This is an automated email from the ASF dual-hosted git repository.
bitstorm pushed a commit to branch wicket-8.x
in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/wicket-8.x by this push:
new 21a938e00b Wicket 8.x security fixes (#1451)
21a938e00b is described below
commit 21a938e00b2cf4643ef845aa766bd4bec62304fd
Author: pedrosans <[email protected]>
AuthorDate: Sat May 9 14:07:19 2026 -0300
Wicket 8.x security fixes (#1451)
* Changing session id after binding.
* Added JS sanitazing and and fix for PackageResource
---------
Co-authored-by: Andrea Del Bene <[email protected]>
---
.../authentication/AuthenticatedWebSession.java | 1 +
.../wicket/core/util/string/JavaScriptUtils.java | 20 +++
.../wicket/markup/html/link/ExternalLink.java | 3 +-
.../org/apache/wicket/markup/html/link/Link.java | 2 +-
.../wicket/markup/html/link/PopupSettings.java | 7 +-
.../wicket/request/resource/PackageResource.java | 54 +++------
.../core/util/string/JavaScriptUtilsTest.java | 8 ++
.../wicket/markup/html/PackageResourceTest.java | 58 ++++++++-
.../markup/html/link/ClientSideImageMapTest.java | 76 ++++++------
.../wicket/markup/html/link/ExternalLinkTest.java | 135 +++++++++++++--------
.../snake_case/TestPageInsideSnakeCasePackage.html | 11 ++
.../TestPageInsideSnakeCasePackage.java} | 61 ++++------
.../apache/wicket/markup/html/snake_case/style.css | 0
.../autocomplete/AbstractAutoCompleteRenderer.java | 3 +-
.../AbstractAutoCompleteRendererTest.java | 65 ++++++++++
15 files changed, 334 insertions(+), 170 deletions(-)
diff --git
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
index 3fa0aad982..b0f1df7c9a 100644
---
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
+++
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
@@ -71,6 +71,7 @@ public abstract class AuthenticatedWebSession extends
AbstractAuthenticatedWebSe
}
else if (authenticated && signedIn.compareAndSet(false, true))
{
+ changeSessionId();
bind();
}
return authenticated;
diff --git
a/wicket-core/src/main/java/org/apache/wicket/core/util/string/JavaScriptUtils.java
b/wicket-core/src/main/java/org/apache/wicket/core/util/string/JavaScriptUtils.java
index 8e4d042cd1..03a30bb62a 100644
---
a/wicket-core/src/main/java/org/apache/wicket/core/util/string/JavaScriptUtils.java
+++
b/wicket-core/src/main/java/org/apache/wicket/core/util/string/JavaScriptUtils.java
@@ -95,6 +95,26 @@ public class JavaScriptUtils
return s;
}
+ /**
+ * Escape single and double quotes so that they can be part of e.g. an
alert call.
+ *
+ * Note: JSON values need to escape only the double quote, so this
method wont help.
+ *
+ * @param input
+ * the JavaScript which needs to be escaped
+ * @return Escaped version of the input
+ */
+ public static CharSequence escapeQuotesAndBackslash(final CharSequence
input)
+ {
+ CharSequence s = input;
+ if (s != null)
+ {
+ s = Strings.replaceAll(s, "\\", "\\\\");
+ s = escapeQuotes(s);
+ }
+ return s;
+ }
+
/**
* Write a reference to a javascript file to the response object
*
diff --git
a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
index e37799bab7..6526c38b72 100644
---
a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
+++
b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
@@ -16,6 +16,7 @@
*/
package org.apache.wicket.markup.html.link;
+import org.apache.wicket.core.util.string.JavaScriptUtils;
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
@@ -193,7 +194,7 @@ public class ExternalLink extends AbstractLink
// generate a popup script by asking
popup settings for one
if (popupSettings != null)
{
- popupSettings.setTarget("'" +
url + "'");
+ popupSettings.setTarget(url);
String popupScript =
popupSettings.getPopupJavaScript();
tag.put("onclick", popupScript);
}
diff --git
a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/Link.java
b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/Link.java
index b7b303ccb7..fd2816efd5 100644
--- a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/Link.java
+++ b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/Link.java
@@ -385,7 +385,7 @@ public abstract class Link<T> extends AbstractLink
implements IRequestListener,
// generate a popup script by asking popup
settings for one
if (popupSettings != null)
{
- popupSettings.setTarget("'" + url +
"'");
+ popupSettings.setTarget(url.toString());
String popupScript =
popupSettings.getPopupJavaScript();
tag.put("onclick", popupScript);
}
diff --git
a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/PopupSettings.java
b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/PopupSettings.java
index 82dc08f82f..e62b3e01be 100644
---
a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/PopupSettings.java
+++
b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/PopupSettings.java
@@ -16,6 +16,7 @@
*/
