Posted to commits@wicket.apache.org by "Alexandre (Jira)" <ji...@apache.org> on 2021/12/02 16:06:00 UTC

[jira] [Comment Edited] (WICKET-6938) wicket-autocomplete.js not CSP compliant

    [ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452443#comment-17452443 ] 

Alexandre edited comment on WICKET-6938 at 12/2/21, 4:05 PM:
-------------------------------------------------------------

[~mgrigorov] The use case is the following: the choices list contains fully developed names (i.e. title, first name, last name), but when the user clicks we call an "AbstractDefaultAjaxBehavior" with Wicket.Ajax.get (defined in getOnSelectJavaScriptExpression) to set the textfield value to the username instead.

This scenario is pretty much what the examples are describing.

I understand now that this will break because the unsafe eval is there.

You can close this issue, I will try moving this logic to an event handler as suggested.

Thank you

EDIT: after reading Emond Papegaaij, would it be possible to provide the nonce to the Ajax call, or would the simple fact of calling "eval" (from "return attr ? eval(attr.value) : input;") prevent that too?


was (Author: JIRAUSER281063):
[~mgrigorov] The use case is the following: the choices list contains fully developed names (i.e. title, first name, last name), but when the user clicks we call an "AbstractDefaultAjaxBehavior" with Wicket.Ajax.get (defined in getOnSelectJavaScriptExpression) to set the textfield value to the username instead.

This scenario is pretty much what the examples are describing.

I understand now that this will break because the unsafe eval is there.

You can close this issue, I will try moving this logic to an event handler as suggested.

Thank you

> wicket-autocomplete.js not CSP compliant
> ----------------------------------------
>
>                 Key: WICKET-6938
>                 URL: https://issues.apache.org/jira/browse/WICKET-6938
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-extensions
>    Affects Versions: 9.6.0
>            Reporter: Alexandre
>            Priority: Major
>
> While upgrading from Wicket 8 to 9.6 we are trying to implement CSP. We also use the AutoCompleteBehavior. This in turn calls wicket-autocomplete.js (wicket-extensions\src\main\java\org\apache\wicket\extensions\ajax\markup\html\autocomplete).
> This js file contains a "handleSelection" function that tries to "eval(attr.value)", throwing a CSP 'unsafe-eval' exception.
> So the autocomplete textfield will display choices, but won't handle user selection.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)