Posted to commits@wicket.apache.org by "Andrew Kondratev (JIRA)" <ji...@apache.org> on 2019/07/17 22:40:00 UTC

[jira] [Comment Edited] (WICKET-6687) Cleanup the code from attribute inline styles and attribute inline scripts

    [ https://issues.apache.org/jira/browse/WICKET-6687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16887476#comment-16887476 ] 

Andrew Kondratev edited comment on WICKET-6687 at 7/17/19 10:39 PM:
--------------------------------------------------------------------

[~mgrigorov] whenever you remove 'unsafe-inline' from the style-src directive of CSP, all inline scripts, including style="display: none", simply stop working.

Why is it unsafe? In short: attackers can modify the style of the page, similarly to JS XSS injections; also, under some circumstances code evaluation is possible inside style definitions. I'll just drop a few links for more details:
[https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet]
[https://www.mediawiki.org/wiki/Preventing_XSS_Attacks_through_CSS_Whitelisting]

Also some of our huge clients from the US and Australia require the CSP to be applied without any "unsafe" things. Unsafe inline scripts are just one little thing on the way to a clean CSP. These requirements are a trend rather than a random deviation. I suppose other Wicket users/developers are likely to have a similar issue.

"um-ajax-link" is just a custom style to mark unrefined links, so styles to which users are accustomed can be applied. It's here just as an example. I suppose the href can be removed without adding anything instead.

> Cleanup the code from attribute inline styles and attribute inline scripts
> --------------------------------------------------------------------------
>
>                 Key: WICKET-6687
>                 URL: https://issues.apache.org/jira/browse/WICKET-6687
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>            Reporter: Andrew Kondratev
>            Priority: Minor
>
> Another issue for improving Wicket's Content Security Policy (CSP) compatibility is an abundance of attribute inline styles and scripts, such as style="display: none", onclick="doSomething()", and href="javascript:doSomething();". All of these could easily be replaced with appropriate nonced inline scripts and styles, or with references to predefined CSS classes and JS functions.
> h2. Examples
> org.apache.wicket.ajax.markup.html.*AjaxLink*#onComponentTag : should rather completely remove the href, potentially some css class like `wicket-ajax-link` could be added
> {code:java}
> if (tagName.equalsIgnoreCase("a") || tagName.equalsIgnoreCase("link") ||
> 	tagName.equalsIgnoreCase("area"))
> {
> 	// disable any href attr in markup
> 	tag.put("href", "javascript:;");
> }
> {code}
> org.apache.wicket.*Component*#renderPlaceholderTag : should rather add some special css class, or javascript which can set display none programmatically (and can also be nonced)
> {code:java}
> response.write("<");
> response.write(name);
> response.write(" id=\"");
> response.write(getAjaxRegionMarkupId());
> response.write("\" style=\"display:none\" data-wicket-placeholder=\"\"></");
> response.write(name);
> response.write(">");
> {code}
> (org.apache.wicket.extensions.ajax.markup.html.AjaxIndicatorAppender#afterRender has the same issue)
> org.apache.wicket.markup.html.form.Form#appendDefaultButtonField : this piece is just ridiculous to have in 2019
> {code:java}
> buffer.append(String.format("<div style=\"width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden\" class=\"%s\">", cssClass));
> {code}
> org.apache.wicket.markup.html.form.Form#appendDefaultButtonField
> {code:java}
> buffer.append(defaultSubmittingComponent.getInputName());
> buffer.append("\" onclick=\" var b=document.getElementById('");
> buffer.append(submittingComponent.getMarkupId());
> {code}
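The three inline patterns the issue lists (style attributes, on* handlers and javascript: URLs) are exactly what a policy without 'unsafe-inline' blocks, and a nonce does not rescue them because nonces only apply to script and style elements. As an added example (not part of the issue or of Wicket's code base), here is a small JavaScript audit that scans rendered markup for those patterns and reports whether a given Content-Security-Policy would block each one; the sample markup and policies are constructed.

```javascript
// Added example, not Wicket code: flags the inline patterns the issue lists and
// says whether a given Content-Security-Policy header would block each of them.
const INLINE_PATTERNS = [
  { kind: "inline-style",   directive: "style-src",  re: /\sstyle\s*=\s*"[^"]*"/gi },
  { kind: "event-handler",  directive: "script-src", re: /\son[a-z]+\s*=\s*"[^"]*"/gi },
  { kind: "javascript-url", directive: "script-src", re: /\shref\s*=\s*"javascript:[^"]*"/gi },
];

// Constructed sample markup echoing the three snippets quoted in the issue.
const SAMPLE_MARKUP = [
  '<a id="link1" href="javascript:;">Ajax link</a>',
  '<span id="ph1" style="display:none" data-wicket-placeholder=""></span>',
  '<input type="submit" name="btn" onclick="var b=document.getElementById(\'b1\');">',
].join("\n");

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return policy;
}

// Would inline content governed by `directive` be blocked under this policy?
function inlineBlocked(policy, directive) {
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return false;  // neither the directive nor default-src is set: unrestricted
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // CSP Level 2+: once a nonce or hash is listed, 'unsafe-inline' is ignored, and
  // nonces never cover attributes, so style="", on*="" and javascript: stay blocked.
  return hasNonceOrHash || !sources.includes("'unsafe-inline'");
}

// Scan markup and report each inline attribute together with its blocked status.
function auditMarkup(html, cspHeader) {
  const policy = parseCsp(cspHeader);
  const findings = [];
  for (const { kind, directive, re } of INLINE_PATTERNS) {
    for (const m of html.matchAll(re)) {
      findings.push({ kind, directive, snippet: m[0].trim(), blocked: inlineBlocked(policy, directive) });
    }
  }
  return findings;
}

console.log(auditMarkup(SAMPLE_MARKUP, "default-src 'self'; style-src 'self'; script-src 'self'"));
```

Run against the markup Wicket actually renders for a page, the findings list is the work list for replacing each attribute with a CSS class or a nonced script/style element.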



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)