Re: Generate markup for hidden framework form field?
janneru schrieb: i also just found a similar one by uwe schaefer: http://www.codesmell.org/blog/2008/12/wicket-secureform/ cheers uwe. note that it is just a copy of what mighty igor posted here :) i´m using it in production a lot. thx again, igor. cu uwe - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Generate markup for hidden framework form field?
thx jörn for sharing ur solution! i also just found a similar one by uwe schaefer: http://www.codesmell.org/blog/2008/12/wicket-secureform/ cheers uwe. On Tue, May 26, 2009 at 2:43 PM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: Thanks guys! The end result looks like this, works fine, and removed a lot of html boilderplate from our templates: public SecureForm(String id, IModelT model) { super(id, model); setMarkupId(id); add(new IFormValidator() { �...@override public void validate(Form? form) { String submitted = getRequest().getParameter(csrf-protection); if (Application.get().getConfigurationType().equals(Application.DEPLOYMENT) !csrfProtection().equals(submitted)) { log.warn(potential csrf attack, submitted value: + submitted + , expected: + csrfProtection()); form.error(wrong csrf protection cookie); } } �...@override public FormComponent?[] getDependentFormComponents() { return null; } }); } @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { getResponse().write(new AppendingStringBuffer(input type=\hidden\ name=\csrf-protection\ value=\).append(csrfProtection()).append(\ /)); super.onComponentTagBody(markupStream, openTag); } Jörn On Tue, May 26, 2009 at 2:23 PM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: The current component (the HiddenField) checks that the same value that it started with, is submitted. I'll try to replace that using a form validator that reads the parameter directly. Thanks Jörn On Tue, May 26, 2009 at 1:32 PM, Maarten Bosteels mbosteels@gmail.com wrote: When you write it out with oncomponenttagbody it's not part of the component hierarchy, it's just rendered markup. Once the form is submitted, you can retrieve the value using the servlet API. What behavior would you want to add on top ? Maarten On Tue, May 26, 2009 at 12:17 PM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: How is that going the fix the problem? I'd end up with markup, but no behaviour on top of it. Jörn On Mon, May 25, 2009 at 5:52 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: right, so remove that code since you have replaced that component with pure markup. -igor On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: That was the idea. But Wicket still can't find the component markup when looking for it. The form adds this elsewhere: add(new HiddenFieldString(csrf-protection, new ModelString(csrfProtection())).setRequired(true).add(new IValidatorString() { public void validate(IValidatableString validatable) { log.warn(potential csrf attack, submitted value: + validatable.getValue() + , expected: + csrfProtection()); validatable.error(new ValidationError().setMessage(wrong csrf protection cookie)); } })); Jörn On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: if you write it out in oncomponenttagbody then you dont need it in the markupo anymore. -igor On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: Hi, my application uses a form subclass everywhere for CSRF protection. Each form needs a hidden field like this: input type=hidden wicket:id=csrf-protection / The wicket component for that is added by the form subclass (SecureForm) which all other forms in the application extend. Currently each form has to include that markup somewhere, producing a lot of duplication. I'm looking for a way to get rid of that duplication. An approach I'm currently investigating is to generate the markup, similar to how Form genrates a hidden input it its onComponentTagBody: @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { String nameAndId = get(csrf-protection).getId(); AppendingStringBuffer buffer = new AppendingStringBuffer( input type=\hidden\ name=\).append(nameAndId).append(\ /); getResponse().write(buffer); super.onComponentTagBody(markupStream, openTag); } That doesn't work, Wicket throws an exception of a missing reference in markup anyway. Likely because this just writes to the response, not extending the markup. I also don't see any way to achieve this via MarkupStream or ComponentTag. Any ideas? Regards Jörn Zaefferer - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Generate markup for hidden framework form field?
