiki-platform-web/src/main/webapp/templates/macros.vm b/xwiki-platform-core/xwiki-platform-web/src/main/webapp/templates/macros.vm
@@ -387,19 +387,18 @@ $xwiki.getUserName("xwiki:${username}")
   #end
   #if(!$picturelist.containsKey("${username}--${size}"))
     #getUserAvatarURL($username $avatarURL $size)
-    #set ($userName = $xwiki.getUserName($username, false))
     #if ($avatarURL.specified)
       #set ($picture = "<img src='")
       #set ($picture = $picture.concat($escapetool.xml($avatarURL.url)))
       #set ($picture = $picture.concat("' alt='"))
-      #set ($picture = $picture.concat($userName))
+      #set ($picture = $picture.concat(${xwiki.getUserName($username, false)}))
       #set ($picture = $picture.concat("' title='"))
-      #set ($picture = $picture.concat($userName))
+      #set ($picture = $picture.concat(${xwiki.getUserName($username, false)}))
       #set ($picture = $picture.concat("'/>"))
     #else
       #set ($picture = "<img class='avatar avatar_${escapetool.xml(${size})}' src='")
       #set ($picture = $picture.concat($avatarURL.url))
-      #set ($picture = $picture.concat("' alt='$userName' title='$userName'/>"))
+      #set ($picture = $picture.concat("' alt='${xwiki.getUserName($username, false)}' title='${xwiki.getUserName($username, false)}'/>"))
     #end
     #set ($discard = $!picturelist.put("${username}--${size}", $picture))
   #end
@@ -2911,4 +2910,4 @@ Recursive title display detected!##
     </span>
     <a href="$xwiki.getURL($docReference)">$escapetool.xml($docReference.name)</a>
   </div>
-#end
+#end