package org.apache.wicket.markup.html.link;
+import org.apache.wicket.core.util.string.JavaScriptUtils;
import org.apache.wicket.util.io.IClusterable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -155,8 +156,10 @@ public class PopupSettings implements IClusterable
windowTitle = windowTitle.replaceAll("\\W", "_");
}
- StringBuilder script = new StringBuilder("var w = window.open(" +
target + ", '").append(
- windowTitle).append("', '");
+ StringBuilder script = new StringBuilder(//
+ "var w = window.open('"//
+ + JavaScriptUtils.escapeQuotes(target) //
+ + "', '").append(windowTitle).append("', '");
script.append("scrollbars=").append(flagToString(SCROLLBARS));
script.append(",location=").append(flagToString(LOCATION_BAR));
diff --git
a/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResource.java
b/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResource.java
index e1ace3a127..78bb33d75c 100644
---
a/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResource.java
+++
b/wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResource.java
@@ -16,17 +16,6 @@
*/
package org.apache.wicket.request.resource;
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.Serializable;
-import java.nio.charset.Charset;
-import java.nio.charset.StandardCharsets;
-import java.util.Locale;
-import java.util.Objects;
-
-import javax.servlet.http.HttpServletResponse;
-
import org.apache.wicket.Application;
import org.apache.wicket.IWicketInternalException;
import org.apache.wicket.Session;
@@ -46,7 +35,6 @@ import org.apache.wicket.response.StringResponse;
import org.apache.wicket.util.io.IOUtils;
import org.apache.wicket.util.lang.Classes;
import org.apache.wicket.util.lang.Packages;
-import org.apache.wicket.util.resource.IFixedLocationResourceStream;
import org.apache.wicket.util.resource.IResourceStream;
import org.apache.wicket.util.resource.ResourceStreamNotFoundException;
import org.apache.wicket.util.resource.ResourceStreamWrapper;
@@ -55,6 +43,16 @@ import org.apache.wicket.util.time.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import javax.servlet.http.HttpServletResponse;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Serializable;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.util.Locale;
+import java.util.Objects;
+
/**
* Represents a localizable static resource.
* <p>
@@ -557,38 +555,18 @@ public class PackageResource extends AbstractResource
implements IStaticCacheabl
private IResourceStream internalGetResourceStream(final String style,
final Locale locale)
{
+ if (!accept(absolutePath))
+ {
+ throw new PackageResourceBlockedException(
+ "Access denied to (static) package resource " +
absolutePath + ". See IPackageResourceGuard");
+ }
+
IResourceStreamLocator resourceStreamLocator = Application.get()
.getResourceSettings()
.getResourceStreamLocator();
IResourceStream resourceStream =
resourceStreamLocator.locate(getScope(), absolutePath,
style, variation, locale, null, false);
- String realPath = absolutePath;
- if (resourceStream instanceof IFixedLocationResourceStream)
- {
- realPath =
((IFixedLocationResourceStream)resourceStream).locationAsString();
- if (realPath != null)
- {
- int index = realPath.indexOf(absolutePath);
- if (index != -1)
- {
- realPath = realPath.substring(index);
- }
- }
- else
- {
- realPath = absolutePath;
- }
-
- }
-
- if (accept(realPath) == false)
- {
- throw new PackageResourceBlockedException(
- "Access denied to (static) package resource " +
absolutePath +
- ". See IPackageResourceGuard");
- }
-
if (resourceStream != null)
{
resourceStream = new
ProcessingResourceStream(resourceStream);
diff --git
a/wicket-core/src/test/java/org/apache/wicket/core/util/string/JavaScriptUtilsTest.java
b/wicket-core/src/test/java/org/apache/wicket/core/util/string/JavaScriptUtilsTest.java
index 1c7f5c499a..33b29b1d7b 100644
---
a/wicket-core/src/test/java/org/apache/wicket/core/util/string/JavaScriptUtilsTest.java
+++
b/wicket-core/src/test/java/org/apache/wicket/core/util/string/JavaScriptUtilsTest.java
@@ -17,9 +17,12 @@
package org.apache.wicket.core.util.string;
import org.apache.wicket.response.StringResponse;
+import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Test;
+import static org.hamcrest.CoreMatchers.is;
+
/**
* @since 1.5.7
*/
@@ -89,4 +92,9 @@ public class JavaScriptUtilsTest extends Assert
JavaScriptUtils.SCRIPT_OPEN_TAG);
assertEquals("\n/*]]>*/\n</script>\n",
JavaScriptUtils.SCRIPT_CLOSE_TAG);
}
+
+ @Test
+ public void escapeQuotesAndBackslash(){
+
assertThat(JavaScriptUtils.escapeQuotesAndBackslash("alert('foo\\tbar')"),
is("alert(\\'foo\\\\tbar\\')"));
+ }
}
diff --git
a/wicket-core/src/test/java/org/apache/wicket/markup/html/PackageResourceTest.java
b/wicket-core/src/test/java/org/apache/wicket/markup/html/PackageResourceTest.java
