andruhon commented on issue #378: WICKET-6688 add RFC support (to avoid unsafe eval)
URL: https://github.com/apache/wicket/pull/378#issuecomment-524776052

@svenmeier please have a look at the proof of concept in my last commit. Generally the issue is in the header item being evaluated instead of added to the head, so what I did is make all header contributions in Ajax render these header items; I also added nonce support to the JS. Essentially this can be used to replace all evals (as a legacy support feature).

I don't think this approach is optimal, and ideally components should keep their JS in a JS file, similar to what we do with properties and HTML files. These JS files will be rendered as header items and later used with some JS initialisation callback, or maybe with a standard function.

Do you think it's the right direction?

cc @martin-g @solomax
