[ 
https://issues.apache.org/jira/browse/WICKET-3946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13079788#comment-13079788
 ] 

Mikhail Fedko commented on WICKET-3946:
---------------------------------------

Sorry, we had setEscapeModelStrings(false) on the feedback panel (we add some hint
links to errors, and the error markup belongs to us; no user input here).
Is it possible to escape the input in advance?

Regarding component events, I added

    @Override
    protected void init() {
        super.init();

++        mountBookmarkablePage("myhome", HomePage.class);
        mount(new QueryStringUrlCodingStrategy("3921", Wicket3921.class));
    }

and updated HomePage.java:

++    @Override
++    protected void onBeforeRender() {

++        get("form").setVisible(false); // a lot of business logic here

++        super.onBeforeRender();
++    }

Now, if I go to
"http://localhost:8080/myproject/myhome?wicket:interface=:-1:form::IFormSubmitListener::&xss=abc"
the form is invisible, but the event was processed:

Wicket Quickstart Archetype Homepage 

If you see this message wicket is properly configured and running 

'abc' must correspond to the Integer type. (Russian-locale message; in the English
locale it reads "'abc' is not a valid Integer.")

> input is not escaped in validation errors 
> ------------------------------------------
>
>                 Key: WICKET-3946
>                 URL: https://issues.apache.org/jira/browse/WICKET-3946
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 1.4.17
>            Reporter: Mikhail Fedko
>         Attachments: wicket-3946.tgz
>
>
> Hi,
> when I add TextField<Integer>("field", Model.of(0), Integer.class)
> and enter something like <script>alert('XSS')</script> in the field, the input
> is not escaped; I just get
> '' is not a valid Integer. + alert

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
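The comment above describes a feedback panel that runs with setEscapeModelStrings(false) so that application-authored hint links render as markup, which is exactly what lets the raw ${input} of a conversion error reach the browser unescaped. The following is an added example, not code from the ticket or from the Wicket project: a FeedbackPanel subclass that keeps escaping on for every message and renders markup only for messages the application wraps in a marker type. It assumes the Wicket 1.4 API (FeedbackPanel.newMessageDisplayComponent, FeedbackMessage.getMessage() returning Serializable, Component.error(Serializable)); the component ids, the form class and the help URL are assumptions for the example.

```java
import java.io.Serializable;

import org.apache.wicket.Component;
import org.apache.wicket.feedback.FeedbackMessage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.Model;

/**
 * Added example (not from the ticket or the Wicket project): a FeedbackPanel that
 * escapes every message by default and renders raw markup only for messages the
 * application itself marks as trusted. Hint links keep working; converter and
 * validator messages, which interpolate the raw ${input}, stay escaped.
 */
public class HintFeedbackPanel extends FeedbackPanel {
    private static final long serialVersionUID = 1L;

    /** Wrapper for markup authored by the application. Never wrap user input in it. */
    public static final class TrustedHtml implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String html;

        public TrustedHtml(String html) {
            this.html = html;
        }

        @Override
        public String toString() {
            return html;
        }
    }

    public HintFeedbackPanel(String id) {
        super(id);
        // The panel default, stated explicitly: the point is never to flip it.
        setEscapeModelStrings(true);
    }

    /**
     * Hook FeedbackPanel uses to build the Label for each message. The stock
     * implementation copies the panel's escape setting to every label; here the
     * decision is made per message, based on its type rather than its content.
     */
    @Override
    protected Component newMessageDisplayComponent(String id, FeedbackMessage message) {
        Serializable payload = message.getMessage();
        Label label = new Label(id, payload == null ? "" : payload.toString());
        // Only TrustedHtml is rendered unescaped. A conversion error such as
        // "'<script>alert('XSS')</script>' is not a valid Integer." arrives as a
        // plain String and is therefore escaped.
        label.setEscapeModelStrings(!(payload instanceof TrustedHtml));
        return label;
    }

    /**
     * Usage sketch: a form whose own error message carries a hint link. The
     * component ids and the help URL are assumptions for the example.
     */
    public static Form<Void> exampleForm() {
        Form<Void> form = new Form<Void>("form") {
            private static final long serialVersionUID = 1L;

            @Override
            protected void onSubmit() {
                // Application-authored markup: rendered as a real link.
                error(new TrustedHtml(
                    "Value rejected, see <a href=\"/help/integers\">the integer rules</a>."));
            }
        };
        // Converter errors from this field reach the panel as plain Strings and
        // are escaped by HintFeedbackPanel, whatever the user typed.
        form.add(new TextField<Integer>("field", Model.of(0), Integer.class));
        form.add(new HintFeedbackPanel("feedback"));
        return form;
    }
}
```

The decision is keyed on the message's Java type, not on inspecting its content, so a validator or converter message can never be promoted to markup by accident; the only way to get unescaped output is to construct a TrustedHtml in application code, which is where a reviewer would look for it.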