index 63d6b6a25b..8d5fc14031 100644
---
a/wicket-core/src/test/java/org/apache/wicket/markup/html/PackageResourceTest.java
+++
b/wicket-core/src/test/java/org/apache/wicket/markup/html/PackageResourceTest.java
@@ -16,11 +16,11 @@
*/
package org.apache.wicket.markup.html;
-import java.util.Locale;
-
import org.apache.wicket.Application;
import org.apache.wicket.SharedResources;
+import org.apache.wicket.markup.html.snake_case.TestPageInsideSnakeCasePackage;
import org.apache.wicket.protocol.http.WebApplication;
+import org.apache.wicket.protocol.https.HttpPage;
import org.apache.wicket.request.resource.JavaScriptPackageResource;
import org.apache.wicket.request.resource.PackageResource;
import org.apache.wicket.request.resource.PackageResourceReference;
@@ -30,6 +30,9 @@ import org.apache.wicket.util.tester.WicketTestCase;
import org.junit.Before;
import org.junit.Test;
+import java.util.Locale;
+
+
/**
* Tests for package resources.
*
@@ -189,4 +192,55 @@ public class PackageResourceTest extends WicketTestCase
final String contentType =
tester.getLastResponse().getContentType();
assertEquals("text/javascript; charset=" + encoding,
contentType);
}
+
+ @Test
+ public void getResourceStream()
+ {
+ PackageResource resource = new
PackageResourceReference(PackageResourceTest.class,
+ "packaged1.txt").getResource();
+ assertNotNull(resource.getResourceStream());
+ }
+
+ @Test(expected = PackageResource.PackageResourceBlockedException.class)
+ public void dontGetResourceStream()
+ {
+ PackageResource resource = new
PackageResourceReference(HttpPage.class,
+ "HttpPage.html").getResource();
+ resource.getResourceStream();
+ }
+
+ @Test(expected = PackageResource.PackageResourceBlockedException.class)
+ public void dontGetResourceStreamIfNameHasSuffix()
+ {
+ PackageResource resource = new
PackageResourceReference(HttpPage.class,
+ "HttpPage_en.html").getResource();
+ resource.getResourceStream();
+ }
+
+ @Test
+ public void getResourceStreamInSnakeCasePackage()
+ {
+ PackageResource resource = new PackageResourceReference(
+ TestPageInsideSnakeCasePackage.class,
"style.css").getResource();
+ assertNotNull(resource.getResourceStream());
+ }
+
+ @Test(expected = PackageResource.PackageResourceBlockedException.class)
+ public void dontGetResourceStreamInSnakeCasePackage()
+ {
+ PackageResource resource = new PackageResourceReference(
+ TestPageInsideSnakeCasePackage.class,
+ "TestPageInsideSnakeCasePackage.html").getResource();
+ resource.getResourceStream();
+ }
+
+ @Test(expected = PackageResource.PackageResourceBlockedException.class)
+ public void dontGetResourceStreamInSnakeCasePackageIfNameHasSuffix()
+ {
+ PackageResource resource = new PackageResourceReference(
+ TestPageInsideSnakeCasePackage.class,
+ "TestPageInsideSnakeCasePackage_en.html").getResource();
+ resource.getResourceStream();
+ }
+
}
diff --git
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
b/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
index 4396371ecb..7df70ba519 100644
---
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
+++
b/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
@@ -1,38 +1,38 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.wicket.markup.html.link;
-
-import java.util.Locale;
-
-import org.apache.wicket.util.tester.WicketTestCase;
-import org.junit.Test;
-
-/**
- * @since 1.5
- */
-public class ClientSideImageMapTest extends WicketTestCase
-{
- /**
- * @throws Exception
- */
- @Test
- public void testRenderClientSideImageMapPage_1() throws Exception
- {
- tester.getSession().setLocale(Locale.US);
- executeTest(ClientSideImageMapPage_1.class,
"ClientSideImageMapPageExpectedResult_1.html");
- }
-}
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.markup.html.link;
+
+import java.util.Locale;
+
+import org.apache.wicket.util.tester.WicketTestCase;
+import org.junit.Test;
+
+/**
+ * @since 1.5
+ */
+public class ClientSideImageMapTest extends WicketTestCase
+{
+ /**
+ * @throws Exception
+ */
+ @Test
+ public void testRenderClientSideImageMapPage_1() throws Exception
+ {
+ tester.getSession().setLocale(Locale.US);
+ executeTest(ClientSideImageMapPage_1.class,
"ClientSideImageMapPageExpectedResult_1.html");
+ }
+}
\ No newline at end of file
diff --git
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ExternalLinkTest.java
b/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ExternalLinkTest.java
index 2093da6235..c37c56b730 100644
---
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ExternalLinkTest.java
+++
b/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ExternalLinkTest.java
@@ -1,49 +1,86 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.wicket.markup.html.link;
-
-import org.apache.wicket.util.tester.WicketTestCase;
-import org.junit.Test;
-
-/**
- * Test ExternalLink (href="...")
