[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant

Martin Tzvetanov Grigorov (Jira) Thu, 02 Dec 2021 00:42:18 -0800


    [ 
https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452240#comment-17452240
 ]


Martin Tzvetanov Grigorov commented on WICKET-6938:
---------------------------------------------------

Some comments at 
https://github.com/apache/wicket/commit/7724a8b#commitcomment-61225205

> wicket-autocomplete.js not CSP compliant
> ----------------------------------------
>
>                 Key: WICKET-6938
>                 URL: https://issues.apache.org/jira/browse/WICKET-6938
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-extensions
>    Affects Versions: 9.6.0
>            Reporter: Alexandre
>            Priority: Major
>
> While upgrading from wicket 8 to 9.6 we are trying to implement CSP. We also 
> use the autocompletebehavior. This in turn call wicket-autocomplete.js 
> (wicket-extensions\src\main\java\org\apache\wicket\extensions\ajax\markup\html\autocomplete).
> This js file contains "handleSelection" function trying to "eval(attr.value)" 
> throwing a CSP 'unsafe-eval' exception.
> So the autocomplete textfield will display choices, but won't handle user 
> selection.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant

Reply via email to