On Wednesday, 3 January 2024 5:35:42 AM AEDT Torben Barsballe wrote:
> Wicket 9 upgrade
>
> https://github.com/geoserver/geoserver/pull/7154
>
> Need to collect all pages and panels that need to be tested, make a list,
> and divide the list amongst participants to the testing effort. First we
> need Brad’s ok to move on.

Part of the Wicket 9 changes is a (strict) Content Security Policy. See
https://nightlies.apache.org/wicket/guide/9.x/single.html#_content_security_policy_csp

CSP could help us a lot with security. See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for what it does. The TL;DR; version is it blocks most XSS attacks.

It doesn't come for free though. We need to move or remove all the inline styling and javascript. For inline javascript, it needs to go into a "renderHead()" method. We also need to remove inline event handlers.

I would like help to do that work, although I will get some of it done soon. Please let me know if you can help.

Since this stands a pretty good chance of breaking stuff, we should defer the manual testing.

The only good news I have is that it looks like there will be automation support for getting from Wicket 9 to Wicket 10.
https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+10.0#MigrationtoWicket10.0-AddmigrationrecipestoWicket10WICKET-7029

Brad
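
An added example, not part of the original message or GeoServer's code: a small scanner that lists the inline styling, inline JavaScript and inline event handlers in a page's HTML markup, which is the material the message says has to be moved or removed for a strict CSP. The names `InlineCodeFinder` and `scan_markup` are hypothetical, and `SAMPLE` is constructed markup.

```python
from html.parser import HTMLParser

class InlineCodeFinder(HTMLParser):
    """Collects markup constructs that a CSP without 'unsafe-inline' blocks."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, kind, detail)
        self._open = None   # (tag, line) of the inline <script>/<style> being read

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on") and len(name) > 2:
                self.findings.append((line, "event-handler", f"<{tag} {name}>"))
            elif name == "style":
                self.findings.append((line, "style-attribute", f"<{tag} style>"))
            elif name in ("href", "src", "action") and url.startswith("javascript:"):
                self.findings.append((line, "javascript-url", f"<{tag} {name}>"))
        # <script src=...> loads an external file; only inline bodies are flagged.
        if tag == "style" or (tag == "script" and "src" not in dict(attrs)):
            self._open = (tag, line)

    def handle_data(self, data):
        if self._open and data.strip():
            tag, line = self._open
            self.findings.append((line, f"inline-{tag}", f"<{tag}> block"))
            self._open = None

    def handle_endtag(self, tag):
        if self._open and self._open[0] == tag:
            self._open = None

def scan_markup(html):
    """Return sorted (line, kind, detail) findings for one markup file."""
    finder = InlineCodeFinder()
    finder.feed(html)
    finder.close()
    return sorted(finder.findings)

# Constructed sample markup, not taken from GeoServer.
SAMPLE = """<html>
<head>
<style>.warn { color: red; }</style>
<script src="app.js"></script>
</head>
<body>
<a href="#" onclick="return confirm('Delete?');" wicket:id="remove">Remove</a>
<div style="display:none" wicket:id="details"></div>
<script>document.title = 'Layers';</script>
</body>
</html>
"""

if __name__ == "__main__":
    for line, kind, detail in scan_markup(SAMPLE):
        print(f"line {line}: {kind} {detail}")
```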