Posted to commits@wicket.apache.org by "Sven Meier (JIRA)" <ji...@apache.org> on 2012/05/15 21:13:09 UTC

[jira] [Resolved] (WICKET-4219) Enable markup escaping of WizardStep's labels by default due to security aspects

     [ https://issues.apache.org/jira/browse/WICKET-4219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sven Meier resolved WICKET-4219.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 6.0.0-beta2
         Assignee: Sven Meier

For security reasons the models are now escaped in Wicket 6 by default.

For 1.4.x and 1.5.x we can't change this, as this would break existing applications.

Developers needing to disable escaping of the labels (or more customization with a MultiLineLabel) can provide their own header component, see WizardStep#getHeader().
                
> Enable markup escaping of WizardStep's labels by default due to security aspects
> --------------------------------------------------------------------------------
>
>                 Key: WICKET-4219
>                 URL: https://issues.apache.org/jira/browse/WICKET-4219
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-extensions
>    Affects Versions: 1.4.19, 1.5.3
>            Reporter: Thomas Aulinger
>            Assignee: Sven Meier
>             Fix For: 6.0.0-beta2
>
>
> Markup escaping of the title and summary label in org.apache.wicket.extensions.wizard.WizardStep are disabled by default. This fact is not documented, and therefore there could be some security risk, when their Models are generated from user input.
> An improvement would be to enable markup escaping and let the user disable this on demand.
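As an added illustration of the customization route described in the resolution above (this is not code from the Wicket project or from this issue), a step that overrides WizardStep#getHeader() to render its summary with a MultiLineLabel while keeping Wicket's default model escaping, so a title or summary built from user input is rendered as text rather than markup. The class names UserTitledStep and EscapingHeader, and the header's markup file, are assumptions.

```java
import org.apache.wicket.Component;
import org.apache.wicket.extensions.wizard.IWizard;
import org.apache.wicket.extensions.wizard.WizardStep;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.basic.MultiLineLabel;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;

/** Hypothetical wizard step whose title and summary may come from user input. */
public class UserTitledStep extends WizardStep {
    private final IModel<String> title;
    private final IModel<String> summary;

    public UserTitledStep(IModel<String> title, IModel<String> summary) {
        super(title, summary);
        this.title = title;
        this.summary = summary;
    }

    /** Replace the default header instead of switching escaping off on WizardStep's own labels. */
    @Override
    public Component getHeader(String id, Component parent, IWizard wizard) {
        return new EscapingHeader(id, title, summary);
    }

    /**
     * Custom header panel. Both components leave escapeModelStrings at its default (true):
     * Label escapes the title, MultiLineLabel escapes the summary text first and only then
     * turns line breaks into <br/> / <p> markup, so multi-line summaries stay safe.
     *
     * Requires EscapingHeader.html next to this class (assumed markup):
     *   <wicket:panel>
     *     <h3 wicket:id="title"></h3>
     *     <p wicket:id="summary"></p>
     *   </wicket:panel>
     */
    public static class EscapingHeader extends Panel {
        public EscapingHeader(String id, IModel<String> title, IModel<String> summary) {
            super(id);
            add(new Label("title", title));
            add(new MultiLineLabel("summary", summary));
        }
    }

    /** Constructed sample: a summary containing markup is rendered as literal text, not executed. */
    public static UserTitledStep sampleStep() {
        return new UserTitledStep(Model.of("Account details"),
                Model.of("Line one\n<b>not bold</b> and <script>alert(1)</script> shown verbatim"));
    }
}
```

With the default escaping kept, the rendered header shows the angle brackets of the sample summary as text; only the newline becomes a line break.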
