This is an automated email from the ASF dual-hosted git repository.
pedrosans pushed a commit to branch wicket-8.x
in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/wicket-8.x by this push:
new a8df9def42 Removing security changes not impacting Wicket 8
a8df9def42 is described below
commit a8df9def426ef2ffe8bde90e7518c7af6d5fca0e
Author: Pedro Santos <[email protected]>
AuthorDate: Sat May 9 14:55:44 2026 -0300
Removing security changes not impacting Wicket 8
---
.../wicket/core/util/string/JavaScriptUtils.java | 20 ----
.../wicket/markup/html/link/ExternalLink.java | 3 +-
.../org/apache/wicket/markup/html/link/Link.java | 2 +-
.../wicket/markup/html/link/PopupSettings.java | 7 +-
.../core/util/string/JavaScriptUtilsTest.java | 8 --
.../markup/html/link/ClientSideImageMapTest.java | 76 +++++++--------
.../wicket/markup/html/link/ExternalLinkTest.java | 12 +++
.../apache/wicket/markup/html/link/LinkTest.java | 105 +++++++++++++++++++++
8 files changed, 159 insertions(+), 74 deletions(-)
diff --git
a/wicket-core/src/main/java/org/apache/wicket/core/util/string/JavaScriptUtils.java
b/wicket-core/src/main/java/org/apache/wicket/core/util/string/JavaScriptUtils.java
index 03a30bb62a..8e4d042cd1 100644
---
a/wicket-core/src/main/java/org/apache/wicket/core/util/string/JavaScriptUtils.java
+++
b/wicket-core/src/main/java/org/apache/wicket/core/util/string/JavaScriptUtils.java
@@ -95,26 +95,6 @@ public class JavaScriptUtils
return s;
}
- /**
- * Escape single and double quotes so that they can be part of e.g. an
alert call.
- *
- * Note: JSON values need to escape only the double quote, so this
method wont help.
- *
- * @param input
- * the JavaScript which needs to be escaped
- * @return Escaped version of the input
- */
- public static CharSequence escapeQuotesAndBackslash(final CharSequence
input)
- {
- CharSequence s = input;
- if (s != null)
- {
- s = Strings.replaceAll(s, "\\", "\\\\");
- s = escapeQuotes(s);
- }
- return s;
- }
-
/**
* Write a reference to a javascript file to the response object
*
diff --git
a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
index 6526c38b72..e37799bab7 100644
---
a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
+++
b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
@@ -16,7 +16,6 @@
*/
package org.apache.wicket.markup.html.link;
-import org.apache.wicket.core.util.string.JavaScriptUtils;
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
@@ -194,7 +193,7 @@ public class ExternalLink extends AbstractLink
// generate a popup script by asking
popup settings for one
if (popupSettings != null)
{
- popupSettings.setTarget(url);
+ popupSettings.setTarget("'" +
url + "'");
String popupScript =
popupSettings.getPopupJavaScript();
tag.put("onclick", popupScript);
}
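Review bot: The new `popupSettings.setTarget("'" + url + "'")` on line 79 embeds `url` inside a single-quoted JavaScript literal, while nothing on the new side escapes a `'` or `\` occurring in it (the removed side relied on `escapeQuotes` inside PopupSettings for that); Link.java line 98 uses the same construction. Whether a quote can actually reach this point in Wicket 8 depends on where `url` comes from, which is not visible in the hunk, and the commit title only asserts that the change does not impact Wicket 8 without recording why. A comment above line 79 would at least make the new division of responsibility explicit: `// PopupSettings emits target verbatim: pass a complete, quoted JS expression`. The enclosing onComponentTag body starts and ends outside the hunk.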
diff --git
a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/Link.java
b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/Link.java
index fd2816efd5..b7b303ccb7 100644
--- a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/Link.java
+++ b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/Link.java
@@ -385,7 +385,7 @@ public abstract class Link<T> extends AbstractLink
implements IRequestListener,
// generate a popup script by asking popup
settings for one
if (popupSettings != null)
{
- popupSettings.setTarget(url.toString());
+ popupSettings.setTarget("'" + url +
"'");
String popupScript =
popupSettings.getPopupJavaScript();
tag.put("onclick", popupScript);
}
diff --git
a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/PopupSettings.java
b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/PopupSettings.java
index e62b3e01be..82dc08f82f 100644
---
a/wicket-core/src/main/java/org/apache/wicket/markup/html/link/PopupSettings.java
+++
b/wicket-core/src/main/java/org/apache/wicket/markup/html/link/PopupSettings.java
@@ -16,7 +16,6 @@
*/
package org.apache.wicket.markup.html.link;
-import org.apache.wicket.core.util.string.JavaScriptUtils;
import org.apache.wicket.util.io.IClusterable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -156,10 +155,8 @@ public class PopupSettings implements IClusterable
windowTitle = windowTitle.replaceAll("\\W", "_");
}
- StringBuilder script = new StringBuilder(//
- "var w = window.open('"//
- + JavaScriptUtils.escapeQuotes(target) //
- + "', '").append(windowTitle).append("', '");
+ StringBuilder script = new StringBuilder("var w = window.open(" +
target + ", '").append(
+ windowTitle).append("', '");
script.append("scrollbars=").append(flagToString(SCROLLBARS));
script.append(",location=").append(flagToString(LOCATION_BAR));
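Review bot: `target` is now concatenated verbatim into `window.open(` on lines 126-127, which changes the contract of `setTarget` — the argument must already be a complete JavaScript expression, quoted and escaped by the caller — but the setter and its Javadoc sit outside this hunk and nothing in the change records that. Suggest adding to `setTarget` the Javadoc `@param target a complete JavaScript expression (for example a quoted, escaped string literal); it is inserted unmodified into the generated script`. As a point of style, mixing string concatenation inside the `StringBuilder` constructor with chained `append` calls on lines 126-128 reads unevenly; `new StringBuilder("var w = window.open(").append(target).append(", '").append(windowTitle).append("', '")` keeps one form throughout. The enclosing method continues outside the hunk.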
diff --git
a/wicket-core/src/test/java/org/apache/wicket/core/util/string/JavaScriptUtilsTest.java
b/wicket-core/src/test/java/org/apache/wicket/core/util/string/JavaScriptUtilsTest.java
index 33b29b1d7b..1c7f5c499a 100644
---
a/wicket-core/src/test/java/org/apache/wicket/core/util/string/JavaScriptUtilsTest.java
+++
b/wicket-core/src/test/java/org/apache/wicket/core/util/string/JavaScriptUtilsTest.java
@@ -17,12 +17,9 @@
package org.apache.wicket.core.util.string;
import org.apache.wicket.response.StringResponse;
-import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Test;
-import static org.hamcrest.CoreMatchers.is;
-
/**
* @since 1.5.7
*/
@@ -92,9 +89,4 @@ public class JavaScriptUtilsTest extends Assert
JavaScriptUtils.SCRIPT_OPEN_TAG);
assertEquals("\n/*]]>*/\n</script>\n",
JavaScriptUtils.SCRIPT_CLOSE_TAG);
}
-
- @Test
- public void escapeQuotesAndBackslash(){
-
assertThat(JavaScriptUtils.escapeQuotesAndBackslash("alert('foo\\tbar')"),
is("alert(\\'foo\\\\tbar\\')"));
- }
}
diff --git
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
b/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
index 7df70ba519..4396371ecb 100644
---
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
+++
b/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ClientSideImageMapTest.java
@@ -1,38 +1,38 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.wicket.markup.html.link;
-
-import java.util.Locale;
-
-import org.apache.wicket.util.tester.WicketTestCase;
-import org.junit.Test;
-
-/**
- * @since 1.5
- */
-public class ClientSideImageMapTest extends WicketTestCase
-{
- /**
- * @throws Exception
- */
- @Test
- public void testRenderClientSideImageMapPage_1() throws Exception
- {
- tester.getSession().setLocale(Locale.US);
- executeTest(ClientSideImageMapPage_1.class,
"ClientSideImageMapPageExpectedResult_1.html");
- }
-}
\ No newline at end of file
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.markup.html.link;
+
+import java.util.Locale;
+
+import org.apache.wicket.util.tester.WicketTestCase;
+import org.junit.Test;
+
+/**
+ * @since 1.5
+ */
+public class ClientSideImageMapTest extends WicketTestCase
+{
+ /**
+ * @throws Exception
+ */
+ @Test
+ public void testRenderClientSideImageMapPage_1() throws Exception
+ {
+ tester.getSession().setLocale(Locale.US);
+ executeTest(ClientSideImageMapPage_1.class,
"ClientSideImageMapPageExpectedResult_1.html");
+ }
+}
diff --git
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ExternalLinkTest.java
b/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ExternalLinkTest.java
index c37c56b730..035fbcd1bb 100644
---
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ExternalLinkTest.java
+++
b/wicket-core/src/test/java/org/apache/wicket/markup/html/link/ExternalLinkTest.java
@@ -63,6 +63,18 @@ public class ExternalLinkTest extends WicketTestCase
assertThat(tester.getLastResponseAsString(),
containsString(uri));
}
+ @Test
+ public void escapesJavascriptQuotes() throws Exception
+ {
+ String unescaped = "javascript:alert('foo')";
+ MockPageWithOneComponent page = new MockPageWithOneComponent();
+ page.add(new ExternalLink(COMPONENT_ID, unescaped));
+
+ tester.startPage(page);
+
+ assertThat(tester.getLastResponseAsString(),
containsString("javascript:alert('foo')"));
+ }
+
/**
* @throws Exception
*/
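Review bot: The test added on lines 263-274 is named `escapesJavascriptQuotes` but its assertion on lines 272-273 checks that the unescaped text `javascript:alert('foo')` is present in the response, so the name states the opposite of what is verified; a name such as `rendersHrefQuotesUnescaped` would match the assertion. It also constructs the ExternalLink without any `PopupSettings`, so the `setTarget` line changed in ExternalLink.java is not reached by this test — only the href rendering is covered. A blank line between the closing brace on line 262 and the `@Test` on line 263 would match the layout of the surrounding tests.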
diff --git
a/wicket-core/src/test/java/org/apache/wicket/markup/html/link/LinkTest.java
b/wicket-core/src/test/java/org/apache/wicket/markup/html/link/LinkTest.java
new file mode 100644
index 0000000000..8aa0f9aab1
--- /dev/null
+++ b/wicket-core/src/test/java/org/apache/wicket/markup/html/link/LinkTest.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.markup.html.link;
+
+import org.apache.wicket.MockPageWithLink;
+import org.apache.wicket.MockPageWithOneComponent;
+import org.apache.wicket.markup.ComponentTag;
+import org.apache.wicket.markup.MarkupException;
+import org.apache.wicket.util.tester.WicketTestCase;
+import org.junit.Assert;
+import org.junit.Test;
+
+import static org.apache.wicket.MockPageWithOneComponent.COMPONENT_ID;
+
+public class LinkTest extends WicketTestCase
+{
+
+ @Test
+ public void allowsJavascriptSchemeInPopupsTarget()
+ {
+ String uri = "javascript:alert(1);";
+ MockPageWithOneComponent page = new MockPageWithOneComponent();
+ page.add(new PopupLink(COMPONENT_ID, uri));
+
+ tester.startPage(page);
+
+
Assert.assertTrue(tester.getLastResponseAsString().contains(uri));
+ }
+
+ @Test
+ public void escapesJavascriptQuotesInPopupsTarget()
+ {
+ String uri = "javascript:alert('foo');";
+ MockPageWithOneComponent page = new MockPageWithOneComponent();
+ page.add(new PopupLink(COMPONENT_ID, uri));
+
+ tester.startPage(page);
+
+
assertTrue(tester.getLastResponseAsString().contains("javascript:alert('foo');"));
+ }
+
+ @Test(expected = MarkupException.class)
+ public void testWrongComponentId()
+ {
+ MockPageWithLink mockPageWithLink = new MockPageWithLink();
+ Link<Void> link = new Link<Void>("linkx")
+ {
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public void onClick()
+ {
+ }
+
+ };
+
+ mockPageWithLink.add(link);
+ tester.startPage(mockPageWithLink);
+ }
+
+ static class PopupLink extends Link<Void>
+ {
+ private final String uri;
+
+ public PopupLink(String id, String uri)
+ {
+ super(id);
+ this.uri = uri;
+ setPopupSettings(new PopupSettings());
+ }
+
+ @Override
+ public void onClick()
+ {
+ }
+
+ @Override
+ protected void onComponentTag(ComponentTag tag)
+ {
+ super.onComponentTag(tag);
+ tag.setName("a");
+ }
+
+ @Override
+ protected CharSequence getURL()
+ {
+ return uri;
+ }
+ }
+
+}
\ No newline at end of file
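Review bot: `escapesJavascriptQuotesInPopupsTarget` (lines 331-342) asserts that the unescaped `javascript:alert('foo');` appears in the response, contradicting its own name; naming it after the behaviour it pins, e.g. `passesPopupTargetThroughUnescaped`, keeps the test honest about what this revert does. The two popup tests also mix `Assert.assertTrue` (line 328) with the inherited `assertTrue` (line 341); one form should be used throughout. Neither test inspects the generated `onclick` attribute specifically — a check such as `contains("window.open('javascript:alert('foo');'")` would tie the assertion to the PopupSettings output rather than to the href. The file ends without a trailing newline (line 394) and the class has no Javadoc summary, unlike the sibling tests in this package.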