Re: Is there an equivalent for ResourceReference in wicket 6

2014-01-30 Thread Heshani
Thanks it worked!

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Is-there-an-equivalent-for-ResourceReference-in-wicket-6-tp4664014p4664083.html
Sent from the Users forum mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Using "AjaxRequestTarget" with parent/child page

2014-01-30 Thread fmoriguchi
Hi,

I would like to share the solution I used for this case.

I used some of the solutions proposed by Martin and Simon:
- Using the event mechanism to pass the "selected object" and
"AjaxRequestTarget" child page to parent page.
- With the "selected object" to update the model of the parent page is done.
- With the "AjaxRequestTarget", I created a custom event in javascript for
the child page may notify the parent page.
 
Javascript Example:

dispatcher: "window.opener.$(window.opener.document).trigger('notifywindowopener')..."
listener: "$(document).on('notifywindowopener', function () {});".

- On the father page an "AjaxEventBehavior" is added for the custom event.
(Example: add(new AjaxEventBehavior("notifywindowopener") ...)
- That way I could upgrade the components of the parent page.

I do not know if it is the best solution, but it was what I thought of at the time.

Thank you very much for your help.


Martin Grigorov-4 wrote
> On Tue, Jan 28, 2014 at 8:49 PM, fmoriguchi <fmoriguchi@> wrote:
> 
>> Hi all,
>>
>> Simon, I tried this solution, as follows:
>>
>> - The child page raises the event. (IEventSource).
>> - The parent page listens for the event (IEventSink).
>> - The parent page receive through the event to instance of
>> "AjaxRequestTarget."
>>
>> However, when using the method "add" of the "AjaxRequestTarget" instance,
>> the update does not occur because the "AjaxRequestTarget" instance of the
>> child page, not the parent page.
>> That way he can not find the correct update for "markupId".
>>
>> I'll try a different way, maybe, force the update by behavior using
>> javascript.
>>
> 
> Here is another way:
> - pass a PageReference of the parent page to the child page
> - in the child page use that page reference to update the parent page
> - in the parent page use Ajax timer behavior that will update it when there
> is something new
> 
> Not as optimal as websockets but very simple to implement.
> 
> 
>>
>>
>> Thanks all
>>
>>
>> --
>> View this message in context:
>> http://apache-wicket.1842946.n4.nabble.com/Using-AjaxRequestTarget-with-parent-child-page-tp4663996p4664008.html
>> Sent from the Users forum mailing list archive at Nabble.com.
>>



--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Using-AjaxRequestTarget-with-parent-child-page-tp4663996p4664082.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: How to handle dependent properties with FormComponents

2014-01-30 Thread Edgar Merino

Thank you.

On 28/11/13 01:58, Martin Grigorov wrote:

Hi,

See AbstractFormValidator.
Use any of the provided implementations of this class as inspiration.


On Thu, Nov 28, 2013 at 9:48 AM, Edgar Merino  wrote:


Hello, I have a class that defines 2 properties that depend on each other
(start and end dates). Currently, I have to provide getters and setters for
this properties and then call a validator method inside
Form#onValidateModelObjects(). It would be preferable to just provide the
getters and a single method to set and validate the 2 dependent properties.

Is there a way to accomplish this?
Thanks in advance.
Edgar Merino




Re: onchange event always being fired before onclick event

2014-01-30 Thread Paul Bors
Btw, your use-case sounds strange.

Why would you refresh what's in focus via some other's tag onChange?
Why not just simply refresh whatever component lost focus whenever its
onChange is fired?

On Thu, Jan 30, 2014 at 3:37 PM, Paul Bors  wrote:

> What makes you think that the only way to focus on something is by
> clicking on it?
>
> I would approach your problem from a different angle. I would ask the
> browser to give me whatever has the focus via document.activeElement:
> https://developer.mozilla.org/en-US/docs/Web/API/document.activeElement
> http://msdn.microsoft.com/en-us/library/ie/ms533065(v=vs.85).aspx
>
> Or simply use the focus selector in jQuery:
> http://api.jquery.com/focus-selector/
>
>
> On Thu, Jan 30, 2014 at 2:15 PM, Rafael Barrera Oro wrote:
>
>> Hello everyone!
>>
>> I'm trying to maintain the focus of the last component that was clicked
>> regardless of the refresh of part of the page when certain text field
>> changes. The problem I have is that the onchange event is always fired
>> before the onclick method, and this causes that the latter is either fired
>> over the wrong component or not fired at all, is there a way to delay the
>> onchange event until after the onclick event takes place?
>>
>> My goal is to use the onclick event to save the id of the clicked
>> component, then let the onchange event do its thing (refresh a part of the
>> page which maybe includes the clicked component).
>>
>> Has anyone achieved something similar and/or has any ideas?
>>
>> Thanks in advance!
>> Rafael
>>
>
>


Re: onchange event always being fired before onclick event

2014-01-30 Thread Paul Bors
What makes you think that the only way to focus on something is by clicking
on it?

I would approach your problem from a different angle. I would ask the
browser to give me whatever has the focus via document.activeElement:
https://developer.mozilla.org/en-US/docs/Web/API/document.activeElement
http://msdn.microsoft.com/en-us/library/ie/ms533065(v=vs.85).aspx

Or simply use the focus selector in jQuery:
http://api.jquery.com/focus-selector/


On Thu, Jan 30, 2014 at 2:15 PM, Rafael Barrera Oro wrote:

> Hello everyone!
>
> I'm trying to maintain the focus of the last component that was clicked
> regardless of the refresh of part of the page when certain text field
> changes. The problem I have is that the onchange event is always fired
> before the onclick method, and this causes that the latter is either fired
> over the wrong component or not fired at all, is there a way to delay the
> onchange event until after the onclick event takes place?
>
> My goal is to use the onclick event to save the id of the clicked
> component, then let the onchange event do its thing (refresh a part of the
> page which maybe includes the clicked component).
>
> Has anyone achieved something similar and/or has any ideas?
>
> Thanks in advance!
> Rafael
>


Re: Singleton for empty models

2014-01-30 Thread Paul Bors
n/m as I wrote this e-mail I realized that I don't need a
FormComponentPanel and going with a simple Panel is all I have to do.

Sorry for the noise...


On Thu, Jan 30, 2014 at 2:41 PM, Paul Bors  wrote:

> Btw, in my use-case I extend FormComponentPanel since if I were to
> set its panel to null or a compound property one, I would have to change my
> model object to include the wicket id for the FormComponentPanel itself and
> then go to the fields I need.
>
> Inside my panel I wrapped what I needed in PropertyModels.
>
>
> On Thu, Jan 30, 2014 at 2:34 PM, Paul Bors  wrote:
>
>> While I have re-usable panels, I don't want them to look up the component
>> tree hierarchy for a compound property model.
>>
>>
>>
>> So I end up creating a lot of empty models such as:
>>
>> super(id, new Model());
>>
>>
>>
>> How do you guys manage your empty models?
>>
>> Won't it make sense to have a Model.EMPTY_INSTANCE or similar?
>>
>>
>>
>> Of course I can have Spring or some other DI handle that empty instance
>> as a singleton, but I am curious as to how other users solve this problem?
>>
>
>


Re: Singleton for empty models

2014-01-30 Thread Paul Bors
Btw, in my use-case I extend FormComponentPanel since if I were to
set its panel to null or a compound property one, I would have to change my
model object to include the wicket id for the FormComponentPanel itself and
then go to the fields I need.

Inside my panel I wrapped what I needed in PropertyModels.


On Thu, Jan 30, 2014 at 2:34 PM, Paul Bors  wrote:

> While I have re-usable panels, I don't want them to look up the component
> tree hierarchy for a compound property model.
>
>
>
> So I end up creating a lot of empty models such as:
>
> super(id, new Model());
>
>
>
> How do you guys manage your empty models?
>
> Won't it make sense to have a Model.EMPTY_INSTANCE or similar?
>
>
>
> Of course I can have Spring or some other DI handle that empty instance as
> a singleton, but I am curious as to how other users solve this problem?
>


Singleton for empty models

2014-01-30 Thread Paul Bors
While I have re-usable panels, I don't want them to look up the component
tree hierarchy for a compound property model.



So I end up creating a lot of empty models such as:

super(id, new Model());



How do you guys manage your empty models?

Won't it make sense to have a Model.EMPTY_INSTANCE or similar?



Of course I can have Spring or some other DI handle that empty instance as
a singleton, but I am curious as to how other users solve this problem?


onchange event always being fired before onclick event

2014-01-30 Thread Rafael Barrera Oro
Hello everyone!

I'm trying to maintain the focus of the last component that was clicked
regardless of the refresh of part of the page when certain text field
changes. The problem I have is that the onchange event is always fired
before the onclick method, and this causes that the latter is either fired
over the wrong component or not fired at all, is there a way to delay the
onchange event until after the onclick event takes place?

My goal is to use the onclick event to save the id of the clicked
component, then let the onchange event do its thing (refresh a part of the
page which maybe includes the clicked component).

Has anyone achieved something similar and/or has any ideas?

Thanks in advance!
Rafael


wicket session and wildfly

2014-01-30 Thread miguel
i'm running wildfly cr1 and wicket 6.13 in a fairly simple web application
that uses a subclass of AuthenticatedWebSession that looks a bit like this:


public class WebSession extends AuthenticatedWebSession {
    private static final Logger log = Logger.getLogger(WebSession.class);
    private static final long serialVersionUID = 3L;

    private ObjectId userId;
    transient private User user;

    transient private Token twitterToken;
    transient private OAuthService twitterService;
    transient private Token googleToken;
    transient private OAuthService googleService;
    ...
}

with just the methods taken out.

i find that when i redeploy a different war file -- but the session object
is unchanged -- sessions on wildfly fail to deserialize. i get the following
error:


2014-01-30 07:18:13,965 ERROR
[org.infinispan.interceptors.InvocationContextInterceptor]
(SessionExpirationScheduler - 1) ISPN000136: Execution error:
org.infinispan.commons.CacheListenerException: ISPN000280: Caught exception
[java.lang
.IllegalArgumentException] while invoking method [public void
org.wildfly.clustering.web.infinispan.session.InfinispanSessionManager.activated(org.infinispan.notifications.cachelistener.event.CacheEntryActivatedEvent)]
on listener instan
ce:
org.wildfly.clustering.web.infinispan.session.InfinispanSessionManager@288f08b2
at
org.infinispan.notifications.AbstractListenerImpl$ListenerInvocation$1.run(AbstractListenerImpl.java:211)
at
org.infinispan.util.concurrent.WithinThreadExecutor.execute(WithinThreadExecutor.java:22)
at
org.infinispan.notifications.AbstractListenerImpl$ListenerInvocation.invoke(AbstractListenerImpl.java:229)
at
org.infinispan.notifications.AbstractListenerImpl$ListenerInvocation.invoke(AbstractListenerImpl.java:192)
at
org.infinispan.notifications.cachelistener.CacheNotifierImpl.notifyCacheEntryActivated(CacheNotifierImpl.java:355)
at
org.infinispan.interceptors.ActivationInterceptor.sendNotification(ActivationInterceptor.java:109)
at
org.infinispan.interceptors.CacheLoaderInterceptor.recordLoadedEntry(CacheLoaderInterceptor.java:325)
at
org.infinispan.interceptors.CacheLoaderInterceptor.loadIfNeeded(CacheLoaderInterceptor.java:278)
at
org.infinispan.interceptors.ActivationInterceptor.loadIfNeeded(ActivationInterceptor.java:86)
at
org.infinispan.interceptors.CacheLoaderInterceptor.loadIfNeededAndUpdateStats(CacheLoaderInterceptor.java:335)
at
org.infinispan.interceptors.CacheLoaderInterceptor.visitGetKeyValueCommand(CacheLoaderInterceptor.java:105)
at
org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
...
Caused by: java.lang.IllegalArgumentException:
java.io.InvalidClassException: com.mypackage.WebSession; Module load failed
at
org.wildfly.clustering.web.infinispan.session.MarshalledValueSessionAttributeMarshaller.read(MarshalledValueSessionAttributeMarshaller.java:48)
at
org.wildfly.clustering.web.infinispan.session.MarshalledValueSessionAttributeMarshaller.read(MarshalledValueSessionAttributeMarshaller.java:33)
at
org.wildfly.clustering.web.infinispan.session.coarse.CoarseImmutableSessionAttributes.getAttributes(CoarseImmutableSessionAttributes.java:46)
at
org.wildfly.clustering.web.infinispan.session.coarse.CoarseImmutableSessionAttributes.getAttributeNames(CoarseImmutableSessionAttributes.java:51)
at
org.wildfly.clustering.web.infinispan.session.InfinispanSessionManager.findListeners(InfinispanSessionManager.java:381)
at
org.wildfly.clustering.web.infinispan.session.InfinispanSessionManager.triggerPostActivationEvents(InfinispanSessionManager.java:370)
at
org.wildfly.clustering.web.infinispan.session.InfinispanSessionManager.activated(InfinispanSessionManager.java:272)
at sun.reflect.GeneratedMethodAccessor108.invoke(Unknown Source)
[:1.7.0_25]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.7.0_25]
at java.lang.reflect.Method.invoke(Method.java:606)
[rt.jar:1.7.0_25]
at
org.infinispan.notifications.AbstractListenerImpl$ListenerInvocation$1.run(AbstractListenerImpl.java:207)
... 58 more
Caused by: java.io.InvalidClassException: com.mypackage.WebSession; Module
load failed
at
org.jboss.marshalling.ModularClassResolver.resolveClass(ModularClassResolver.java:108)
at
org.jboss.marshalling.river.RiverUnmarshaller.doReadClassDescriptor(RiverUnmarshaller.java:947)
at
org.jboss.marshalling.river.RiverUnmarshaller.doReadNewObject(RiverUnmarshaller.java:1243)
at
org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:276)
...
... 68 more
Caused by: org.jboss.modules.ModuleNotFoundException:
deployment.files-01-29_215042.war:main
at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:

Re: Is there an equivalent for ResourceReference in wicket 6

2014-01-30 Thread thomas


Try this:


container.getHeaderResponse().render(JavaScriptHeaderItem.forReference(
    // ResourceReference is abstract in Wicket 6, so a concrete subclass is needed
    new JavaScriptResourceReference(FansTable.class, "fanspage.js")));



On 29.01.2014 07:00, Heshani wrote:
I'm migrating wicket from 1.4 to 6.13. Read that the ResourceReference class
has been removed in 1.5 version.
Does anyone know whether there is an equivalent to achieve the same
functionality?

 container.getHeaderResponse().renderJavascriptReference(
new ResourceReference(FansTable.class, "fanspage.js"));


--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/Is-there-an-equivalent-for-ResourceReference-in-wicket-6-tp4664014.html
Sent from the Users forum mailing list archive at Nabble.com.




Is there an equivalent for ResourceReference in wicket 6

2014-01-30 Thread Heshani
I'm migrating wicket from 1.4 to 6.13. Read that the ResourceReference class
has been removed in 1.5 version. 
Does anyone know whether there is an equivalent to achieve the same
functionality? 

 container.getHeaderResponse().renderJavascriptReference(
new ResourceReference(FansTable.class, "fanspage.js"));

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Is-there-an-equivalent-for-ResourceReference-in-wicket-6-tp4664014.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: Capture client side logs and improve your apps

2014-01-30 Thread Martijn Dashorst
Speaking of which... The technology radar disapproves of JSF and similar
frameworks (i.e. server side component oriented frameworks):

> We continue to see teams run into trouble using JSF -- JavaServer Faces
> -- and are recommending you avoid this technology. Teams seem to choose
> JSF because it is a J2EE standard without really evaluating whether the
> programming model suits them. We think JSF is flawed because it tries
> to abstract away HTML, CSS and HTTP, exactly the reverse of what modern
> web frameworks do. JSF, like ASP.NET webforms, attempts to create
> statefulness on top of the stateless protocol HTTP and ends up causing
> a whole host of problems involving shared server-side state. We are
> aware of the improvements in JSF 2.0, but think the model is
> fundamentally broken. We recommend teams use simple frameworks and
> embrace and understand web technologies including HTTP, HTML and CSS.

While they open with a clear message: don't use JSF, it is actually a jab
at Wicket, Tapestry, et al.

I don't agree with them (other than that Wicket/JSF/Tapestry are no golden
hammer): I still think the model is valid for many use cases. Especially
large and complex applications is where Wicket really shines: reuse, proper
abstractions, state management, back button support to name a few which are
hard to achieve with "simple frameworks": we did that in 2004, did not like
it, still have state management issues haunting us today.

Martijn



On Thu, Jan 30, 2014 at 12:15 PM, Martin Grigorov wrote:

> Hi,
>
> At
>
> http://wicketinaction.com/2014/01/capture-javascript-errors-and-log-them-at-the-server/ I
> posted a short article about something recommended by ThoughtWorks'
> radar 
>
>
> Martin Grigorov
> Wicket Training and Consulting
>



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com


Re: AjaxLazyLoadPanel loading asynchronously

2014-01-30 Thread Martin Grigorov
Hi,

Create a panel that has as a child an image (the busy indicator).
Add a timer behavior to this panel and check whether the slow operation is
done and replace the image with another component that renders the new data:

public void onTimer(AjaxRequestTarget target) {
    Data newData = getNewData();
    if (newData != null) {
        // the slow operation is done: swap the busy indicator for the real component
        NewComponent c = new NewComponent(image.getId(), newData);
        image.replaceWith(c);
        target.add(c);
    } else {
        // target.appendJavaScript("still waiting ...");
    }
}

Martin Grigorov
Wicket Training and Consulting


On Thu, Jan 30, 2014 at 12:02 PM, vp143  wrote:

> Ernesto Reinaldo Barreiro-4 wrote
> > Hi,
> >
> > I remember Igor posted an example of a non-blocking lazy load panel (long
> > time ago). As far as I remember all it did was:
> >
> > 1-Check if results were ready; if so render the panel
> > 2-If not then schedule a timer to poll the panel again
> >
> > Regards - Ernesto Reinaldo Barreiro
>
> Does anyone have a link to this post as I cannot find it?
> Regards, V
>
>
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/AjaxLazyLoadPanel-loading-asynchronously-tp4664035p4664063.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
>
>


Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi Bas,

Thank you for the reference, I forgot this one. I updated the code.

Thank you for reference. It's better with StringResourceModel... :D

On 30/01/14 11:22, Bas Gooren wrote:

Hi!

You can also replace your Label's model with a StringResourceModel.

See 
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/model/StringResourceModel.html


Kind regards,

Bas Gooren

Gonzalo Aguilar Delgado wrote on 30-1-2014 11:17:

Hi Martin,

This is how I've done it.

label = new Label("message", getString("main.message", new Model(authSession.getUser())));

label.setOutputMarkupId(true);


And in the MainTmsPage.properties I have:

main.message=Hello ${realName}. Welcome to the Technoactivity Payment Solutions main page.



And it worked!


On 30/01/14 10:03, Martin Grigorov wrote:

Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,

I'm building an application for a client and my security advisor told me
about a XSS attack that can be performed on the site.

When user logs-in I welcome them by saying "Hello user".


 
 Hello ${realName}.


How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello .
Together with: page.add(new Label("realName", "Some Name"));



 Welcome to the Synapse web.
 
 


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better solution.


Can you point me to right one?



Best regards,









Capture client side logs and improve your apps

2014-01-30 Thread Martin Grigorov
Hi,

At
http://wicketinaction.com/2014/01/capture-javascript-errors-and-log-them-at-the-server/ I
posted a short article about something recommended by ThoughtWorks'
radar 


Martin Grigorov
Wicket Training and Consulting


Re: AjaxLazyLoadPanel loading asynchronously

2014-01-30 Thread vp143
Peter Henderson wrote
> You could try native web sockets. Get your worker threads to broadcast a
> message to the page, it ends up being very similar to an ajax update.
> 
> Peter Henderson

Thanks for the tip Peter, but as I understand it, Web Sockets is not
production ready so I would prefer to stay away from it as REST
functionality would be heavily used area on the website.

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/AjaxLazyLoadPanel-loading-asynchronously-tp4664035p4664064.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: AjaxLazyLoadPanel loading asynchronously

2014-01-30 Thread vp143
Ernesto Reinaldo Barreiro-4 wrote
> Hi,
> 
> I remember Igor posted an example of a non-blocking lazy load panel (long
> time ago). As far as I remember all it did was:
> 
> 1-Check if results were ready; if so render the panel
> 2-If not then schedule a timer to poll the panel again
> 
> Regards - Ernesto Reinaldo Barreiro

Does anyone have a link to this post as I cannot find it?
Regards, V


--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/AjaxLazyLoadPanel-loading-asynchronously-tp4664035p4664063.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Bas Gooren

Hi!

You can also replace your Label's model with a StringResourceModel.

See 
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/model/StringResourceModel.html


Kind regards,

Bas Gooren

Gonzalo Aguilar Delgado wrote on 30-1-2014 11:17:

Hi Martin,

This is how I've done it.

label = new Label("message", getString("main.message", new Model(authSession.getUser())));

label.setOutputMarkupId(true);


And in the MainTmsPage.properties I have:

main.message=Hello ${realName}. Welcome to the Technoactivity Payment Solutions main page.



And it worked!


On 30/01/14 10:03, Martin Grigorov wrote:

Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,

I'm building an application for a client and my security advisor told me
about a XSS attack that can be performed on the site.

When user logs-in I welcome them by saying "Hello user".


 
 Hello ${realName}.


How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello .
Together with: page.add(new Label("realName", "Some Name"));



 Welcome to the Synapse web.
 
 


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better solution.


Can you point me to right one?



Best regards,












Re: Which is recomended way to implemen an editable repeating view

2014-01-30 Thread cosmindumy
Thanks for your reply. 
Now is clear the difference between all repeater implementations. 
The solution was actually very simple. I used property model which
automatically updates the object after processing form. 
I just wanted to update a bean.
Regards.

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Which-is-recomended-way-to-implemen-an-editable-repeating-view-tp4664028p4664059.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi Paul,

you were right!!!

I did

label.setEscapeModelStrings(false);

in code. So I can show  bold text...

That was my fault!

Best regards,

On 29/01/14 21:29, Paul Bors wrote:

No need, Wicket escapes your model objects, see
Component#setEscapeModelStrings(true) for when HTML should be escaped and
thus the browser won't execute it as HTML or JS.
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)

That is on by default, so you should switch to using a wicket model for
your label.

See the bottom section 11.1 "What is a model?" of the wicket free guide at:
http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action:
http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html


On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,

I'm building an application for a client and my security advisor told me
about a XSS attack that can be performed on the site.

When user logs-in I welcome them by saying "Hello user".


 
 Hello ${realName}.
 Welcome to the Synapse web.
 
 


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better solution.

Can you point me to right one?



Best regards,
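
Added example (not part of the original thread and not Wicket project code): the escaping behaviour discussed in this message, rendered with WicketTester so the generated HTML can be inspected. It assumes wicket-core 6.x with the servlet API and JUnit on the classpath; the class name, the component id and the sample realName value are constructed for illustration.

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.util.string.Strings;
import org.apache.wicket.util.tester.WicketTester;

/**
 * Added illustration (hypothetical class name): renders the same greeting three
 * ways and reports whether the stored value reaches the browser as live markup.
 */
public class LabelEscapingDemo {

    // Constructed sample standing in for the realName value stored in the database.
    static final String REAL_NAME = "<script>alert('XSS')</script>";

    /** Renders one component inside a generated test page and returns the HTML. */
    static String render(WicketTester tester, Label label) {
        tester.startComponentInPage(label);
        return tester.getLastResponseAsString();
    }

    /** True when the stored value was written to the page unescaped. */
    static boolean scriptIsLive(String html) {
        return html.contains("<script>alert");
    }

    /** Prints the outcome and fails loudly if it differs from what is expected. */
    static void report(String name, String html, boolean expectedLive) {
        boolean live = scriptIsLive(html);
        System.out.printf("%-45s script live: %s%n", name, live);
        if (live != expectedLive) {
            throw new IllegalStateException("unexpected result for: " + name);
        }
    }

    public static void main(String[] args) {
        WicketTester tester = new WicketTester();
        try {
            // 1. Default behaviour: Component#setEscapeModelStrings is true, so the
            //    model string is HTML-escaped when the label body is written.
            Label escaped = new Label("message", "Hello " + REAL_NAME);
            report("default (escaping on)", render(tester, escaped), false);

            // 2. The configuration from the thread: escaping switched off so that
            //    bold text could be shown. The stored value is now emitted verbatim.
            Label raw = new Label("message", "Hello " + REAL_NAME);
            raw.setEscapeModelStrings(false);
            report("setEscapeModelStrings(false)", render(tester, raw), true);

            // 3. Markup is wanted around the name: keep escaping off for the label,
            //    but escape the untrusted part explicitly before concatenating it
            //    with the trusted markup.
            String fragment = "Hello <b>" + Strings.escapeMarkup(REAL_NAME) + "</b>";
            Label bold = new Label("message", fragment);
            bold.setEscapeModelStrings(false);
            String boldHtml = render(tester, bold);
            report("escaping off, user value escaped by hand", boldHtml, false);
            if (!boldHtml.contains("<b>&lt;script&gt;")) {
                throw new IllegalStateException("trusted <b> markup was not preserved");
            }
        } finally {
            tester.destroy();
        }
    }
}
```

Escaping at render time covers the value however it reached the database, which is why it is preferred over validating in the DAO layer alone.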









Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi Martin,

This is how I've done it.

label = new Label("message", getString("main.message", new Model(authSession.getUser())));

label.setOutputMarkupId(true);


And in the MainTmsPage.properties I have:

main.message=Hello ${realName}. Welcome to the Technoactivity Payment Solutions main page.



And it worked!


On 30/01/14 10:03, Martin Grigorov wrote:

Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,

I'm building an application for a client and my security advisor told me
about a XSS attack that can be performed on the site.

When user logs-in I welcome them by saying "Hello user".


 
 Hello ${realName}.


How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello .
Together with: page.add(new Label("realName", "Some Name"));



 Welcome to the Synapse web.
 
 


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better solution.

Can you point me to right one?



Best regards,









Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi I will take a look.



maybe I did it to allow html rendering on label. Will tell you.

Thank you a lot for references.

On 29/01/14 21:29, Paul Bors wrote:

No need, Wicket escapes your model objects, see
Component#setEscapeModelStrings(true) for when HTML should be escaped and
thus the browser won't execute it as HTML or JS.
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)

That is on by default, so you should switch to using a wicket model for
your label.

See the bottom section 11.1 "What is a model?" of the wicket free guide at:
http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action:
http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html


On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,

I'm building an application for a client and my security advisor told me
about an XSS attack that can be performed on the site.

When the user logs in I welcome them by saying "Hello user".


 
 Hello ${realName}.
 Welcome to the Synapse web.
 
 


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better solution.

Can you point me to right one?



Best regards,






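The escaping behaviour Paul Bors describes in the quoted reply above, as an added example that is not part of the original thread. It assumes wicket-core 6.x on the classpath together with JUnit (needed by WicketTester); the class name, the sample value and the "Hello <b>…</b>" template are constructed for illustration, and the third case assumes, as guessed in the reply, that escaping was switched off to allow HTML in the label.

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.string.Strings;
import org.apache.wicket.util.tester.WicketTester;

public class LabelEscapingDemo {

    // Constructed sample standing in for a hostile realName read from the database.
    static final String REAL_NAME = "<script>alert('XSS')</script>";

    /** Renders one Label in a WicketTester page and returns the generated HTML. */
    static String render(String text, boolean escapeModelStrings) {
        WicketTester tester = new WicketTester();
        try {
            Label label = new Label("realName", Model.of(text));
            label.setEscapeModelStrings(escapeModelStrings); // true is the default
            tester.startComponentInPage(label);
            return tester.getLastResponseAsString();
        } finally {
            tester.destroy();
        }
    }

    /** Reports whether the stored value reached the page unescaped. */
    static void report(String scenario, String html) {
        System.out.println(scenario + ": raw value in output = " + html.contains(REAL_NAME));
    }

    public static void main(String[] args) {
        // 1. Default: the Label escapes the model string, so the tag arrives as text.
        String escaped = render("Hello " + REAL_NAME, true);

        // 2. Escaping switched off to let HTML through: the stored value is emitted raw.
        String raw = render("Hello <b>" + REAL_NAME + "</b>", false);

        // 3. HTML still wanted in the label: escaping stays off for the trusted
        //    template, but the untrusted value is escaped before it is inserted.
        String mixed = render("Hello <b>" + Strings.escapeMarkup(REAL_NAME) + "</b>", false);

        report("default escaping", escaped);
        report("escaping off", raw);
        report("escaping off, value pre-escaped", mixed);
    }
}
```

Only the second scenario should report the raw value in the output, which is why escaping at output time, rather than validating in the DAO layer, is the place to handle this.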



[ANNOUNCE] Wicket jQuery UI 6.13.1 is released

2014-01-30 Thread Sebastien
Hi,

Wicket jQuery UI 6.13.1 based on *Apache Wicket 6.13.0* is released and
will shortly be available in Maven Central.

This release is an upgrade to jQuery UI 1.10.4

The (small) changelog is available at the wiki page:
https://github.com/sebfz1/wicket-jquery-ui/wiki/%5Bchangelog%5D-wicket-jquery-ui-6.13.1

Maven dependency


<dependency>
  <groupId>com.googlecode.wicket-jquery-ui</groupId>
  <artifactId>wicket-jquery-ui</artifactId>
  <version>6.13.1</version>
</dependency>


Non Maven users can download the jars manually from here
http://central.maven.org/maven2/com/googlecode/wicket-jquery-ui/

Best regards,
Sebastien


Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Martin Grigorov
On Thu, Jan 30, 2014 at 10:26 AM, Steve wrote:

> It looks like an EL expression but it's not wicket-el because it escapes
> output the same way wicket does...
>
> speaking of I must get off my butt and work out how to import it into
> wicketstuff... I've made all the changes that wicket 6.13 enabled.
>

+1
ping me if you need help


>
> On 30/01/14 19:03, Martin Grigorov wrote:
> > Hi,
> >
> > On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
> > gagui...@aguilardelgado.com> wrote:
> >
> >> Hi there,
> >>
> >> I'm building an application for a client and my security advisor told me
> >> about an XSS attack that can be performed on the site.
> >>
> >> When the user logs in I welcome them by saying "Hello user".
> >>
> >> 
> >> 
> >> Hello ${realName}.
> >>
> > How do you substitute the value of ${realName} ?
> > Wicket doesn't support such placeholders.
> >
> > The Wicket syntax would be: Hello .
> > Together with: page.add(new Label("realName", "Some Name"));
> >
> >
> >> Welcome to the Synapse web.
> >> 
> >> 
> >>
> >>
> >> As you can see I use I18N so this is not the real text that will show up,
> >> but it's similar.
> >>
> >> I used to think that wicket validated output before building web but the
> >> white hat hacked it by just putting a fake name into the database. Too easy
> >> for me...
> >>
> >> The content of realName is:
> >>
> >> '';!--"alert('XSS')=&{()}
> >>
> >>
> >> So I ended with:
> >>
> >> Hello'';!--"alert('XSS')=&{()}
> >>
> >> In the web page. And the script executed on login.
> >>
> >> I was thinking about baking a method into my DAO classes to validate
> >> everything that goes to the database. But it should be a better solution.
> >>
> >> Can you point me to right one?
> >>
> >>
> >>
> >> Best regards,
> >>
> >>
> >>
>
>
>
>


Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Steve
It looks like an EL expression but it's not wicket-el because it escapes
output the same way wicket does...

speaking of I must get off my butt and work out how to import it into
wicketstuff... I've made all the changes that wicket 6.13 enabled.

On 30/01/14 19:03, Martin Grigorov wrote:
> Hi,
>
> On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
> gagui...@aguilardelgado.com> wrote:
>
>> Hi there,
>>
>> I'm building an application for a client and my security advisor told me
>> about an XSS attack that can be performed on the site.
>>
>> When the user logs in I welcome them by saying "Hello user".
>>
>> 
>> 
>> Hello ${realName}.
>>
> How do you substitute the value of ${realName} ?
> Wicket doesn't support such placeholders.
>
> The Wicket syntax would be: Hello .
> Together with: page.add(new Label("realName", "Some Name"));
>
>
>> Welcome to the Synapse web.
>> 
>> 
>>
>>
>> As you can see I use I18N so this is not the real text that will show up,
>> but it's similar.
>>
>> I used to think that wicket validated output before building web but the
>> white hat hacked it by just putting a fake name into the database. Too easy
>> for me...
>>
>> The content of realName is:
>>
>> '';!--"alert('XSS')=&{()}
>>
>>
>> So I ended with:
>>
>> Hello'';!--"alert('XSS')=&{()}
>>
>> In the web page. And the script executed on login.
>>
>> I was thinking about baking a method into my DAO classes to validate
>> everything that goes to the database. But it should be a better solution.
>>
>> Can you point me to right one?
>>
>>
>>
>> Best regards,
>>
>>
>>





Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Martin Grigorov
Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:

> Hi there,
>
> I'm building an application for a client and my security advisor told me
> about an XSS attack that can be performed on the site.
>
> When the user logs in I welcome them by saying "Hello user".
>
> 
> 
> Hello ${realName}.
>

How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello .
Together with: page.add(new Label("realName", "Some Name"));


> Welcome to the Synapse web.
> 
> 
>
>
> As you can see I use I18N so this is not the real text that will show up,
> but it's similar.
>
> I used to think that wicket validated output before building web but the
> white hat hacked it by just putting a fake name into the database. Too easy
> for me...
>
> The content of realName is:
>
> '';!--"alert('XSS')=&{()}
>
>
> So I ended with:
>
> Hello'';!--"alert('XSS')=&{()}
>
> In the web page. And the script executed on login.
>
> I was thinking about baking a method into my DAO classes to validate
> everything that goes to the database. But it should be a better solution.
>
> Can you point me to right one?
>
>
>
> Best regards,
>
>
>