[
https://issues.apache.org/jira/browse/WICKET-6553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sven Meier closed WICKET-6553.
------------------------------
Resolution: Fixed
Fix Version/s: 6.30.0
8.1.0
7.11.0
I assume that most people will use SelectOptions to render non-user-input.
But I agree that it should be the other way around: Escape markup by default
and allow people to configure the opposite if they need it. For this
SelectOptions will adher to #getEscapeModelStrings() in the future.
> SelectOptions doesn't html-encode option values
> -----------------------------------------------
>
> Key: WICKET-6553
> URL: https://issues.apache.org/jira/browse/WICKET-6553
> Project: Wicket
> Issue Type: Bug
> Components: wicket-extensions
> Reporter: Jyri-Matti Lähteenmäki
> Assignee: Sven Meier
> Priority: Major
> Fix For: 7.11.0, 8.1.0, 6.30.0
>
> Attachments: myproject.zip
>
>
> This will show a javascript alert dialog (jetty:run the attached example app):
> {code:java}
> add(new Select<String>("select")
> .add(new SelectOptions<String>("selectOptions",
> Arrays.asList("<script>alert('hello');</script>"), new
> IOptionRenderer<String>() {
> @Override
> public String getDisplayValue(String arg0) {
> return arg0;
> }
> @Override
> public IModel<String> getModel(String arg0) {
> return Model.of(arg0);
> }
> })));{code}
>
> If I understand correctly, IOptionRenderer is for the user to provide the
> human-readable representation of the object (in this example just a String),
> and shouldn't be responsible for any kind of html encoding.
> Should
> org.apache.wicket.extensions.markup.html.form.select.SelectOptions.SimpleSelectOption
> do the encoding?
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
