[
https://issues.apache.org/jira/browse/WICKET-6731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028530#comment-17028530
]
ASF subversion and git services commented on WICKET-6731:
---------------------------------------------------------
Commit ce974d51251db9a77c97debbf13a501b21b723d5 in wicket's branch
refs/heads/csp from Emond Papegaaij
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=ce974d5 ]
WICKET-6731: Use OnEventHeaderItem to render event bindings
> CSP: inline JS in SubmitLink
> ----------------------------
>
> Key: WICKET-6731
> URL: https://issues.apache.org/jira/browse/WICKET-6731
> Project: Wicket
> Issue Type: Improvement
> Components: wicket-core
> Affects Versions: 9.0.0-M4
> Reporter: Emond Papegaaij
> Assignee: Emond Papegaaij
> Priority: Major
> Fix For: 9.0.0-M5
>
>
> {{org.apache.wicket.markup.html.formSubmitLink}} uses inline Javascript in
> two places.
> The href attribute is replaced with empty JS. This will cause a CSP
> violation. A different solution needs to be found. Probably via a JS event
> handler that calls {{event.preventDefault()}}.
> {code:java}
> tag.put("href", "javascript:;");
> {code}
> The trigger javascript is rendered as onclick. This needs to be an event
> handler.
> {code:java}
> tag.put("onclick", getTriggerJavaScript());
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
