You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/02/02 18:56:00 UTC

[jira] [Commented] (WICKET-6731) CSP: inline JS in SubmitLink

    [ https://issues.apache.org/jira/browse/WICKET-6731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028517#comment-17028517 ] 

ASF subversion and git services commented on WICKET-6731:
---------------------------------------------------------

Commit a0d0101c610998dc1139ab3e04133dd3aa59625e in wicket's branch refs/heads/csp from Emond Papegaaij
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=a0d0101 ]

WICKET-6731: Use OnEventHeaderItem to render event bindings


> CSP: inline JS in SubmitLink
> ----------------------------
>
>                 Key: WICKET-6731
>                 URL: https://issues.apache.org/jira/browse/WICKET-6731
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>    Affects Versions: 9.0.0-M4
>            Reporter: Emond Papegaaij
>            Assignee: Emond Papegaaij
>            Priority: Major
>             Fix For: 9.0.0-M5
>
>
> {{org.apache.wicket.markup.html.formSubmitLink}} uses inline Javascript in two places.
> The href attribute is replaced with empty JS. This will cause a CSP violation. A different solution needs to be found. Probably via a JS event handler that calls {{event.preventDefault()}}.
> {code:java}
> tag.put("href", "javascript:;");
> {code}
> The trigger javascript is rendered as onclick. This needs to be an event handler.
> {code:java}
> tag.put("onclick", getTriggerJavaScript());
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)