- *
- * <a href="https://issues.apache.org/jira/browse/WICKET-1016";></<a>
- */
-public class ExternalLinkTest extends WicketTestCase
-{
- /**
- * @throws Exception
- */
- @Test
- public void renderExternalLink_1() throws Exception
- {
-
tester.getApplication().getMarkupSettings().setAutomaticLinking(true);
- executeTest(ExternalLinkPage_1.class,
"ExternalLinkPageExpectedResult_1.html");
- }
-
- /**
- * @throws Exception
- */
- @Test
- public void renderExternalLink_2() throws Exception
- {
-
tester.getApplication().getMarkupSettings().setAutomaticLinking(true);
- executeTest(ExternalLinkPage_2.class,
"ExternalLinkPageExpectedResult_2.html");
- }
-
-}
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.markup.html.link;
+
+import org.apache.wicket.MockPageWithOneComponent;
+import org.apache.wicket.markup.ComponentTag;
+import org.apache.wicket.util.tester.WicketTestCase;
+import org.junit.Test;
+
+import static org.apache.wicket.MockPageWithOneComponent.COMPONENT_ID;
+import static org.hamcrest.CoreMatchers.containsString;
+
+/**
+ * Test ExternalLink (href="...")
+ *
+ * <a href="https://issues.apache.org/jira/browse/WICKET-1016";></<a>
+ */
+public class ExternalLinkTest extends WicketTestCase
+{
+
+ @Test
+ public void allowsJavascriptScheme() throws Exception
+ {
+ String uri = "javascript:alert(1)";
+ MockPageWithOneComponent page = new MockPageWithOneComponent();
+ page.add(new ExternalLink(COMPONENT_ID, uri){
+ @Override
+ protected void onComponentTag(ComponentTag tag)
+ {
+ super.onComponentTag(tag);
+ tag.setName("a");
+ }
+ });
+
+ tester.startPage(page);
+
+ assertThat(tester.getLastResponseAsString(),
containsString(uri));
+ }
+
+ @Test
+ public void allowsJavascriptSchemeInPopupTarget() throws Exception
+ {
+ String uri = "javascript:alert(1)";
+ MockPageWithOneComponent page = new MockPageWithOneComponent();
+ page.add(new ExternalLink(COMPONENT_ID, uri));
+
+ tester.startPage(page);
+
+ assertThat(tester.getLastResponseAsString(),
containsString(uri));
+ }
+
+ /**
+ * @throws Exception
+ */
+ @Test
+ public void renderExternalLink_1() throws Exception
+ {
+
tester.getApplication().getMarkupSettings().setAutomaticLinking(true);
+ executeTest(ExternalLinkPage_1.class,
"ExternalLinkPageExpectedResult_1.html");
+ }
+
+ /**
+ * @throws Exception
+ */
+ @Test
+ public void renderExternalLink_2() throws Exception
+ {
+
tester.getApplication().getMarkupSettings().setAutomaticLinking(true);
+ executeTest(ExternalLinkPage_2.class,
"ExternalLinkPageExpectedResult_2.html");
+ }
+
+}
diff --git
a/wicket-core/src/test/java/org/apache/wicket/markup/html/snake_case/TestPageInsideSnakeCasePackage.html
b/wicket-core/src/test/java/org/apache/wicket/markup/html/snake_case/TestPageInsideSnakeCasePackage.html
new file mode 100644
index 0000000000..ea75f28073
--- /dev/null
+++
b/wicket-core/src/test/java/org/apache/wicket/markup/html/snake_case/TestPageInsideSnakeCasePackage.html
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html>
+<html xmlns:wicket="http://wicket.apache.org";>
+<head>
+ <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/>
+ <title>Test Page</title>
+</head>
+<body>
+none
+</body>
+</html>
diff --git
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
b/wicket-core/src/test/java/org/apache/wicket/markup/html/snake_case/TestPageInsideSnakeCasePackage.java
similarity index 61%
copy from
wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
copy to
wicket-core/src/test/java/org/apache/wicket/markup/html/snake_case/TestPageInsideSnakeCasePackage.java
index 4396371ecb..ee3288eaa8 100644
