You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/02/02 18:56:00 UTC
[jira] [Commented] (WICKET-6731) CSP: inline JS in SubmitLink
[ https://issues.apache.org/jira/browse/WICKET-6731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028517#comment-17028517 ]
ASF subversion and git services commented on WICKET-6731:
---------------------------------------------------------
Commit a0d0101c610998dc1139ab3e04133dd3aa59625e in wicket's branch refs/heads/csp from Emond Papegaaij
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=a0d0101 ]
WICKET-6731: Use OnEventHeaderItem to render event bindings
> CSP: inline JS in SubmitLink
> ----------------------------
>
> Key: WICKET-6731
> URL: https://issues.apache.org/jira/browse/WICKET-6731
> Project: Wicket
> Issue Type: Improvement
> Components: wicket-core
> Affects Versions: 9.0.0-M4
> Reporter: Emond Papegaaij
> Assignee: Emond Papegaaij
> Priority: Major
> Fix For: 9.0.0-M5
>
>
> {{org.apache.wicket.markup.html.formSubmitLink}} uses inline Javascript in two places.
> The href attribute is replaced with empty JS. This will cause a CSP violation. A different solution needs to be found. Probably via a JS event handler that calls {{event.preventDefault()}}.
> {code:java}
> tag.put("href", "javascript:;");
> {code}
> The trigger javascript is rendered as onclick. This needs to be an event handler.
> {code:java}
> tag.put("onclick", getTriggerJavaScript());
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)