Enabling Nested Scripts

anubis2k9 · August 12, 2024, 7:55pm

I stumbled upon some documentation on the xwiki site that says if you can in fact enable nested scripts:

" Nested scripts present a serious security risk, because they can be used to bypass security checks. We strongly advise to write your scripts so that the data is passed through variables. If you really need the old behavior, you can remove NestedScriptMacroValidator from components.txt in xwiki-rendering-macro-script component."

from:

https://extensions.xwiki.org/xwiki/bin/view/Extension/Script%20Macro#HNestedscripts

I could not find a “components.txt” file; the only reference I could discover was in the github for xwiki

github.com

xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-script/src/main/resources/META-INF/components.txt

org.xwiki.rendering.internal.macro.script.DefaultAttachmentClassLoaderFactory
org.xwiki.rendering.internal.macro.script.DefaultScriptMacro
org.xwiki.rendering.internal.macro.script.NestedScriptMacroValidatorListener
org.xwiki.rendering.internal.macro.script.PermissionCheckerListener
org.xwiki.rendering.internal.macro.script.ScriptClassLoaderHandlerListener
org.xwiki.rendering.internal.macro.script.DefaultScriptMacroPermissionPolicy
org.xwiki.rendering.internal.macro.script.source.ScriptMacroContentWikiSourceFactory

Is the nested script validator still something you can disable? Or is this an outdated post?

Thanks.

vmassol · December 24, 2024, 3:29pm

Yes it can be disabled but it’s not very easy. It’s there indeed: xwiki-platform/xwiki-platform-core/xwiki-platform-rendering/xwiki-platform-rendering-macros/xwiki-platform-rendering-macro-script/src/main/resources/META-INF/components.txt at master · xwiki/xwiki-platform · GitHub

I’ve updated the doc a bit, let me know if it’s more clear now. Thx