---
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
+++
b/wicket-core/src/test/java/org/apache/wicket/markup/html/snake_case/TestPageInsideSnakeCasePackage.java
@@ -1,38 +1,23 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.wicket.markup.html.link;
-
-import java.util.Locale;
-
-import org.apache.wicket.util.tester.WicketTestCase;
-import org.junit.Test;
-
-/**
- * @since 1.5
- */
-public class ClientSideImageMapTest extends WicketTestCase
-{
- /**
- * @throws Exception
- */
- @Test
- public void testRenderClientSideImageMapPage_1() throws Exception
- {
- tester.getSession().setLocale(Locale.US);
- executeTest(ClientSideImageMapPage_1.class,
"ClientSideImageMapPageExpectedResult_1.html");
- }
-}
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.markup.html.snake_case;
+
+import org.apache.wicket.markup.html.WebPage;
+
+public class TestPageInsideSnakeCasePackage extends WebPage
+{
+}
diff --git
a/wicket-core/src/test/java/org/apache/wicket/markup/html/snake_case/style.css
b/wicket-core/src/test/java/org/apache/wicket/markup/html/snake_case/style.css
new file mode 100644
index 0000000000..e69de29bb2
diff --git
a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
index d6d3bef92d..d7af7cc356 100644
---
a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
+++
b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
@@ -16,6 +16,7 @@
*/
package org.apache.wicket.extensions.ajax.markup.html.autocomplete;
+import org.apache.wicket.core.util.string.JavaScriptUtils;
import org.apache.wicket.request.Response;
import org.apache.wicket.util.string.Strings;
@@ -50,7 +51,7 @@ public abstract class AbstractAutoCompleteRenderer<T>
implements IAutoCompleteRe
final CharSequence handler =
getOnSelectJavaScriptExpression(object);
if (handler != null)
{
- response.write(" onselect=\"" + handler + '"');
+ response.write(" onselect=\"" +
Strings.escapeMarkup(handler) + '"');
}
response.write(">");
renderChoice(object, response, criteria);
diff --git
a/wicket-extensions/src/test/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRendererTest.java
b/wicket-extensions/src/test/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRendererTest.java
new file mode 100644
index 0000000000..59e80ab651
--- /dev/null
+++
b/wicket-extensions/src/test/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRendererTest.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.extensions.ajax.markup.html.autocomplete;
+
+import org.apache.wicket.mock.MockWebResponse;
+import org.apache.wicket.request.Response;
+import org.apache.wicket.util.tester.WicketTestCase;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+public class AbstractAutoCompleteRendererTest extends WicketTestCase
+{
+ @Test
+ void escapeOnselectJSExpression()
+ {
+ var renderer = new Renderer("alert('hello');");
+ MockWebResponse response = new MockWebResponse();
+ renderer.render("foo", response, null);
+ Assertions.assertTrue(response.getTextResponse().toString()
+ .contains("<li textvalue=\"foo\"
onselect=\"alert('hello');\">foo</li>"));
+ }
+
+ static class Renderer extends AbstractAutoCompleteRenderer<String>
+ {
+
+ final String expression;
+
+ Renderer(String expression)
+ {
+ this.expression = expression;
+ }
+
+ @Override
+ protected CharSequence getOnSelectJavaScriptExpression(String
item)
+ {
+ return expression;
+ }
+
+ @Override
+ protected void renderChoice(String object, Response response,
String criteria)
+ {
+ response.write(object);
+ }
+
+ @Override
+ protected String getTextValue(String object)
+ {
+ return object;
+ }
+ }
+}
