Posted to commits@wicket.apache.org by "Alexandre (Jira)" <ji...@apache.org> on 2021/12/01 15:07:00 UTC

[jira] [Created] (WICKET-6938) wicket-autocomplete.js not CSP compliant

Alexandre created WICKET-6938:
---------------------------------

             Summary: wicket-autocomplete.js not CSP compliant
                 Key: WICKET-6938
                 URL: https://issues.apache.org/jira/browse/WICKET-6938
             Project: Wicket
          Issue Type: Bug
          Components: wicket-extensions
    Affects Versions: 9.6.0
            Reporter: Alexandre


While upgrading from Wicket 8 to 9.6 we are trying to implement CSP. We also use the autocompletebehavior. This in turn calls wicket-autocomplete.js (wicket-extensions\src\main\java\org\apache\wicket\extensions\ajax\markup\html\autocomplete).

This JS file contains a "handleSelection" function that tries to "eval(attr.value)", throwing a CSP 'unsafe-eval' exception.

So the autocomplete textfield will display choices, but won't handle user selection.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
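
The failure mode reported above, reproduced as an added example that is not part of the original message and is not Wicket's code. It assumes Node's `vm` module as a stand-in for a browser page whose CSP omits 'unsafe-eval'; `onSelect`, `makeDispatcher` and the JSON descriptor format are hypothetical names chosen for illustration.

```javascript
const vm = require('vm');
// Stand-in for a page whose CSP lacks 'unsafe-eval': in this context eval()
// and new Function() throw EvalError instead of compiling strings.
function cspLikeContext(globals) {
  return vm.createContext({ ...globals },
    { codeGeneration: { strings: false, wasm: false } });
}

// The pattern from the report: the attribute value is a string of JavaScript.
function runEvalPattern(attrValue) {
  const selected = [];
  const page = cspLikeContext({ attrValue, onSelect: (v) => selected.push(v) });
  try {
    vm.runInContext('eval(attrValue)', page);
    return { error: null, selected };
  } catch (err) {
    return { error: err.name, selected };
  }
}

// CSP-compatible alternative (hypothetical): the attribute carries JSON data
// naming a handler, and only functions registered in advance can be called.
function makeDispatcher(handlers) {
  const table = new Map(Object.entries(handlers));
  return function dispatch(descriptor) {
    const { handler, args = [] } = JSON.parse(descriptor);
    const fn = table.get(handler);
    if (typeof fn !== 'function' || !Array.isArray(args)) {
      throw new TypeError('unknown handler or malformed arguments');
    }
    return fn(...args);
  };
}

// Compile and call the dispatcher inside the same restricted context.
function runDispatchPattern(descriptor) {
  const selected = [];
  const handlers = { onSelect: (v) => selected.push(v) };
  const page = cspLikeContext({ descriptor, handlers });
  try {
    vm.runInContext(`(${makeDispatcher})(handlers)(descriptor)`, page);
    return { error: null, selected };
  } catch (err) {
    return { error: err.name, selected };
  }
}
// Constructed sample attribute values.
console.log(runEvalPattern("onSelect('apple')"));
console.log(runDispatchPattern('{"handler":"onSelect","args":["apple"]}'));
```

The eval pattern fails with `EvalError` before the handler runs, which matches the reported symptom of choices being shown but selection not being handled; the dispatcher runs under the same restriction because it never compiles a string.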