Re: Embedding Wicket Components

2021-05-25 Thread Martin Grigorov
Hi,

On Mon, May 24, 2021 at 3:51 AM Ilya Naryzhnyy  wrote:

> Hello,
>
> I'm thinking about creating a JavaScript library for more seamless embedding
> of Wicket components and pages into external HTML pages. Use case: there is
> a WordPress site and a few components need to be embedded into the
> corresponding pages. Your advice is needed!
>
> There are a few options to do that:
> 1) IFRAME. It's the easiest way, but there are some disadvantages:
> problems with SEO, vertical stretching, usability, etc.
> 2) Natural embedding through "document.write". There are also some
> disadvantages: styles and scripts namespaces, security, etc.
>
> But nevertheless the second option looks pretty interesting to me. Please stop
> me if you think otherwise.
>
> Logic of embedding:
>
> 1) The user embeds a special JavaScript library, for example via the snippet:
> <script src="http://mywicketsite/wicket-exporter.js"></script>
> 2) The user "binds" a local element id to some Wicket Component. For example:
> WicketExporter.bind("elementId", "com.mypackage.MyComponent", attrsAsJson);
> 3) The library first "renders" all required Wicket scripts and libraries and
> presents the required element as a "dummy element".
> 4) Through the Wicket Ajax library, invoke a special "page" which returns an
> AjaxRequestTarget that replaces the "dummy element" with the required one.
>
> Your thoughts?
> After marrying VueJS and Wicket (https://github.com/OrienteerBAP/vuecket)
> I'm sure that it's possible, but I probably don't see some obvious
> obstacles.
>

I also don't see any problems doing it!

>
> Thanks,
>
> Ilia
> -
> Orienteer(http://orienteer.org) - open source Business Application
> Platform
>


CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack

2021-05-25 Thread Emond Papegaaij
Description:

A DNS proxy and possible amplification attack vulnerability in
WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
DNS lookups from the server when the X-Forwarded-For header is not
properly sanitized. This DNS lookup can be engineered to overload an
internal DNS server or to slow down request processing of the Apache
Wicket application causing a possible denial of service on either the
internal infrastructure or the web application itself.

This issue affects Apache Wicket 9.x version 9.2.0 and prior versions;
Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x
version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0
and later versions.

Mitigation:

Sanitize the X-Forwarded-For header by running an Apache Wicket
application behind a reverse HTTP proxy. This proxy should put the
client IP address in the X-Forwarded-For header and not pass through
the contents of the header as received by the client.

The application developers are recommended to upgrade to:
- Apache Wicket 7.18.0
- Apache Wicket 8.12.0
- Apache Wicket 9.0.0


Credit:

Apache Wicket would like to thank Jonathan Juursema from
Topicus.Healthcare for reporting this issue.

Apache Wicket Team
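The header handling the mitigation above asks of the reverse proxy, as an added Python example that is not part of the advisory or of Wicket's own code: only entries that parse as IP literals are allowed to reach the application (so nothing taken from X-Forwarded-For can require a DNS lookup), and an untrusted peer's header is discarded entirely. It assumes a constructed access-log format of "peer-ip, then the raw header in quotes" for the detection part.

```python
import ipaddress
import re
from typing import List, Set, Tuple


def is_ip_literal(token: str) -> bool:
    """True only for a bare IPv4/IPv6 address; anything that would need
    name resolution (a hostname, junk) returns False."""
    try:
        ipaddress.ip_address(token.strip())
        return True
    except ValueError:
        return False


def header_for_app(incoming: str, peer_ip: str, trusted_proxies: Set[str]) -> str:
    """Value of X-Forwarded-For to hand to the Wicket application.
    A peer that is not a trusted upstream proxy gets its header discarded
    outright (the advisory's mitigation); entries from a trusted proxy are
    kept only when they are IP literals, then the peer address is appended."""
    if peer_ip not in trusted_proxies:
        return peer_ip
    kept = [t.strip() for t in incoming.split(",") if is_ip_literal(t)]
    return ", ".join(kept + [peer_ip])


def non_ip_entries(header: str) -> List[str]:
    """Entries of an X-Forwarded-For value that are not IP literals, i.e.
    the values a vulnerable WebClientInfo would have tried to resolve."""
    return [t.strip() for t in header.split(",") if t.strip() and not is_ip_literal(t)]


# Constructed sample log lines (assumed format: peer ip, quoted raw header).
SAMPLE_LOG = """\
10.0.0.5 "203.0.113.7"
10.0.0.5 "198.51.100.2, 10.1.1.1"
10.0.0.9 "attacker-controlled.example, 203.0.113.7"
10.0.0.9 "2001:db8::1"
10.0.0.12 "internal-host.corp.example"
"""

LOG_RE = re.compile(r'^(\S+) "([^"]*)"$')


def find_lookup_triggers(log_text: str) -> List[Tuple[str, List[str]]]:
    """Report (peer, offending entries) for every logged request whose
    X-Forwarded-For carried a non-IP value; useful to confirm the proxy
    rewrite is in place and to spot probing before the upgrade lands."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and non_ip_entries(m.group(2)):
            hits.append((m.group(1), non_ip_entries(m.group(2))))
    return hits
```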
