[ https://issues.apache.org/jira/browse/WICKET-6155?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sven Meier resolved WICKET-6155.
--------------------------------
Resolution: Fixed
Fix Version/s: 7.4.0, 6.23.0, 8.0.0-M1

All JavaScript string values are now properly escaped; in 8.x, ModalWindow now
uses a JSONObject for the settings.
> Newline in ModalWindow title
> -----------------------------
>
> Key: WICKET-6155
> URL: https://issues.apache.org/jira/browse/WICKET-6155
> Project: Wicket
> Issue Type: Bug
> Components: wicket-extensions
> Affects Versions: 7.2.0, 8.0.0-M1, 6.22.0
> Reporter: Ramon van Sparrentak
> Assignee: Sven Meier
> Priority: Minor
> Fix For: 8.0.0-M1, 6.23.0, 7.4.0
>
>
> Setting a newline (\n) in the title of ModalWindow crashes, because the
> newline is used unescaped in JavaScript (only HTML is escaped) and breaks the
> generated string literal.
> Reproduction steps:
> Create the modal-window example project.
> Change the title:
>
> add(modal1 = new ModalWindow("modal1"));
> modal1.setTitle("modal title\n with newline");
> Start the application and open the modal window.
> Exception evaluating javascript: SyntaxError: unterminated string
> literal, text: (function(){var settings = new Object();
> ...
> settings.cookieId="modal-1";
> settings.title="modal title
> with newline";
> ...
> Note that the newline ends up unescaped. The string literal generation code
> is in getWindowOpenJavaScript#getWindowOpenJavaScript()
>     String title = getTitle() != null ? getTitle().getObject() : null;
>     if (title != null)
>     {
>         String escaped = getDefaultModelObjectAsString(title);
>         appendAssignment(buffer, "settings.title", escaped);
>     }
> getDefaultModelObjectAsString does escape HTML (if flag is set), but does not
> escape the JavaScript.
> Perhaps #appendAssignment() should escape the value?
> Same for the characters \ and \r
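
The failure in the report and the two remedies named in the resolution (escaping the string value, or letting a JSON serializer build the literal), as an added JavaScript example that is not Wicket's code. The function names are hypothetical and the sample titles are constructed; the script wrapper is modelled on the error output quoted above.

```javascript
// Added example: a model of the string-literal generation, not Wicket's code.
// All function names here are hypothetical.

// Wrap an assignment the way the report's error output shows it.
function buildScript(assignment) {
  return 'var settings = new Object();\n' + assignment + '\nreturn settings.title;';
}

// Pre-fix behaviour from the report: the value is placed between quotes as-is.
function assignUnescaped(value) {
  return 'settings.title="' + value + '";';
}

// Escape every character that can end or alter a JavaScript string literal.
function escapeJsString(value) {
  const map = { '\\': '\\\\', '"': '\\"', "'": "\\'", '\n': '\\n', '\r': '\\r',
                '\u2028': '\\u2028', '\u2029': '\\u2029' };
  return value.replace(/[\\"'\n\r\u2028\u2029]/g, (c) => map[c]);
}

function assignEscaped(value) {
  return 'settings.title="' + escapeJsString(value) + '";';
}

// Serializer-based variant: JSON.stringify emits a quoted, escaped literal.
function assignJson(value) {
  return 'settings.title=' + JSON.stringify(value) + ';';
}

// Compile and run the script; return the title the page would end up with,
// or the error name if the generated literal does not parse.
function roundTrip(assignment) {
  try {
    return new Function(buildScript(assignment))();
  } catch (e) {
    return e.name;
  }
}

// Constructed sample titles: the report's newline case, \r, \ and a quote.
const samples = ['modal title\n with newline', 'a\rb', 'c:\\temp', 'say "hi"'];
for (const title of samples) {
  console.log(JSON.stringify(title),
    '| unescaped:', JSON.stringify(roundTrip(assignUnescaped(title))),
    '| escaped ok:', roundTrip(assignEscaped(title)) === title,
    '| json ok:', roundTrip(assignJson(title)) === title);
}
```

The backslash case parses without error but silently changes the title, so a check that only looks for script errors will not catch it.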