[
https://issues.apache.org/jira/browse/WICKET-4219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sven Meier resolved WICKET-4219.
--------------------------------
Resolution: Fixed
Fix Version/s: 6.0.0-beta2
Assignee: Sven Meier

For security reasons the models are now escaped in Wicket 6 by default.
For 1.4.x and 1.5.x we can't change this, as this would break existing
applications.
Developers needing to disable escaping of the labels (or more customization
with a MultiLineLabel) can provide their own header component, see
WizardStep#getHeader().

> Enable markup escaping of WizardStep's labels by default due to security
> aspects
> --------------------------------------------------------------------------------
>
> Key: WICKET-4219
> URL: https://issues.apache.org/jira/browse/WICKET-4219
> Project: Wicket
> Issue Type: Improvement
> Components: wicket-extensions
> Affects Versions: 1.4.19, 1.5.3
> Reporter: Thomas Aulinger
> Assignee: Sven Meier
> Fix For: 6.0.0-beta2
>
>
> Markup escaping of the title and summary label in
> org.apache.wicket.extensions.wizard.WizardStep is disabled by default. This
> fact is not documented, and therefore there could be some security risk when
> their Models are generated from user input.
> An improvement would be to enable markup escaping and let the user disable
> this on demand.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
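
An added example, not code from the Wicket project or from this issue: on 1.4.x/1.5.x, where the default stays unescaped, the WizardStep#getHeader() hook mentioned above can supply a header whose title and summary labels are escaped. `EscapedHeaderStep` and `EscapedHeader` are hypothetical names, and the `getHeader(String, Component, IWizard)` signature and the inline-markup approach are assumptions to check against the Wicket version in use.

```java
import org.apache.wicket.Component;
import org.apache.wicket.MarkupContainer;
import org.apache.wicket.extensions.wizard.IWizard;
import org.apache.wicket.extensions.wizard.WizardStep;
import org.apache.wicket.markup.IMarkupResourceStreamProvider;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.AbstractReadOnlyModel;
import org.apache.wicket.util.resource.IResourceStream;
import org.apache.wicket.util.resource.StringResourceStream;

/** Hypothetical base class: concrete steps extend it and supply their own markup. */
public abstract class EscapedHeaderStep extends WizardStep {
    private static final long serialVersionUID = 1L;

    protected EscapedHeaderStep(String title, String summary) {
        super(title, summary); // values may originate from user input
    }

    /** Replaces the built-in header, so its escaping setting no longer applies. */
    @Override
    public Component getHeader(String id, Component parent, IWizard wizard) {
        return new EscapedHeader(id);
    }

    /** Header panel with inline markup, so no extra .html file is needed. */
    private final class EscapedHeader extends Panel implements IMarkupResourceStreamProvider {
        private static final long serialVersionUID = 1L;

        EscapedHeader(String id) {
            super(id);
            // Models read the step's current title/summary at render time.
            add(new Label("title", new AbstractReadOnlyModel<String>() {
                @Override public String getObject() { return getTitle(); }
            }).setEscapeModelStrings(true)); // markup in the value is rendered as text
            add(new Label("summary", new AbstractReadOnlyModel<String>() {
                @Override public String getObject() { return getSummary(); }
            }).setEscapeModelStrings(true));
        }

        public IResourceStream getMarkupResourceStream(MarkupContainer container, Class<?> containerClass) {
            return new StringResourceStream("<wicket:panel><h2 wicket:id=\"title\"></h2>"
                + "<p wicket:id=\"summary\"></p></wicket:panel>");
        }
    }
}
```

Passing `false` to `setEscapeModelStrings` in the same structure is the opt-out for Wicket 6, and is only appropriate when the title and summary never carry user input.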