Hi Thorsten,
> As well I really only need to render within one and the same thread
> one after another,
that should work.
> is it safe to render recursively using ComponentRenderer within
> one and the same thread?
I assume you mean 'consecutively'? Yes, see above.
H
.renderPage" is where I would call the above additionally to
provide text- and HTML-only. From my understanding that should be
safe, because ComponentRenderer supports multiple different contexts
for app etc.:
> private T inThreadContext(Supplier supplier)
> {
> Threa
m/mtgrigorov
> >
> > On Thu, Feb 9, 2017 at 12:50 PM, daniel simko <dan.si...@gmail.com>
> wrote:
> >
> > > Hello,
> > >
> > > I would like to ask you whether there is some safe way how to display
> > html
> > > output from some ri
ps://twitter.com/mtgrigorov
>
> On Thu, Feb 9, 2017 at 12:50 PM, daniel simko <dan.si...@gmail.com> wrote:
>
> > Hello,
> >
> > I would like to ask you whether there is some safe way how to display
> html
> > output from some rich editor (e.g. TinyMCE)? In order
Hi,
Check https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov
On Thu, Feb 9, 2017 at 12:50 PM, daniel simko <dan.si...@gmail.com> wrote:
> Hello,
>
> I would like to ask you whether there i
Hello,
I would like to ask you whether there is some safe way how to display html
output from some rich editor (e.g. TinyMCE)? In order to display html it is
necessary to switch off model escaping [1] which is opening a door for XSS.
I was thinking about some converter [2] which would escape only
https://issues.apache.org/jira/browse/WICKET-5456
6.13 should be released soon.
Martin Grigorov
Wicket Training and Consulting
On Mon, Dec 23, 2013 at 4:21 PM, Jeremy Thomerson jer...@wickettraining.com
wrote:
On Sun, Dec 22, 2013 at 5:30 AM, Steve shadders@gmail.com wrote:
So what
On Sun, Dec 22, 2013 at 5:30 AM, Steve shadders@gmail.com wrote:
So what it is the best way to go about requesting a change to
wicket-core? I'm happy to fork and create a pull request etc but it
seems overkill for removing a single word from one class. Should I
create a JIRA ticket
On 19/12/13 18:45, Martin Grigorov wrote:
So far no one needed to add custom MarkupElements and that's why it is not
very easy.
You can fork Wicket and create a branch where you can make modifications to
make it easier and
later we can review the needed changes and probably apply them back
change once created.
If the developer changes the markup then the whole Markup instance is
replaced with a new one. As now.
2/ Is the per thread/class caching strategy really safe? The only way I
could think it could be broken is if it was possible for the server to
suspend a thread mid
resolving the EL expressions in the markup the only 'safe' way to do it
and stay completely transparent to wicket is to replace the original
RawMarkup with a new one... e.g.
in the EL component:
public void onRender() {
modifiableMarkup.resolve(some params);
super.onRender();
}
What it looks like
examples of: if
(element instanceof RawMarkup) do something; in wicket so when
resolving the EL expressions in the markup the only 'safe' way to do it
and stay completely transparent to wicket is to replace the original
RawMarkup with a new one... e.g.
in the EL component:
public void onRender
of safety and releasing some
resources from the backing XmlTags in the MarkupElements. Is there any
other purpose to it? i.e. can you foresee any problems with using a mutable
instance of Markup for rendering?
because it's immutable it is thread-safe. making it mutable would add a
lot of complexity
to it? i.e. can you foresee any problems with using a mutable
instance of Markup for rendering?
2/ Is the per thread/class caching strategy really safe? The only way I
could think it could be broken is if it was possible for the server to
suspend a thread mid-render cycle and give another request use
Hi
After playing around with both lambdaJ and SafeModel, here is our take
on safe property model creation (that shamelessly steals from the above
ones):
IModel<Person> p = ...
IModel<Street> pm = model(from(p).getAddress().getStreet());
or
assert(address.street, path(from(p).getAddress().getStreet
this url to determine the file's contents.
However, I'm concerned about how safe it would be to do this. To add the
shared resource I have to produce a single WebResource object. This would be
fine if the call to getResourceStream would also pass along the parameters
that have been set
is to create a shared resource and mount a url to it so I can
reference it easily. Since the PDF file is generated on-the-fly, I can also
pass a parameter through this url to determine the file's contents.
