XWIKI-20259: Improve escaping in Notification Preferences Macros

xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsApplicationsPreferencesMacro.xml

@@ -982,7 +982,7 @@ require(['jquery', 'xwiki-meta', 'ApplicationWidget', 'xwiki-bootstrap-switch',
     #set ($targetUser = $xcontext.userReference)
     #set ($targetUserReference = $services.user.currentUserReference)
   #end
-  #set ($divData = "data-user=""$services.model.serialize($targetUser)""")
+  #set ($divData = "data-user=""$escapetool.xml($services.model.serialize($targetUser))""")
 #end
 #set ($userDoc = $xwiki.getDocument($targetUser))
 ######################################################

xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsAutoWatchPreferencesMacro.xml

@@ -391,7 +391,7 @@
   {{/error}}
 #elseif ($wikimacro.parameters.target == 'user' && "$!wikimacro.parameters.user" != "" && !$services.security.authorization.hasAccess('admin', $wikimacro.parameters.user.reference) && !$xcontext.userReference.equals($wikimacro.parameters.user.reference))
   {{error}}
-    {{translation key="notifications.settings.error.userReferenceAdminForbidden" parameters="$wikimacro.parameters.user" /}}
+    {{translation key="notifications.settings.error.userReferenceAdminForbidden" parameters="~"${services.rendering.escape($escapetool.java($wikimacro.parameters.user), 'xwiki/2.1')}~"" /}}
   {{/error}}
 #else
 #set ($discard = $xwiki.jsx.use('XWiki.Notifications.Code.NotificationsAutoWatchPreferencesMacro'))
@@ -403,7 +403,7 @@
 #set ($dataUser = "")
 #if ($wikimacro.parameters.target == 'user')
   #set ($mode = $services.notification.watch.getAutomaticWatchMode($targetUser))
-  #set ($dataUser = "data-user=""$services.model.serialize($targetUser)""")
+  #set ($dataUser = "data-user=""$escapetool.xml($services.model.serialize($targetUser))""")
 #else
   #set ($mode = $services.notification.watch.defaultAutomaticWatchMode)
 #end

xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsCustomFiltersPreferencesMacro.xml

@@ -1083,7 +1083,7 @@ require(['jquery', 'AddCustomNotificationFilterPreferenceLivetable', 'xwiki-boot
   #else
     #set ($targetUser = $xcontext.userReference)
   #end
-  #set ($divData = "data-doc-url=""$escapetool.xml($services.rest.url($targetUser))"" data-user=""$services.model.serialize($targetUser)""")
+  #set ($divData = "data-doc-url=""$escapetool.xml($services.rest.url($targetUser))"" data-user=""$escapetool.xml($services.model.serialize($targetUser))""")
 #end
 ######################################################
 ### CSS and JAVASCRIPTS

xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsEmailPreferencesMacro.xml

@@ -423,7 +423,7 @@
   {{/error}}
 #elseif ($wikimacro.parameters.target == 'user' && "$!wikimacro.parameters.user" != "" && !$services.security.authorization.hasAccess('admin', $wikimacro.parameters.user.reference) && !$xcontext.userReference.equals($wikimacro.parameters.user.reference))
   {{error}}
-    {{translation key="notifications.settings.error.userReferenceAdminForbidden" parameters="$wikimacro.parameters.user" /}}
+    {{translation key="notifications.settings.error.userReferenceAdminForbidden" parameters="$~"${services.rendering.escape($escapetool.java($wikimacro.parameters.user), 'xwiki/2.1')}~"" /}}
   {{/error}}
 #else
 
@@ -434,7 +434,7 @@
   #end
   #set ($dataUser = "")
   #if ($wikimacro.parameters.target == 'user')
-    #set ($dataUser = "data-user=""$services.model.serialize($targetUser)""")
+    #set ($dataUser = "data-user=""$escapetool.xml($services.model.serialize($targetUser))""")
   #end
   #set ($discard = $xwiki.jsx.use('XWiki.Notifications.Code.NotificationsEmailPreferencesMacro'))
   {{html clean="false"}}

xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsFiltersPreferencesMacro.xml

@@ -1050,11 +1050,11 @@ require(['jquery', 'AddNotificationFilterPreferenceLivetable', 'xwiki-bootstrap-
 ## This should be improved later with such API.
 #elseif ("$!wikimacro.parameters.user" != "" && $wikimacro.parameters.user.class.simpleName != 'DocumentUserReference')
   {{error}}
-    This macro only allows to handle DocumentUserReference references and you specified a $wikimacro.parameters.user.class.simpleName reference.
+    This macro only allows to handle DocumentUserReference references and you specified a $services.rendering.escape($wikimacro.parameters.user.class.simpleName, 'xwiki/2.1') reference.
   {{/error}}
 #elseif ("$!wikimacro.parameters.user" != "" && !$services.security.authorization.hasAccess('admin', $wikimacro.parameters.user.reference) && !$xcontext.userReference.equals($wikimacro.parameters.user.reference))
   {{error}}
-    You don't have administration right on  $wikimacro.parameters.user.
+    You don't have administration right on $services.rendering.escape($wikimacro.parameters.user, 'xwiki/2.1').
   {{/error}}
 #else
 #set ($discard = $services.logging.deprecate("NotificationsFiltersPreferencesMacro", "This macro should not be used anymore in favor of SystemNotificationsFiltersPreferencesMacro and CustomNotificationsFiltersPreferencesMacro."))
@@ -1075,7 +1075,8 @@ require(['jquery', 'AddNotificationFilterPreferenceLivetable', 'xwiki-bootstrap-
 ### MACRO CONTENT
 ######################################################
 {{html clean="false"}}
-<div class="filterPreferences xform" data-user-url="$escapetool.xml($services.rest.url($targetUser))" data-user="$services.model.serialize($targetUser)">
+<div class="filterPreferences xform" data-user-url="$escapetool.xml($services.rest.url($targetUser))"
+  data-user="$escapetool.xml($services.model.serialize($targetUser))">
   <div class="row">
     <p class="xHint col-xs-12 col-sm-9 col-md-8 col-lg-9">
       $escapetool.xml($services.localization.render('notifications.settings.filters.preferences.hint'))
@@ -1109,7 +1110,8 @@ require(['jquery', 'AddNotificationFilterPreferenceLivetable', 'xwiki-bootstrap-
 ######################################################
 ### ADD FILTER MODAL
 ######################################################
-<div class="modal fade" tabindex="-1" role="dialog" id="modal-add-filter-preference" data-user="$services.model.serialize($targetUser)">
+<div class="modal fade" tabindex="-1" role="dialog" id="modal-add-filter-preference"
+  data-user="$escapetool.xml($services.model.serialize($targetUser))">
   <div class="modal-dialog" role="document">
     <div class="modal-content">
       <div class="modal-header">

xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationsSystemFiltersPreferencesMacro.xml

@@ -845,7 +845,7 @@ require(['jquery', 'xwiki-bootstrap-switch', 'xwiki-events-bridge'], function ($
   #else
     #set ($targetUser = $xcontext.userReference)
   #end
-  #set ($divData = "data-doc-url=""$escapetool.xml($services.rest.url($targetUser))"" data-user=""$services.model.serialize($targetUser)""")
+  #set ($divData = "data-doc-url=""$escapetool.xml($services.rest.url($targetUser))"" data-user=""$escapetool.xml($services.model.serialize($targetUser))""")
 #end
 ######################################################
 ### CSS and JAVASCRIPTS