Posted to commits@wicket.apache.org by "Emond Papegaaij (Jira)" <ji...@apache.org> on 2020/02/03 20:44:00 UTC

[jira] [Resolved] (WICKET-6732) CSP: inline JS in Link and ExternalLink

     [ https://issues.apache.org/jira/browse/WICKET-6732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emond Papegaaij resolved WICKET-6732.
-------------------------------------
    Fix Version/s: 9.0.0-M5
         Assignee: Emond Papegaaij
       Resolution: Fixed

> CSP: inline JS in Link and ExternalLink
> ---------------------------------------
>
>                 Key: WICKET-6732
>                 URL: https://issues.apache.org/jira/browse/WICKET-6732
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>    Affects Versions: 9.0.0-M4
>            Reporter: Emond Papegaaij
>            Assignee: Emond Papegaaij
>            Priority: Major
>             Fix For: 9.0.0-M5
>
>
> {{org.apache.wicket.markup.html.link.Link}} uses a lot of inline JS, like:
> {code:java}
> tag.put("onclick", popupSettings.getPopupJavaScript());
> {code}
> {code:java}
> tag.put(
> 	"onclick",
> 	"var win = this.ownerDocument.defaultView || this.ownerDocument.parentWindow; " +
> 		"if (win == window) { window.location.href='" +
> 		url + "'; } ;return false");
> {code}
> {code:java}
> // If the subclass specified javascript, use that
> final CharSequence onClickJavaScript = getOnClickScript(url);
> if (onClickJavaScript != null)
> {
> 	tag.put("onclick", onClickJavaScript);
> }
> {code}
> Similar code can be found in {{ExternalLink}}.
> Also take a look at {{AjaxFallbackLink}}. This class removes the onclick attribute from the {{Link}}, but that will not work if they are not added in the first place.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
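
The second inline handler quoted in the issue above, rewritten as a listener attached from an external script so that it still works under a policy such as `script-src 'self'`. This is an added example, not Wicket's code and not the change committed for WICKET-6732; `bindLinkNavigation`, `bindAll` and the `data-href` attribute are hypothetical names.

```javascript
// Added example. Assumed setup: the server renders <a data-href="..."> with no
// onclick attribute, and this file is loaded with <script src="...">.
// A policy of "script-src 'self'" (no 'unsafe-inline') blocks every on*
// attribute, and a nonce cannot be applied to an attribute, so the handler
// has to be registered from script that the policy already allows.

// Same logic as the quoted inline handler: navigate only when the element's
// own window is the current one, and always suppress the default action.
function bindLinkNavigation(element, url, currentWindow) {
  element.addEventListener("click", function (event) {
    const doc = element.ownerDocument;
    const win = doc.defaultView || doc.parentWindow;
    if (win === currentWindow) {
      // The URL arrives as a value; no script text is assembled from it.
      currentWindow.location.href = url;
    }
    // "return false" only cancels the event in an inline attribute handler;
    // a listener added with addEventListener must call preventDefault().
    event.preventDefault();
  });
}

// Attach the listener to every element the server marked with data-href.
// Returns the number of elements bound so a page test can assert on it.
function bindAll(root, currentWindow) {
  let bound = 0;
  for (const node of root.querySelectorAll("[data-href]")) {
    bindLinkNavigation(node, node.getAttribute("data-href"), currentWindow);
    bound++;
  }
  return bound;
}

// In a browser, wire up the current document; skipped outside a browser.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  bindAll(document, window);
}
```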