[ https://issues.apache.org/jira/browse/WICKET-6687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16887476#comment-16887476 ]

Andrew Kondratev commented on WICKET-6687:
------------------------------------------

[~mgrigorov] whenever you remove 'unsafe-inline' from the style-src directive 
of CSP all inline scripts including style="display: none" simply stop working.

Why is it unsafe? In short: attackers can modify the style of the page similarly 
to JS XSS injections; also, under some circumstances code evaluation is 
possible inside of style definitions. I'll just drop a few links for more 
details:
[https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet]
[https://www.mediawiki.org/wiki/Preventing_XSS_Attacks_through_CSS_Whitelisting]

Also some of our huge clients from the US and Australia require the CSP to be 
applied without any "unsafe" things. Unsafe inline scripts are just one little 
thing on the way to a clean CSP. These requirements are a trend rather than a 
random deviation. I suppose other Wicket users/developers are likely to have a 
similar issue.

"um-ajax-link" is just a custom style to mark unrefined links, so styles to 
which users are accustomed can be applied. It's here just as an example. I 
suppose the href can be removed without adding anything instead.

> Cleanup the code from attribute inline styles and attribute inline scripts
> --------------------------------------------------------------------------
>
>                 Key: WICKET-6687
>                 URL: https://issues.apache.org/jira/browse/WICKET-6687
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-core
>            Reporter: Andrew Kondratev
>            Priority: Minor
>
> Another issue for improving Wicket's Content Security Policy (CSP) 
> compatibility is an abundance of attribute inline styles and scripts, such 
> as style="display: none", onclick="doSomething()", and 
> href="javascript:doSomething();". All these could be easily replaced with 
> appropriate nonced inline scripts and styles or references to predefined CSS 
> classes and JS functions.
> h2. Examples
> org.apache.wicket.ajax.markup.html.*AjaxLink*#onComponentTag : should rather 
> completely remove the href, potentially some css class like 
> `wicket-ajax-link` could be added
> {code:java}
> if (tagName.equalsIgnoreCase("a") || tagName.equalsIgnoreCase("link") ||
>       tagName.equalsIgnoreCase("area"))
> {
>       // disable any href attr in markup
>       tag.put("href", "javascript:;");
> }
> {code}
> org.apache.wicket.*Component*#renderPlaceholderTag : should rather add some 
> special css class, or javascript which can set display none programmatically 
> (and can also be nonced)
> {code:java}
> response.write("<");
> response.write(name);
> response.write(" id=\"");
> response.write(getAjaxRegionMarkupId());
> response.write("\" style=\"display:none\" data-wicket-placeholder=\"\"></");
> response.write(name);
> response.write(">");
> {code}
> (org.apache.wicket.extensions.ajax.markup.html.AjaxIndicatorAppender#afterRender
>  has the same issue)
> org.apache.wicket.markup.html.form.Form#appendDefaultButtonField : this piece 
> is just ridiculous to have in 2019
> {code:java}
> buffer.append(String.format("<div 
> style=\"width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden\"
>  class=\"%s\">", cssClass));
> {code}
> org.apache.wicket.markup.html.form.Form#appendDefaultButtonField
> {code:java}
> buffer.append(defaultSubmittingComponent.getInputName());
> buffer.append("\" onclick=\" var b=document.getElementById('");
> buffer.append(submittingComponent.getMarkupId());
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
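A defender-side check for the problem the issue describes, added here as an example and not code from the Wicket project: a small audit that walks rendered HTML and reports every construct that only works when `style-src` or `script-src` carries 'unsafe-inline' (inline `style` attributes, `on*` handler attributes, `javascript:` URLs, and `<script>`/`<style>` blocks without a `nonce`). The two markup samples are constructed to approximate the fragments quoted in the issue (placeholder tag, default-button div, `href="javascript:;"`) and a CSP-clean rewrite using CSS classes plus a nonced script; the class names, element ids and the nonce value are placeholders, not Wicket's.

```python
"""Audit rendered HTML for markup that depends on CSP 'unsafe-inline'."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List


@dataclass(frozen=True)
class Finding:
    tag: str
    attr: str
    value: str
    kind: str  # inline-style | inline-handler | javascript-url | unnonced-block


class InlineUsageAuditor(HTMLParser):
    """Collects attributes/elements that need 'unsafe-inline' to function."""

    URL_ATTRS = ("href", "src", "action", "formaction")

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        names = {name for name, _ in attrs}
        # Inline <script> (no src) or <style> is blocked unless it carries a nonce
        # that matches a 'nonce-...' source in the corresponding directive.
        if tag == "script" and "src" not in names and "nonce" not in names:
            self.findings.append(Finding(tag, "", "", "unnonced-block"))
        elif tag == "style" and "nonce" not in names:
            self.findings.append(Finding(tag, "", "", "unnonced-block"))
        for name, value in attrs:  # HTMLParser already lower-cases attribute names
            value = value or ""
            if name == "style":
                # style="display:none" needs style-src 'unsafe-inline'
                self.findings.append(Finding(tag, name, value, "inline-style"))
            elif name.startswith("on") and len(name) > 2:
                # onclick="..." and friends need script-src 'unsafe-inline'
                self.findings.append(Finding(tag, name, value, "inline-handler"))
            elif name in self.URL_ATTRS and value.strip().lower().startswith("javascript:"):
                # href="javascript:;" is also inline script execution
                self.findings.append(Finding(tag, name, value, "javascript-url"))


def audit(markup: str) -> List[Finding]:
    parser = InlineUsageAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


def directives_needing_unsafe_inline(findings: List[Finding]) -> List[str]:
    """Which CSP directives would have to carry 'unsafe-inline' for this markup."""
    directives = set()
    for f in findings:
        if f.kind == "inline-style" or (f.kind == "unnonced-block" and f.tag == "style"):
            directives.add("style-src")
        else:
            directives.add("script-src")
    return sorted(directives)


# Constructed sample mirroring the Wicket output the issue quotes (not real Wicket output).
BEFORE_MARKUP = """
<a id="link1" href="javascript:;">Delete</a>
<span id="region1" style="display:none" data-wicket-placeholder=""></span>
<div style="width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden" class="defaultbutton">
  <input type="submit" name="submit" onclick="document.getElementById('btn1').click(); return false;" />
</div>
"""

# Constructed CSP-clean rewrite: classes instead of inline styles, a nonced script
# instead of onclick/javascript: URLs. Class names and the nonce are placeholders.
AFTER_MARKUP = """
<a id="link1" class="wicket-ajax-link">Delete</a>
<span id="region1" class="wicket-placeholder" data-wicket-placeholder=""></span>
<div class="defaultbutton wicket-offscreen">
  <input type="submit" name="submit" id="defaultbtn1" />
</div>
<script nonce="PLACEHOLDER_NONCE">
  document.getElementById('defaultbtn1').addEventListener('click', function (e) {
    e.preventDefault();
    document.getElementById('btn1').click();
  });
</script>
"""

if __name__ == "__main__":
    for label, markup in (("before", BEFORE_MARKUP), ("after", AFTER_MARKUP)):
        findings = audit(markup)
        print(label, "->", directives_needing_unsafe_inline(findings))
        for f in findings:
            print(f"  <{f.tag}> {f.attr}={f.value!r} [{f.kind}]")
```

Running the block against a real Wicket page's rendered HTML (for instance the output saved from a browser) gives a quick inventory of what would break the moment 'unsafe-inline' is dropped; the same nonce the server emits on `<script nonce>`/`<style nonce>` must appear in the page's `Content-Security-Policy` header for the "after" form to actually be allowed.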