How is that going the fix the problem? I'd end up with markup, but no behaviour on top of it. Jörn On Mon, May 25, 2009 at 5:52 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: right, so remove that code since you have replaced that component with pure markup. -igor On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: That was the idea. But Wicket still can't find the component markup when looking for it. The form adds this elsewhere: add(new HiddenFieldString(csrf-protection, new ModelString(csrfProtection())).setRequired(true).add(new IValidatorString() { public void validate(IValidatableString validatable) { log.warn(potential csrf attack, submitted value: + validatable.getValue() + , expected: + csrfProtection()); validatable.error(new ValidationError().setMessage(wrong csrf protection cookie)); } })); Jörn On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: if you write it out in oncomponenttagbody then you dont need it in the markupo anymore. -igor On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: Hi, my application uses a form subclass everywhere for CSRF protection. Each form needs a hidden field like this: input type=hidden wicket:id=csrf-protection / The wicket component for that is added by the form subclass (SecureForm) which all other forms in the application extend. Currently each form has to include that markup somewhere, producing a lot of duplication. I'm looking for a way to get rid of that duplication. An approach I'm currently investigating is to generate the markup, similar to how Form genrates a hidden input it its onComponentTagBody: @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { String nameAndId = get(csrf-protection).getId(); AppendingStringBuffer buffer = new AppendingStringBuffer( input type=\hidden\ name=\).append(nameAndId).append(\ /); getResponse().write(buffer); super.onComponentTagBody(markupStream, openTag); } That doesn't work, Wicket throws an exception of a missing reference in markup anyway. Likely because this just writes to the response, not extending the markup. I also don't see any way to achieve this via MarkupStream or ComponentTag. Any ideas? Regards Jörn Zaefferer - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Generate markup for hidden framework form field?
When you write it out with oncomponenttagbody it's not part of the component hierarchy, it's just rendered markup. Once the form is submitted, you can retrieve the value using the servlet API. What behavior would you want to add on top ? Maarten On Tue, May 26, 2009 at 12:17 PM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: How is that going the fix the problem? I'd end up with markup, but no behaviour on top of it. Jörn On Mon, May 25, 2009 at 5:52 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: right, so remove that code since you have replaced that component with pure markup. -igor On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: That was the idea. But Wicket still can't find the component markup when looking for it. The form adds this elsewhere: add(new HiddenFieldString(csrf-protection, new ModelString(csrfProtection())).setRequired(true).add(new IValidatorString() { public void validate(IValidatableString validatable) { log.warn(potential csrf attack, submitted value: + validatable.getValue() + , expected: + csrfProtection()); validatable.error(new ValidationError().setMessage(wrong csrf protection cookie)); } })); Jörn On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: if you write it out in oncomponenttagbody then you dont need it in the markupo anymore. -igor On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: Hi, my application uses a form subclass everywhere for CSRF protection. Each form needs a hidden field like this: input type=hidden wicket:id=csrf-protection / The wicket component for that is added by the form subclass (SecureForm) which all other forms in the application extend. Currently each form has to include that markup somewhere, producing a lot of duplication. I'm looking for a way to get rid of that duplication. An approach I'm currently investigating is to generate the markup, similar to how Form genrates a hidden input it its onComponentTagBody: @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { String nameAndId = get(csrf-protection).getId(); AppendingStringBuffer buffer = new AppendingStringBuffer( input type=\hidden\ name=\).append(nameAndId).append(\ /); getResponse().write(buffer); super.onComponentTagBody(markupStream, openTag); } That doesn't work, Wicket throws an exception of a missing reference in markup anyway. Likely because this just writes to the response, not extending the markup. I also don't see any way to achieve this via MarkupStream or ComponentTag. Any ideas? Regards Jörn Zaefferer - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Generate markup for hidden framework form field?
