[ https://issues.apache.org/jira/browse/WICKET-6687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17017867#comment-17017867 ]

Emond Papegaaij commented on WICKET-6687:
-----------------------------------------

[~svenmeier] I'd consider them a bug from the perspective of CSP. With a strict 
CSP enabled, these places will break. In the global picture, you could say 
enabling a strict CSP is an improvement, thus these findings are improvements 
as well.

Why is this making your clients nervous? These bugs are all on 9, which hasn't 
been released yet. The bug is not in 8, because there the script CSP is not yet 
supported.

> Cleanup the code from attribute inline styles and attribute inline scripts
> --------------------------------------------------------------------------
>
>                 Key: WICKET-6687
>                 URL: https://issues.apache.org/jira/browse/WICKET-6687
>             Project: Wicket
>          Issue Type: Task
>          Components: wicket-core
>            Reporter: Andrew Kondratev
>            Priority: Major
>
> Another issue for improving Wicket's Content Security Policy (CSP) 
> compatibility is an abundance of attribute inline styles and scripts, such 
> as style="display: none", onclick="doSomething()", and 
> href="javascript:doSomething();". All these could be easily replaced with 
> appropriate nonced inline scripts and styles or references to predefined css 
> classes and js functions.
> h2. Examples
> org.apache.wicket.ajax.markup.html.*AjaxLink*#onComponentTag : should rather 
> completely remove the href, potentially some css class like 
> `wicket-ajax-link` could be added
> {code:java}
> if (tagName.equalsIgnoreCase("a") || tagName.equalsIgnoreCase("link") ||
>       tagName.equalsIgnoreCase("area"))
> {
>       // disable any href attr in markup
>       tag.put("href", "javascript:;");
> }
> {code}
> org.apache.wicket.*Component*#renderPlaceholderTag : should rather add some 
> special css class, or javascript which can set display none programmatically 
> (and can also be nonced)
> {code:java}
> response.write("<");
> response.write(name);
> response.write(" id=\"");
> response.write(getAjaxRegionMarkupId());
> response.write("\" style=\"display:none\" data-wicket-placeholder=\"\"></");
> response.write(name);
> response.write(">");
> {code}
> (org.apache.wicket.extensions.ajax.markup.html.AjaxIndicatorAppender#afterRender has the same issue)
> org.apache.wicket.markup.html.form.Form#appendDefaultButtonField : this piece 
> is just ridiculous to have in 2019
> {code:java}
> buffer.append(String.format(
>     "<div style=\"width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden\" class=\"%s\">",
>     cssClass));
> {code}
> org.apache.wicket.markup.html.form.Form#appendDefaultButtonField
> {code:java}
> buffer.append(defaultSubmittingComponent.getInputName());
> buffer.append("\" onclick=\" var b=document.getElementById('");
> buffer.append(submittingComponent.getMarkupId());
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