However, I'm concerned about how safe it would be to do this. To add the
shared resource I
-
From: Igor Vaynberg [mailto:igor.vaynb...@gmail.com]
Sent: terça-feira, 14 de setembro de 2010 14:22
To: users@wicket.apache.org
Subject: Re: Safe URL for a dynamic resource
you can read the parameters off the url yourself,
requestcycle.getrequest()...
-igor
On Tue, Sep 14, 2010 at 10:08 AM, Denis
the method that works,
but, out of curiosity, any idea why this happens?
Denis Souza
-Original Message-
From: Igor Vaynberg [mailto:igor.vaynb...@gmail.com]
Sent: terça-feira, 14 de setembro de 2010 14:22
To: users@wicket.apache.org
Subject: Re: Safe URL for a dynamic resource
you
As solution I can see using HttpServletRequestWrapper instead of dealing
directly with the HttpServletRequest passed by the container.
This way we can provide custom implementation of HttpServletRequestWrapper
that overrides javax.servlet.ServletRequestWrapper.getCharacterEncoding()
and if
I'm not sure if this is severe or not, but I think there's a gap in the
implicit assumptions underlying WicketFilter.checkCharacterEncoding():
It seems the author's intention was to guarantee a postcondition of
servletRequest.getCharacterEncoding() != null,
but this postcondition does not
()
{
StockQuote quote = new StockQuote("IBM");
add(new Label("stockIBM", new PropertyModel(quote, "quote")));
}
I seem to remember, that I've seen an example of a Wicket extension, which
allows me to write type safe field references. Does any one have a clue,
which extension I stumbled into or how to perform
Hi,
Perhaps this is what you're looking for?
http://code.google.com/p/bindgen-wicket/
add(new Label("state", new PropertyModel(person, "address.state.code")));
becomes
add(new Label("state", new PropertyModel(person, new
PersonBinding().address().state().code().getPath())));
Type safe and refactor
org.apache.wicket.markup.repeater.RepeatingView:content
has a non-safe child id of [STRING_SEARCHED].
Safe child ids must be composed of digits only.
The [STRING_SEARCHED] is whatever I typed in the text field (e.g.
Barcelona, Spain or Athens, Greece).
So apparently, GMap2 sets an ID somewhere using the text field's value
org.apache.wicket.markup.repeater.RepeatingView:content
has a non-safe child id of [STRING_SEARCHED].
Safe child ids must be composed of digits only.
The [STRING_SEARCHED] is whatever I typed in the text field (e.g.
Barcelona, Spain or Athens, Greece).
So apparently, GMap2 sets an ID
this message in context:
http://www.nabble.com/About-a-thread-safe-problem-of-the-WebApplication-class-tp21154813p21156901.html
Sent from the Wicket - User mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users
of the
WebApplication class is not thread safe.
The sessionDestroyed method and the addBufferedResponse method of the
WebApplication class might have to be controlled exclusively (When
these methods were declared in synchronized, the problem was
canceled
environment]
OS:AIX5.3 TL005 +WAS6.1.0.21
Java:JDK1.5.0
Wicket:wicket1.3.5
[Consideration And Question]
I think that it is a cause that the bufferedResponses instance of the
WebApplication class is not thread safe.
The sessionDestroyed method and the addBufferedResponse method
I found my problem in the end. There was an object that wasn't able to be
correctly serialized (a JFreeChart object), which threw an error that, due
to some mistake on my logging configuration I was hiding.
Anyway, once I fixed the serialization problem, now everything is being
correctly
Building a sample to show the problem has been harder than I thought.
Because on all bare-bones applications that I tried to build, the URLs end
up being different (the counter on the interface seems to be working). What
could make my larger application not increment the
Hi,
I have an application that generates different reports based on what the
user selects. The report generation page is the same, but the reports vary.
Part of the reports contain a DynamicImageResource (JFreeChart chart).
Everything works great when a user is looking at a report at a time. But
are all the urls really exactly the same?
is your pagesettings.automaticmultiwindowsupport enabled?