The current component (the HiddenField) checks that the same value that it started with, is submitted. I'll try to replace that using a form validator that reads the parameter directly. Thanks Jörn On Tue, May 26, 2009 at 1:32 PM, Maarten Bosteels mbosteels@gmail.com wrote: When you write it out with oncomponenttagbody it's not part of the component hierarchy, it's just rendered markup. Once the form is submitted, you can retrieve the value using the servlet API. What behavior would you want to add on top ? Maarten On Tue, May 26, 2009 at 12:17 PM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: How is that going the fix the problem? I'd end up with markup, but no behaviour on top of it. Jörn On Mon, May 25, 2009 at 5:52 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: right, so remove that code since you have replaced that component with pure markup. -igor On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: That was the idea. But Wicket still can't find the component markup when looking for it. The form adds this elsewhere: add(new HiddenFieldString(csrf-protection, new ModelString(csrfProtection())).setRequired(true).add(new IValidatorString() { public void validate(IValidatableString validatable) { log.warn(potential csrf attack, submitted value: + validatable.getValue() + , expected: + csrfProtection()); validatable.error(new ValidationError().setMessage(wrong csrf protection cookie)); } })); Jörn On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: if you write it out in oncomponenttagbody then you dont need it in the markupo anymore. -igor On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: Hi, my application uses a form subclass everywhere for CSRF protection. Each form needs a hidden field like this: input type=hidden wicket:id=csrf-protection / The wicket component for that is added by the form subclass (SecureForm) which all other forms in the application extend. Currently each form has to include that markup somewhere, producing a lot of duplication. I'm looking for a way to get rid of that duplication. An approach I'm currently investigating is to generate the markup, similar to how Form genrates a hidden input it its onComponentTagBody: @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { String nameAndId = get(csrf-protection).getId(); AppendingStringBuffer buffer = new AppendingStringBuffer( input type=\hidden\ name=\).append(nameAndId).append(\ /); getResponse().write(buffer); super.onComponentTagBody(markupStream, openTag); } That doesn't work, Wicket throws an exception of a missing reference in markup anyway. Likely because this just writes to the response, not extending the markup. I also don't see any way to achieve this via MarkupStream or ComponentTag. Any ideas? Regards Jörn Zaefferer - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Generate markup for hidden framework form field?
Thanks guys! The end result looks like this, works fine, and removed a lot of html boilderplate from our templates: public SecureForm(String id, IModelT model) { super(id, model); setMarkupId(id); add(new IFormValidator() { @Override public void validate(Form? form) { String submitted = getRequest().getParameter(csrf-protection); if (Application.get().getConfigurationType().equals(Application.DEPLOYMENT) !csrfProtection().equals(submitted)) { log.warn(potential csrf attack, submitted value: + submitted + , expected: + csrfProtection()); form.error(wrong csrf protection cookie); } } @Override public FormComponent?[] getDependentFormComponents() { return null; } }); } @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { getResponse().write(new AppendingStringBuffer(input type=\hidden\ name=\csrf-protection\ value=\).append(csrfProtection()).append(\ /)); super.onComponentTagBody(markupStream, openTag); } Jörn On Tue, May 26, 2009 at 2:23 PM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: The current component (the HiddenField) checks that the same value that it started with, is submitted. I'll try to replace that using a form validator that reads the parameter directly. Thanks Jörn On Tue, May 26, 2009 at 1:32 PM, Maarten Bosteels mbosteels@gmail.com wrote: When you write it out with oncomponenttagbody it's not part of the component hierarchy, it's just rendered markup. Once the form is submitted, you can retrieve the value using the servlet API. What behavior would you want to add on top ? Maarten On Tue, May 26, 2009 at 12:17 PM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: How is that going the fix the problem? I'd end up with markup, but no behaviour on top of it. Jörn On Mon, May 25, 2009 at 5:52 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: right, so remove that code since you have replaced that component with pure markup. -igor On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: That was the idea. But Wicket still can't find the component markup when looking for it. The form adds this elsewhere: add(new HiddenFieldString(csrf-protection, new ModelString(csrfProtection())).setRequired(true).add(new IValidatorString() { public void validate(IValidatableString validatable) { log.warn(potential csrf attack, submitted value: + validatable.getValue() + , expected: + csrfProtection()); validatable.error(new ValidationError().setMessage(wrong csrf protection cookie)); } })); Jörn On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: if you write it out in oncomponenttagbody then you dont need it in the markupo anymore. -igor On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: Hi, my application uses a form subclass everywhere for CSRF protection. Each form needs a hidden field like this: input type=hidden wicket:id=csrf-protection / The wicket component for that is added by the form subclass (SecureForm) which all other forms in the application extend. Currently each form has to include that markup somewhere, producing a lot of duplication. I'm looking for a way to get rid of that duplication. An approach I'm currently investigating is to generate the markup, similar to how Form genrates a hidden input it its onComponentTagBody: @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { String nameAndId = get(csrf-protection).getId(); AppendingStringBuffer buffer = new AppendingStringBuffer( input type=\hidden\ name=\).append(nameAndId).append(\ /); getResponse().write(buffer); super.onComponentTagBody(markupStream, openTag); } That doesn't work, Wicket throws an exception of a missing reference in markup anyway. Likely because this just writes to the response, not extending the markup. I also don't see any way to achieve this via MarkupStream or ComponentTag. Any ideas? Regards Jörn Zaefferer - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org -
Generate markup for hidden framework form field?
