[ https://issues.apache.org/jira/browse/WICKET-6724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17015380#comment-17015380 ]

Emond Papegaaij commented on WICKET-6724:
-----------------------------------------

Removal of the href will break styling of many applications. This can be fixed 
with a CSS class and updated styling, but I'd rather go for a less invasive 
solution. It is not possible to whitelist a href with javascript: via a hash. 
In CSP3 this can be done, but requires {{unsafe-hashes}}, which is unsafe.

Rather than changing the href to do nothing, why not prevent it from being 
called in the first place? We can put href="#" and set 
AjaxRequestAttributes.setPreventDefault(true).

> CSP: Inline Javascript in AjaxLink
> ----------------------------------
>
>                 Key: WICKET-6724
>                 URL: https://issues.apache.org/jira/browse/WICKET-6724
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>            Reporter: Emond Papegaaij
>            Priority: Major
>
> org.apache.wicket.ajax.markup.html.*AjaxLink*#onComponentTag : should rather 
> completely remove the href, potentially some css class like 
> `wicket-ajax-link` could be added
> {code:java}
> if (tagName.equalsIgnoreCase("a") || tagName.equalsIgnoreCase("link") ||
>       tagName.equalsIgnoreCase("area"))
> {
>       // disable any href attr in markup
>       tag.put("href", "javascript:;");
> }
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
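
The alternative proposed in the comment above (href="#" plus AjaxRequestAttributes.setPreventDefault(true)), written as a subclass; this is an added example, not part of the original message and not Wicket's own code. The class name CspFriendlyAjaxLink is hypothetical, and the overrides assume a Wicket version in which AjaxLink exposes onComponentTag and updateAjaxAttributes as overridable methods.

```java
import org.apache.wicket.ajax.attributes.AjaxRequestAttributes;
import org.apache.wicket.ajax.markup.html.AjaxLink;
import org.apache.wicket.markup.ComponentTag;

/**
 * Hypothetical AjaxLink variant that renders no javascript: URL, so the page
 * does not need 'unsafe-inline' or 'unsafe-hashes' in its CSP for the link.
 * Subclasses still implement onClick(AjaxRequestTarget) as usual.
 */
public abstract class CspFriendlyAjaxLink<T> extends AjaxLink<T>
{
	private static final long serialVersionUID = 1L;

	public CspFriendlyAjaxLink(String id)
	{
		super(id);
	}

	@Override
	protected void onComponentTag(ComponentTag tag)
	{
		// Let the base class run first; for a, link and area tags it
		// writes href="javascript:;" (the code quoted in the issue).
		super.onComponentTag(tag);

		// Replace only the javascript: placeholder. A disabled link, or a
		// tag that never received an href, is left untouched.
		String href = tag.getAttribute("href");
		if (href != null && href.startsWith("javascript:"))
		{
			// Keeps the attribute, so a[href] styling still applies.
			tag.put("href", "#");
		}
	}

	@Override
	protected void updateAjaxAttributes(AjaxRequestAttributes attributes)
	{
		super.updateAjaxAttributes(attributes);
		// Stop the browser from following "#" (scroll to top, fragment
		// added to the URL) when the Ajax click handler fires.
		attributes.setPreventDefault(true);
	}
}
```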