-igor
On Thu, Aug 14, 2008 at 10:30 AM, Michel Goldstein
[EMAIL PROTECTED] wrote:
Hi,
I have an application that generates different reports based on what the
user selects. The report
Q: are all the urls really exactly the same?
Yes, they are exactly the same
Q: is your pagesettings.automaticmultiwindowsupport enabled?
Interesting. I didn't know of such setting. But I did change it in the
application, adding:
getPageSettings().setAutomaticMultiWindowSupport(true);
but I'm
I read a different thread that is going on right now about preventing image
caching by using a NonCachingImage instead Image and seeing that it adds a
random reference to the image, I thought it might help on my problem too.
And, as far as I can tell, it actually did solve my problem too.
Should
Spoke too soon... Unfortunately the problem still seems to be there even
after I've added the NonCachingImage. This furthers the confirmation that
it's not browser caching issue, but a resource sharing problem.
Any ideas would be greatly appreciated.
Thanks,
Michel
On Thu, Aug 14, 2008 at 1:18
On Thu, 14 Aug 2008, Michel Goldstein wrote:
Spoke too soon... Unfortunately the problem still seems to be there even
after I've added the NonCachingImage. This furthers the confirmation that
it's not browser caching issue, but a resource sharing problem.
From where does the image data come
As I mentioned, I basically used what was in the twiki about JFreeChart
integration. I'll build a simple example of the problem and send it out
sometime tomorrow (USA Pacific time).
Thanks,
Michel
On Thu, Aug 14, 2008 at 7:59 PM, Timo Rantalaiho [EMAIL PROTECTED] wrote:
On Thu, 14 Aug 2008,
Hi,
Is it threadsafe and wicket safe to share static Components across multiple
instances of a Page (as well as across request threads) in wicket?
Say for example I have a BookmarkablePageLink that takes no dynamic
PageParameter arguments, can I create this as a static class member and share
(BTW I am assuming that since each component has a parent that sharing is
NOT allowed)
--
From: Joel Halbert [EMAIL PROTECTED]
Sent: Friday, June 20, 2008 9:29 AM
To: users@wicket.apache.org
Subject: Is it safe to share static components across
no
On Fri, Jun 20, 2008 at 10:29 AM, Joel Halbert [EMAIL PROTECTED] wrote:
Hi,
Is it threadsafe and wicket safe to share static Components across multiple
instances of a Page (as well as across request threads) in wicket?
Say for example I have a BookmarkablePageLink that takes no dynamic
My guess would be no, since the object hierarchy of a page is a
fundamental aspect of Wicket. I don't think that instances of Wicket
Component objects are meant to be thread-safe and shared between
different Component trees. There is all kinds of mutable data in
Component that is not meant
[EMAIL PROTECTED] wrote:
I've been told by many people that the Session object is not thread safe.
If that's true, I don't think the example can be thread safe.
RestartResponseException does not allow you to redirect to an external URL
(that's what that method does). That's why I can't use
Ok, I’ve asked this at least twice already but I’m still incredibly unsure of
how to make my webapp thread safe. So this time I thought I’d take a different
approach. I wrote on the wiki a short, unrelated example:
http://cwiki.apache.org/confluence/display/WICKET/Facebook+Integration
that looks fine
i would throw a RestartResponseException in your forcelogin method
On Jan 31, 2008 8:48 PM, Dan Kaplan [EMAIL PROTECTED] wrote:
Ok, I've asked this at least twice already but I'm still incredibly unsure
of how to make my webapp thread safe. So this time I thought I'd take
I've been told by many people that the Session object is not thread safe. If
that's true, I don't think the example can be thread safe.
RestartResponseException does not allow you to redirect to an external URL
(that's what that method does). That's why I can't use it.
-Original Message
Hi all,
I wonder if this will work:
add(new CartPanel("cart", new PropertyModel(s, "cart")));
where 's' is my app specific session, containing the method getCart() which
checks the session for an existing cart, and if not found creates one.
Is this enough to handle load/detach? Or do I have to
What would you like to detach?
What is inside that card object? I guess that's a temp storage object
of shopping items?
Do remember that getting the card object from the session isn't thread
safe! (mutating it can be done from more than one thread if different
pagemaps and so on are used)
On 1/21
ok, and if the session isn't thread safe, where do I store my temporal data?
