Changes for page LiveTable View Sheet
Last modified by Martin Výlet on 19.03.2025 21:26
From version 3.1
edited by Administrator
on 21.07.2023 12:40
Change comment:
Install extension [org.xwiki.platform:xwiki-platform-appwithinminutes-ui/15.5]
To version 2.1
edited by superadmin
on 06.01.2023 13:11
Change comment:
Install extension [org.xwiki.platform:xwiki-platform-appwithinminutes-ui/14.10.2]
Summary
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Author
... ... @@ -1,1 +1,1 @@ 1 -XWiki. xwikiadm1 +XWiki.superadmin - Content
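Review bot: the Author property hunk (`-XWiki.xwikiadm1 +XWiki.superadmin`) is an effective-privilege change, not just metadata: the comment added in the Content hunk of this same diff states that content is executed "with the rights of the sheet", and the sheet's rights are those of its author, so every script in this sheet now runs as superadmin. The change comment ("Install extension ...") should say so explicitly, and the reviewer should confirm that an author with fewer rights would not have been sufficient for the live table.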
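Review bot: in the Content hunk, the trailing `.replace('{{', '{{')` on new lines 22-23 is, as displayed here, an identity replacement, so it does not do what the comment on line 21 ("Escape {{ in the rendered content to be sure that the HTML macro is not closed unintentionally") promises: a `{{/html}}` in the user-editable home page content would still close the macro and whatever follows it would be parsed as part of the sheet's own content. If the real replacement string is an HTML entity that this rendering has decoded, write it in a form that survives display, e.g. `.replace('{{', '&#123;&#123;')`, and keep a test page whose content contains `{{/html}}` to confirm the escape holds.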
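Review bot: the third hunk drops `'form_token': $services.csrf.token` from `$params` (old line 63) without replacing it, and the remaining keys (`'template': "${className}Template"`, `'title': '__entryName__'`, `'parent': ...`) look like the inputs of a create-entry request rather than of the read-only live table. If that request is state-changing it now leaves this map without a CSRF token, so the change should state where the token is supplied instead (for example by the create form at submit time) or keep the entry; if the map only feeds the live table, a one-line comment saying so would make the removal reviewable.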
... ... @@ -11,8 +11,16 @@ 11 11 ## Display the live table only if it was generated. 12 12 #if ($doc.content.length() > 0) 13 13 = $services.localization.render('platform.appwithinminutes.appLiveTableHeading') = 14 - 15 - {{include reference="" author="target"/}} 14 + ## We don't use the Include macro (with empty reference) because we want the content to be executed with the rights 15 + ## of the current document rather than the rights of the sheet. This is important because the user can modify the 16 + ## content of the application home page which means we could execute untrusted content with the rights of the sheet. 17 + ## Ideally we should use the Display macro with a parameter to disable the sheet, but we don't have this parameter. 18 + ## We don't clean the HTML content because getRenderedContent() should produce clean HTML, unless the user has 19 + ## disabled the HTML cleaning, in which case he will get what he asked for. Note that one good reason to disable 20 + ## HTML cleaning is to preserve the whitespaces in the attribute values. 21 + ## Escape {{ in the rendered content to be sure that the HTML macro is not closed unintentionally. 22 + {{html clean="false"}}$doc.getRenderedContent($doc.content, 23 + $doc.syntax.toIdString()).replace('{{', '{{'){{/html}} 16 16 #end 17 17 #end 18 18 ... ... @@ -60,7 +60,6 @@ 60 60 #end 61 61 ## We need to set the title if we want to be able to sort or filter the doc.title live table column. 62 62 #set ($params = { 63 - 'form_token': $services.csrf.token, 64 64 'template': "${className}Template", 65 65 'title': '__entryName__', 66 66 'parent': $services.model.serialize($doc.documentReference, 'local')