Andrew Kondratev created WICKET-6687:
----------------------------------------

             Summary: Cleanup the code from attribute inline styles and attribute inline scripts
                 Key: WICKET-6687
                 URL: https://issues.apache.org/jira/browse/WICKET-6687
             Project: Wicket
          Issue Type: Improvement
          Components: wicket-core
            Reporter: Andrew Kondratev


Another issue for improving Wicket's Content Security Policy (CSP) compatibility 
is an abundance of attribute inline styles and scripts, such as 
style="display: none", onclick="doSomething()", and 
href="javascript:doSomething();". All these could be easily replaced with 
appropriate nonced inline scripts and styles or references to predefined css 
classes and js functions.

h2. Examples

org.apache.wicket.ajax.markup.html.*AjaxLink*#onComponentTag : should rather 
completely remove the href, potentially some css class like `wicket-ajax-link` 
could be added
{code:java}
if (tagName.equalsIgnoreCase("a") || tagName.equalsIgnoreCase("link") ||
        tagName.equalsIgnoreCase("area"))
{
        // disable any href attr in markup
        tag.put("href", "javascript:;");
}
{code}

org.apache.wicket.*Component*#renderPlaceholderTag : should rather add some 
special css class, or javascript which can set display none programmatically 
(and can also be nonced)
{code:java}
response.write("<");
response.write(name);
response.write(" id=\"");
response.write(getAjaxRegionMarkupId());
response.write("\" style=\"display:none\" data-wicket-placeholder=\"\"></");
response.write(name);
response.write(">");
{code}
(org.apache.wicket.extensions.ajax.markup.html.AjaxIndicatorAppender#afterRender has the same issue)

org.apache.wicket.markup.html.form.Form#appendDefaultButtonField : this piece 
is just ridiculous to have in 2019
{code:java}
buffer.append(String.format("<div style=\"width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden\" class=\"%s\">", cssClass));
{code}

org.apache.wicket.markup.html.form.Form#appendDefaultButtonField
{code:java}
buffer.append(defaultSubmittingComponent.getInputName());
buffer.append("\" onclick=\" var b=document.getElementById('");
buffer.append(submittingComponent.getMarkupId());
{code}
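As an added illustration (not Wicket's own code and not part of this issue), the plain Java sketch below shows the replacements requested for the placeholder tag and the default-button field above: a per-response nonce, a CSP header that admits only nonced inline content, and rendering that uses predefined CSS classes plus a nonced script instead of style="display:none" and onclick="...". The class name, the helper methods, the CSS class names and the sample ids are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added illustration, not Wicket code: the markup the issue complains about
 * rendered without attribute inline styles/scripts. Helper names and the
 * "wicket-placeholder"/"wicket-default-button" classes are assumptions.
 */
public final class CspFriendlyMarkup {
    private static final SecureRandom RNG = new SecureRandom();

    private CspFriendlyMarkup() {}

    /** Fresh per-response nonce: 128 random bits, base64 so it is attribute-safe. */
    public static String newNonce() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw);
    }

    /** CSP header permitting same-origin resources plus inline script/style carrying this nonce. */
    public static String cspHeaderValue(String nonce) {
        return "default-src 'self'; script-src 'self' 'nonce-" + nonce
             + "'; style-src 'self' 'nonce-" + nonce + "'";
    }

    /** Minimal escaping so ids/names cannot break out of a double-quoted attribute. */
    static String attr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;").replace(">", "&gt;");
    }

    /** Escape a value for use inside a single-quoted JS string within a script block. */
    static String jsString(String s) {
        return "'" + s.replace("\\", "\\\\").replace("'", "\\'").replace("<", "\\x3c") + "'";
    }

    /** Before: placeholder as quoted from Component#renderPlaceholderTag (inline style, blocked by a nonce-only style-src). */
    public static String placeholderBefore(String tagName, String markupId) {
        return "<" + tagName + " id=\"" + attr(markupId)
             + "\" style=\"display:none\" data-wicket-placeholder=\"\"></" + tagName + ">";
    }

    /** After: hide through a predefined class; the rule is shipped once in a nonced style block. */
    public static String placeholderAfter(String tagName, String markupId) {
        return "<" + tagName + " id=\"" + attr(markupId)
             + "\" class=\"wicket-placeholder\" data-wicket-placeholder=\"\"></" + tagName + ">";
    }

    /** Stylesheet rendered once per page with the response nonce; the default-button rule reuses the values from Form#appendDefaultButtonField. */
    public static String sharedStyle(String nonce) {
        return "<style nonce=\"" + attr(nonce) + "\">"
             + ".wicket-placeholder{display:none}"
             + ".wicket-default-button{width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden}"
             + "</style>";
    }

    /** After: no onclick attribute; a nonced script attaches the listener that forwards to the real submit button. */
    public static String defaultButtonAfter(String nonce, String hiddenInputId, String submitButtonId) {
        return "<input type=\"submit\" id=\"" + attr(hiddenInputId) + "\" class=\"wicket-default-button\" />"
             + "<script nonce=\"" + attr(nonce) + "\">"
             + "document.getElementById(" + jsString(hiddenInputId) + ").addEventListener('click', function (e) {"
             + " e.preventDefault();"
             + " var b = document.getElementById(" + jsString(submitButtonId) + ");"
             + " if (b) { b.click(); }"
             + "});</script>";
    }

    public static void main(String[] args) {
        String nonce = newNonce();   // one nonce per HTTP response, never reused
        System.out.println("Content-Security-Policy: " + cspHeaderValue(nonce));
        System.out.println(sharedStyle(nonce));
        System.out.println(placeholderBefore("div", "panel12"));      // sample id, constructed
        System.out.println(placeholderAfter("div", "panel12"));
        System.out.println(defaultButtonAfter(nonce, "form1_defaultbtn", "submit3"));
    }
}
```

The header value and the nonce must come from the same response, and the nonce must be regenerated per response; a reused or predictable nonce defeats the allowlist. The before/after pair for the placeholder shows that only the hiding mechanism changes, so the data-wicket-placeholder marker and the id the Ajax code relies on stay intact.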
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)