2008/1/21, Johan Compagner [EMAIL PROTECTED]:
The session. Because the property exp is used when you ask for the value
On 1/21/08, Martijn Lindhout [EMAIL PROTECTED] wrote:
you're right. It contains a shoppingcart
you're right. It contains a shoppingcart. What is stored in the
propertymodel, the session? Or the result of evaluating the expression
s.cart - session.getCart().
And if the session isn't thread safe, where do I store my temporal data?
2008/1/21, Johan Compagner [EMAIL PROTECTED]:
What would
().
And if the session isn't thread safe, where do I store my temporal data?
2008/1/21, Johan Compagner [EMAIL PROTECTED]:
What would you like to detach?
What is inside that card object? I guess that's a temp storage object
of shopping items?
Do remember that getting the card object from
, new PropertyModel(this, session.cart
)));
Martijn
On 1/21/08, Martijn Lindhout [EMAIL PROTECTED] wrote:
ok, and if the session isn't thread safe, where do I store my temporal
data?
2008/1/21, Johan Compagner [EMAIL PROTECTED]:
The session. Because the property exp is used
On Jan 21, 2008 1:51 AM, Martijn Lindhout [EMAIL PROTECTED] wrote:
ok, and if the session isn't thread safe, where do I store my temporal data?
I think the session is a fine storage option for a shopping cart. Just
synchronize the cart itself and you're fine. Or don't; it's rather
unlikely you
authorization
strategy?
-Original Message-
From: Igor Vaynberg [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 12, 2008 10:31 AM
To: users@wicket.apache.org; [EMAIL PROTECTED]
Subject: Re: Type safe roles for AUTH-ROLES?
wicket-auth-roles is just an example. it's not really meant
:[EMAIL PROTECTED]
Sent: Saturday, January 12, 2008 10:31 AM
To: users@wicket.apache.org; [EMAIL PROTECTED]
Subject: Re: Type safe roles for AUTH-ROLES?
wicket-auth-roles is just an example. it's not really meant to be
something you drop into your application, for that there is
wicketstuff-wasp
and allow me to move on to the actual content of my
webapp. Am I going to be kicking myself later for that choice?
-Original Message-
From: Igor Vaynberg [mailto:[EMAIL PROTECTED]
Sent: Monday, January 14, 2008 1:55 PM
To: users@wicket.apache.org
Subject: Re: Type safe roles for AUTH
To: users@wicket.apache.org
Subject: Re: Type safe roles for AUTH-ROLES?
In my opinion there is nothing 'wrong' with auth-roles. but they are
limited in scope. Fortunately the code base is really small so it
wouldn't take that much effort to roll your own based on that code.
That said, I think
Message-
From: Igor Vaynberg [mailto:[EMAIL PROTECTED]
Sent: Monday, January 14, 2008 1:55 PM
To: users@wicket.apache.org
Subject: Re: Type safe roles for AUTH-ROLES?
heh. it is a functional example of a fully implemented authorization
strategy. but it doesn't have any fancy features, nor
for a comparison between auth-roles and swarm/wasp, take a look at
http://wicketstuff.org/confluence/display/STUFFWIKI/Security+Framework+Comparison
gerolf
On Jan 14, 2008 11:14 PM, C. Bergström [EMAIL PROTECTED] wrote:
On Mon, 2008-01-14 at 13:51 -0800, Dan Kaplan wrote:
What? Really?
, January 14, 2008 2:15 PM
To: users@wicket.apache.org
Subject: RE: Type safe roles for AUTH-ROLES?
On Mon, 2008-01-14 at 13:51 -0800, Dan Kaplan wrote:
What? Really? F***. Can you please elaborate? Did I waste every second
of the time I spent looking at the examples on wicketstuff? I applied
I have several successful Wicket projects going, and in all have used my own
authorization strategy based on annotations. I'm just trying
wicket-auth-roles for my next project, but seem confused by the apparent
String-only roles. I already have a domain model where a User has a Role or
Role(s),
wicket-auth-roles is just an example. it's not really meant to be
something you drop into your application, for that there is
wicketstuff-wasp and wicketstuff-swarm
-igor
On Jan 12, 2008 9:14 AM, Jeremy Thomerson [EMAIL PROTECTED] wrote:
I have several successful Wicket projects going, and in
62 matches