You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Andrew Kondratev (JIRA)" <ji...@apache.org> on 2019/07/17 02:30:00 UTC

[jira] [Created] (WICKET-6687) Cleanup the code from attribute inline styles and attribute inline scripts

Andrew Kondratev created WICKET-6687:
----------------------------------------

             Summary: Cleanup the code from attribute inline styles and attribute inline scripts
                 Key: WICKET-6687
                 URL: https://issues.apache.org/jira/browse/WICKET-6687
             Project: Wicket
          Issue Type: Improvement
          Components: wicket-core
            Reporter: Andrew Kondratev


Another issue for improving Wicket's Content Security Policy(CSP) compatibility is an  abundance of attribute inline styles and scripts, such as style="display: none", onclick="doSomething()", and href="javascript:doSomething();" all these could be easily replaced with appropriate nonced inline scripts and styles or references to predefined css classes and js functions.

h2. Examples

org.apache.wicket.ajax.markup.html.*AjaxLink*#onComponentTag : should rather completely remove the href, potentially some css class like `wicket-ajax-link` could be added
{code:java}
if (tagName.equalsIgnoreCase("a") || tagName.equalsIgnoreCase("link") ||
	tagName.equalsIgnoreCase("area"))
{
	// disable any href attr in markup
	tag.put("href", "javascript:;");
}
{code}

org.apache.wicket.*Component*#renderPlaceholderTag : should rather add some special css class, or javascript which can set display none programmatically (and can also be nonced)
{code:java}
response.write("<");
response.write(name);
response.write(" id=\"");
response.write(getAjaxRegionMarkupId());
response.write("\" style=\"display:none\" data-wicket-placeholder=\"\"></");
response.write(name);
response.write(">");
{code}
(org.apache.wicket.extensions.ajax.markup.html.AjaxIndicatorAppender#afterRender has the same issue)

org.apache.wicket.markup.html.form.Form#appendDefaultButtonField : this piece is just ridiculous to have in 2019
{code:java}
buffer.append(String.format("<div style=\"width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden\" class=\"%s\">", cssClass));
{code}

org.apache.wicket.markup.html.form.Form#appendDefaultButtonField
{code:java}
buffer.append(defaultSubmittingComponent.getInputName());
buffer.append("\" onclick=\" var b=document.getElementById('");
buffer.append(submittingComponent.getMarkupId());
{code}






--
This message was sent by Atlassian JIRA
(v7.6.14#76016)