Changes for page Release Notes for XWiki Enterprise 2.4
Last modified by Thomas Mortagne on 2023/10/13
From version 19.1
edited by Sergiu Dumitriu
on 2010/07/22
Change comment:
Warn about deferred scripts
To version 20.1
edited by Sergiu Dumitriu
on 2010/07/22
Change comment:
Warn about nested script macros
Summary
Page properties (1 modified, 0 added, 0 removed)
Details
- Page properties
- Content
... ... @@ -210,6 +210,26 @@ 210 210 211 211 This might break custom scripts, please check the correct behavior before upgrading a production server. Use Firebug in Firefox to catch errors, watch the error console, configure IE to notify all script errors. 212 212 213 +=== Nested script macros are forbidden === 214 + 215 +Now it's impossible to nest scripting macros, which is a good protection against many potential attacks. While the obvious case of direct nesting is easy to notice, there are other cases which are not as obvious: 216 + 217 +{{code}} 218 +{{velocity}} 219 +{{include document="Some Document With Scripts" /}} 220 +{{/velocity}} 221 +{{/code}} 222 + 223 +If the included document contains script macros, they will no longer be executed. 224 + 225 +{{code}} 226 +{{velocity}} 227 +$doc.display('someProperty') 228 +{{/velocity}} 229 +{{/code}} 230 + 231 +If the property contains script macros, for example the content of a blog post, they will no longer be executed. 232 + 213 213 == General Notes == 214 214 215 215 {{warning}}
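Review bot: In the added "Nested script macros are forbidden" section, both examples end with "they will no longer be executed" but never say what is rendered in their place (an error, the raw macro source, or nothing), so someone following the preceding advice to check behavior before upgrading a production server cannot tell what an affected page looks like. State the visible result after each example and, if one exists, the supported way to get the previous output. The phrase "a good protection against many potential attacks" is also too vague for a release note; name the case the blog post example implies, where stored property or included content containing script macros was previously evaluated when displayed from inside a velocity macro. Wording nit on the first sentence: "Now it's impossible to nest scripting macros" reads more clearly as "Script macros can no longer be nested", and the section should use one term, "script macros" or "scripting macros", throughout.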