Posted to commits@wicket.apache.org by "Ramon van Sparrentak (JIRA)" <ji...@apache.org> on 2016/05/02 14:18:12 UTC
[jira] [Created] (WICKET-6155) Newline in ModalWindow title
Ramon van Sparrentak created WICKET-6155:
--------------------------------------------
Summary: Newline in ModalWindow title
Key: WICKET-6155
URL: https://issues.apache.org/jira/browse/WICKET-6155
Project: Wicket
Issue Type: Bug
Components: wicket-extensions
Affects Versions: 6.22.0
Reporter: Ramon van Sparrentak
Priority: Minor
Setting a newline (\n) in the title of ModalWindow crashes, because the newline is used unescaped in JavaScript (only HTML is escaped) and breaks the generated string literal.
Reproduction steps:
1. Create the modal-window example project.
2. Change the title:
    add(modal1 = new ModalWindow("modal1"));
    modal1.setTitle("modal title\n with newline");
3. Start the application and open the modal window.
Exception evaluating javascript: SyntaxError: unterminated string literal, text: (function(){var settings = new Object();
...
settings.cookieId="modal-1";
settings.title="modal title
with newline";
...
Note that the newline ends up unescaped. The string literal generation code is in getWindowOpenJavaScript#getWindowOpenJavaScript():
    String title = getTitle() != null ? getTitle().getObject() : null;
    if (title != null)
    {
        String escaped = getDefaultModelObjectAsString(title);
        appendAssignment(buffer, "settings.title", escaped);
    }
getDefaultModelObjectAsString does escape HTML (if flag is set), but does not escape the JavaScript.
Perhaps #appendAssignment() should escape the value?
Same for the characters \ and \r.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
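Added example, not part of the original report and not Wicket's code: the string-literal generation from the report modelled in JavaScript, with the unescaped form beside an escaped one, each evaluated the way the browser evaluates the generated script. The function names are hypothetical, and the escaper covers more than the characters named in the report (quotes, U+2028/U+2029 and "<" as well as \, \n and \r).

```javascript
// Added example; all function names are hypothetical, not Wicket API.

// Unescaped form: the value is placed between the quotes as-is,
// which is the behaviour the report describes for settings.title.
function buildAssignmentNaive(key, value) {
  return key + '="' + value + '";\n';
}

// Escape every character that can end or alter a JS string literal.
function escapeJsString(value) {
  const map = {
    '\\': '\\\\', '"': '\\"', "'": "\\'",
    '\n': '\\n', '\r': '\\r',
    '\u2028': '\\u2028', '\u2029': '\\u2029', // line terminators before ES2019
    '<': '\\u003C', // keeps "</script>" from closing an inline script block
  };
  return value.replace(/[\\"'\n\r\u2028\u2029<]/g, (c) => map[c]);
}

function buildAssignmentEscaped(key, value) {
  return key + '="' + escapeJsString(value) + '";\n';
}

// Parse and run the generated script; report the title or the error name.
function evaluate(assignment) {
  try {
    const fn = new Function(
      'var settings = new Object();\n' + assignment + 'return settings.title;'
    );
    return { ok: true, title: fn() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

const title = 'modal title\n with newline'; // title from the report
const tricky = 'a\\b\r\n"c"</script>';      // constructed sample

console.log(evaluate(buildAssignmentNaive('settings.title', title)));
console.log(evaluate(buildAssignmentEscaped('settings.title', title)));
console.log(evaluate(buildAssignmentEscaped('settings.title', tricky)));
```

The escaped output never contains a raw quote, backslash, line terminator or "<" inside the literal, so the value round-trips unchanged whatever the title contains.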