[
https://issues.apache.org/jira/browse/WICKET-3945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13079324#comment-13079324
]
Mikhail Fedko commented on WICKET-3945:
---------------------------------------
In combination with https://issues.apache.org/jira/browse/WICKET-3946 and
enabled auto-login with cookie there is an XSS vulnerability.
A user can obtain a hidden link/iframe to a form and auto-execute a submit.
For now I disabled event processing on bookmarkable pages until the page is
rendered.
For what reason was this behaviour of auto-processing componentPath in a
bookmarkable page made? Am I missing something?
> BookmarkableListenerInterfaceRequestTarget and component events
> ---------------------------------------------------------------
>
> Key: WICKET-3945
> URL: https://issues.apache.org/jira/browse/WICKET-3945
> Project: Wicket
> Issue Type: Bug
> Components: wicket-core
> Affects Versions: 1.4.17
> Reporter: Mikhail Fedko
> Priority: Critical
>
> Hi,
> why is it possible to invoke links on a page mounted with
> mountBookmarkablePage() using something like
> "host/bookmarkable?wicket:interface=:-1:myPanel:securedlink::ILinkListener::"?
> The securedLink is set invisible in the onBeforeRender method of the page, but the event
> is processed just before onBeforeRender is called.
> For now I have to hack BookmarkableListenerInterfaceRequestTarget and disable
> "listenerInterface.invoke(page, component);"
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
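The pattern behind the report, as an added example that is not code from the Wicket project or from the reporter: a Wicket 1.4-style page that hides a link in onBeforeRender (the state the issue describes), next to the same page with the decision moved into isVisible() and repeated inside onClick(), so the listener-interface URL quoted in the report cannot trigger the action on a freshly constructed bookmarkable page. The names BookmarkableLinkExample, SecureSession, isAdmin(), performPrivilegedAction() and the matching BookmarkableLinkExample$VulnerablePage.html / BookmarkableLinkExample$HardenedPage.html markup files (each containing an <a wicket:id="securedLink">) are assumptions for this example; the link sits directly on the page rather than inside a panel, so the component path in the comments is shorter than the one in the report.

```java
import org.apache.wicket.Component;
import org.apache.wicket.Request;
import org.apache.wicket.Session;
import org.apache.wicket.authorization.UnauthorizedActionException;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.protocol.http.WebSession;

public class BookmarkableLinkExample {

    /** Hypothetical session type that records whether the logged-in user is an admin. */
    public static class SecureSession extends WebSession {
        private boolean admin;

        public SecureSession(Request request) {
            super(request);
        }

        public boolean isAdmin() { return admin; }

        public void setAdmin(boolean admin) { this.admin = admin; }

        public static SecureSession get() {
            return (SecureSession) Session.get();
        }
    }

    /** Stand-in for the sensitive operation the link is supposed to guard. */
    static void performPrivilegedAction() {
        Session.get().info("privileged action executed");
    }

    /**
     * The state the issue describes: the page decides visibility while preparing
     * to render. A request such as
     *   /bookmarkable?wicket:interface=:-1:securedLink::ILinkListener::
     * instantiates the page and invokes onClick() before onBeforeRender() has run,
     * so at that moment the link is still visible and enabled.
     */
    public static class VulnerablePage extends WebPage {
        public VulnerablePage() {
            add(new Link<Void>("securedLink") {
                @Override
                public void onClick() {
                    performPrivilegedAction();
                }
            });
        }

        @Override
        protected void onBeforeRender() {
            // Too late for a listener request: hiding happens only on the render path.
            get("securedLink").setVisible(SecureSession.get().isAdmin());
            super.onBeforeRender();
        }
    }

    /**
     * Hardened form: visibility is a computed property, so whatever asks the component
     * whether it is visible (including the check made before a listener is invoked)
     * gets the answer without depending on render having happened first, and the
     * listener itself re-checks authorization instead of trusting hidden UI.
     */
    public static class HardenedPage extends WebPage {
        public HardenedPage() {
            add(new Link<Void>("securedLink") {
                @Override
                public boolean isVisible() {
                    return SecureSession.get().isAdmin();
                }

                @Override
                public void onClick() {
                    // Defence in depth: never rely on the link being hidden.
                    if (!SecureSession.get().isAdmin()) {
                        throw new UnauthorizedActionException(this, Component.ENABLE);
                    }
                    performPrivilegedAction();
                }
            });
        }
    }
}
```

The practical rule this illustrates: any visibility or enabled state that carries an authorization decision must be computed in isVisible()/isEnabled() (or enforced by an IAuthorizationStrategy), never assigned in onBeforeRender(), because a bookmarkable page reached through a listener-interface URL has not rendered when the listener runs. The delivery the comment describes (hidden iframe or form, auto-submitted, with the cookie-based auto-login attached by the browser) is a cross-site request, which is why the check has to live in the component invoked and not in the page that the victim would normally see.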