[ https://issues.apache.org/jira/browse/WICKET-6687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emond Papegaaij resolved WICKET-6687.
-------------------------------------
    Fix Version/s: 9.0.0-M5
         Assignee: Emond Papegaaij
       Resolution: Fixed

> Cleanup the code from attribute inline styles and attribute inline scripts
> --------------------------------------------------------------------------
>
>                 Key: WICKET-6687
>                 URL: https://issues.apache.org/jira/browse/WICKET-6687
>             Project: Wicket
>          Issue Type: Task
>          Components: wicket-core
>            Reporter: Andrew Kondratev
>            Assignee: Emond Papegaaij
>            Priority: Major
>             Fix For: 9.0.0-M5
>
>
> Another issue for improving Wicket's Content Security Policy (CSP)
> compatibility is an abundance of attribute inline styles and scripts, such
> as style="display: none", onclick="doSomething()", and
> href="javascript:doSomething();". All these could be easily replaced with
> appropriate nonced inline scripts and styles or references to predefined css
> classes and js functions.
> h2. Examples
> org.apache.wicket.ajax.markup.html.*AjaxLink*#onComponentTag : should rather 
> completely remove the href, potentially some css class like 
> `wicket-ajax-link` could be added
> {code:java}
> if (tagName.equalsIgnoreCase("a") || tagName.equalsIgnoreCase("link") ||
>       tagName.equalsIgnoreCase("area"))
> {
>       // disable any href attr in markup
>       tag.put("href", "javascript:;");
> }
> {code}
> org.apache.wicket.*Component*#renderPlaceholderTag : should rather add some 
> special css class, or javascript which can set display none programmatically 
> (and can also be nonced)
> {code:java}
> response.write("<");
> response.write(name);
> response.write(" id=\"");
> response.write(getAjaxRegionMarkupId());
> response.write("\" style=\"display:none\" data-wicket-placeholder=\"\"></");
> response.write(name);
> response.write(">");
> {code}
> (org.apache.wicket.extensions.ajax.markup.html.AjaxIndicatorAppender#afterRender has the same issue)
> org.apache.wicket.markup.html.form.Form#appendDefaultButtonField : this piece 
> is just ridiculous to have in 2019
> {code:java}
> buffer.append(String.format("<div style=\"width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden\" class=\"%s\">", cssClass));
> {code}
> org.apache.wicket.markup.html.form.Form#appendDefaultButtonField
> {code:java}
> buffer.append(defaultSubmittingComponent.getInputName());
> buffer.append("\" onclick=\" var b=document.getElementById('");
> buffer.append(submittingComponent.getMarkupId());
> {code}
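
As an added illustration (not Wicket code and not part of the issue): a small Python scanner that flags the three inline constructs the report names (style attributes, on* handlers, javascript: URLs) in rendered markup, plus a rendering of the placeholder tag that relies on a css class and a nonced stylesheet instead of style="display:none". The markup samples are constructed to mirror what the quoted snippets emit; the `wicket-placeholder` class name and the nonce value are assumptions.

```python
# Added example, not Wicket code: flag CSP-hostile inline attributes in
# rendered markup and render the placeholder tag without them.
from html.parser import HTMLParser

# Constructed samples mirroring what the quoted Wicket snippets emit.
AJAX_LINK = '<a id="link1" href="javascript:;">go</a>'
PLACEHOLDER = '<div id="c1" style="display:none" data-wicket-placeholder=""></div>'
DEFAULT_BUTTON = (
    '<div style="width:0px;height:0px;position:absolute;left:-100px;top:-100px;'
    'overflow:hidden" class="default-btn">'
    '<input type="submit" name="btn" onclick=" var b=document.getElementById(\'b1\')">'
    '</div>'
)


class InlineFinder(HTMLParser):
    """Collects (tag, attribute) pairs that a CSP without 'unsafe-inline'
    blocks: style="...", on* event handlers, and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name == "style" or name.startswith("on"):
                self.hits.append((tag, name))
            elif name in ("href", "src", "action") and value.startswith("javascript:"):
                self.hits.append((tag, name))


def find_inline_violations(markup):
    """Return the inline-attribute violations found in a markup fragment."""
    finder = InlineFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits


def placeholder_tag(name, markup_id, nonce):
    """CSP-friendly placeholder: the hidden state comes from an assumed
    'wicket-placeholder' class, defined once in a nonced <style> the page
    emits, instead of style="display:none" repeated on every tag."""
    rule = f'<style nonce="{nonce}">.wicket-placeholder{{display:none}}</style>'
    tag = (f'<{name} id="{markup_id}" class="wicket-placeholder" '
           f'data-wicket-placeholder=""></{name}>')
    return rule + tag
```

Run `find_inline_violations` over a page's rendered output to locate the markup a strict CSP would block before enabling it.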



--
This message was sent by Atlassian Jira
(v8.3.4#803005)