Alexandre created WICKET-6938:
---------------------------------
Summary: wicket-autocomplete.js not CSP compliant
Key: WICKET-6938
URL: https://issues.apache.org/jira/browse/WICKET-6938
Project: Wicket
Issue Type: Bug
Components: wicket-extensions
Affects Versions: 9.6.0
Reporter: Alexandre
While upgrading from wicket 8 to 9.6 we are trying to implement CSP. We also
use the autocompletebehavior. This in turn call wicket-autocomplete.js
(wicket-extensions\src\main\java\org\apache\wicket\extensions\ajax\markup\html\autocomplete).
This js file contains "handleSelection" function trying to "eval(attr.value)"
throwing a CSP 'unsafe-eval' exception.
So the autocomplete textfield will display choices, but won't handle user
selection.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
