[
https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922089#action_12922089
]
Pedro Santos commented on WICKET-3098:
--------------------------------------
Why silent return the call rather then throw page expired exception? The only
use case that I can imagine now is:
- add an enabled component + ajax behavior
- processing some ajax request, disable the component and don't add it to target
Result: page is presenting an expired component state, the current one is
disable.
> AjaxEventBehavior#onEvent is invoked on disabled behavior
> ---------------------------------------------------------
>
> Key: WICKET-3098
> URL: https://issues.apache.org/jira/browse/WICKET-3098
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.9
> Reporter: Stanislav Dvorscak
> Assignee: Igor Vaynberg
> Fix For: 1.4.13, 1.5-M3
>
> Attachments: BehaviorRequestTarget.java.patch
>
>
> Security bug AjaxEventBehavior#onEvent is invoked on disabled behavior. It
> should not be - it is really dangerous, can you fix it.
> I think it is security bug.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
