Posted to commits@wicket.apache.org by "Thomas Aulinger (Created) (JIRA)" <ji...@apache.org> on 2011/11/11 15:14:51 UTC

[jira] [Created] (WICKET-4219) Enable markup escaping of WizardStep's labels by default due to security aspects

Enable markup escaping of WizardStep's labels by default due to security aspects
--------------------------------------------------------------------------------

                 Key: WICKET-4219
                 URL: https://issues.apache.org/jira/browse/WICKET-4219
             Project: Wicket
          Issue Type: Improvement
          Components: wicket-extensions
    Affects Versions: 1.5.3, 1.4.19
            Reporter: Thomas Aulinger


Markup escaping of the title and summary label in org.apache.wicket.extensions.wizard.WizardStep is disabled by default. This fact is not documented, and therefore there could be some security risk when their Models are generated from user input.
An improvement would be to enable markup escaping and let the user disable this on demand.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Resolved] (WICKET-4219) Enable markup escaping of WizardStep's labels by default due to security aspects

Posted by "Sven Meier (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sven Meier resolved WICKET-4219.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 6.0.0-beta2
         Assignee: Sven Meier

For security reasons the models are now escaped in Wicket 6 by default.

For 1.4.x and 1.5.x we can't change this, as this would break existing applications.

Developers needing to disable escaping of the labels (or more customization with a MultiLineLabel) can provide their own header component, see WizardStep#getHeader().
                
> Enable markup escaping of WizardStep's labels by default due to security aspects
> --------------------------------------------------------------------------------
>
>                 Key: WICKET-4219
>                 URL: https://issues.apache.org/jira/browse/WICKET-4219
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-extensions
>    Affects Versions: 1.4.19, 1.5.3
>            Reporter: Thomas Aulinger
>            Assignee: Sven Meier
>             Fix For: 6.0.0-beta2
>
>
> Markup escaping of the title and summary label in org.apache.wicket.extensions.wizard.WizardStep is disabled by default. This fact is not documented, and therefore there could be some security risk when their Models are generated from user input.
> An improvement would be to enable markup escaping and let the user disable this on demand.

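As an added example (not code from the issue or from the Wicket project), one way to get escaped title/summary labels on 1.4.x/1.5.x along the route the resolution points to: a WizardStep subclass that overrides getHeader() and returns its own header panel. The class names EscapingWizardStep and EscapingHeader and the inline panel markup are assumptions; the Wicket classes and methods used are the standard ones from those versions.

```java
import org.apache.wicket.Component;
import org.apache.wicket.MarkupContainer;
import org.apache.wicket.extensions.wizard.IWizard;
import org.apache.wicket.extensions.wizard.WizardStep;
import org.apache.wicket.markup.IMarkupResourceStreamProvider;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.util.resource.IResourceStream;
import org.apache.wicket.util.resource.StringResourceStream;

/**
 * Hypothetical WizardStep whose title and summary are always HTML-escaped,
 * independent of the unescaped default header in Wicket 1.4.x/1.5.x.
 */
public class EscapingWizardStep extends WizardStep {

    private static final long serialVersionUID = 1L;

    public EscapingWizardStep(String title, String summary) {
        super(title, summary);
    }

    /** Replace the default header component (which renders the labels unescaped). */
    @Override
    public Component getHeader(String id, Component parent, IWizard wizard) {
        return new EscapingHeader(id, this);
    }

    /** Header panel that serves its own markup, so no separate .html file is needed. */
    public static class EscapingHeader extends Panel implements IMarkupResourceStreamProvider {
        private static final long serialVersionUID = 1L;

        public EscapingHeader(String id, WizardStep step) {
            super(id);
            // PropertyModel reads step.getTitle()/getSummary() at render time. Escaping is
            // already Label's default; it is set explicitly here so the intent is visible.
            add(new Label("title", new PropertyModel<String>(step, "title")).setEscapeModelStrings(true));
            add(new Label("summary", new PropertyModel<String>(step, "summary")).setEscapeModelStrings(true));
        }

        // Inline markup for this panel (assumed layout: heading plus summary paragraph).
        public IResourceStream getMarkupResourceStream(MarkupContainer container, Class<?> containerClass) {
            return new StringResourceStream(
                "<wicket:panel><h2 wicket:id=\"title\"></h2><p wicket:id=\"summary\"></p></wicket:panel>");
        }
    }
}
```

The same override point can be used the other way round, returning a header with a MultiLineLabel or with escaping switched off, for applications that intentionally render markup in step titles.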