Hi, my application uses a form subclass everywhere for CSRF protection. Each form needs a hidden field like this: input type=hidden wicket:id=csrf-protection / The wicket component for that is added by the form subclass (SecureForm) which all other forms in the application extend. Currently each form has to include that markup somewhere, producing a lot of duplication. I'm looking for a way to get rid of that duplication. An approach I'm currently investigating is to generate the markup, similar to how Form genrates a hidden input it its onComponentTagBody: @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { String nameAndId = get(csrf-protection).getId(); AppendingStringBuffer buffer = new AppendingStringBuffer( input type=\hidden\ name=\).append(nameAndId).append(\ /); getResponse().write(buffer); super.onComponentTagBody(markupStream, openTag); } That doesn't work, Wicket throws an exception of a missing reference in markup anyway. Likely because this just writes to the response, not extending the markup. I also don't see any way to achieve this via MarkupStream or ComponentTag. Any ideas? Regards Jörn Zaefferer - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Generate markup for hidden framework form field?
if you write it out in oncomponenttagbody then you dont need it in the markupo anymore. -igor On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: Hi, my application uses a form subclass everywhere for CSRF protection. Each form needs a hidden field like this: input type=hidden wicket:id=csrf-protection / The wicket component for that is added by the form subclass (SecureForm) which all other forms in the application extend. Currently each form has to include that markup somewhere, producing a lot of duplication. I'm looking for a way to get rid of that duplication. An approach I'm currently investigating is to generate the markup, similar to how Form genrates a hidden input it its onComponentTagBody: @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { String nameAndId = get(csrf-protection).getId(); AppendingStringBuffer buffer = new AppendingStringBuffer( input type=\hidden\ name=\).append(nameAndId).append(\ /); getResponse().write(buffer); super.onComponentTagBody(markupStream, openTag); } That doesn't work, Wicket throws an exception of a missing reference in markup anyway. Likely because this just writes to the response, not extending the markup. I also don't see any way to achieve this via MarkupStream or ComponentTag. Any ideas? Regards Jörn Zaefferer - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Generate markup for hidden framework form field?
That was the idea. But Wicket still can't find the component markup when looking for it. The form adds this elsewhere: add(new HiddenFieldString(csrf-protection, new ModelString(csrfProtection())).setRequired(true).add(new IValidatorString() { public void validate(IValidatableString validatable) { log.warn(potential csrf attack, submitted value: + validatable.getValue() + , expected: + csrfProtection()); validatable.error(new ValidationError().setMessage(wrong csrf protection cookie)); } })); Jörn On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: if you write it out in oncomponenttagbody then you dont need it in the markupo anymore. -igor On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: Hi, my application uses a form subclass everywhere for CSRF protection. Each form needs a hidden field like this: input type=hidden wicket:id=csrf-protection / The wicket component for that is added by the form subclass (SecureForm) which all other forms in the application extend. Currently each form has to include that markup somewhere, producing a lot of duplication. I'm looking for a way to get rid of that duplication. An approach I'm currently investigating is to generate the markup, similar to how Form genrates a hidden input it its onComponentTagBody: @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { String nameAndId = get(csrf-protection).getId(); AppendingStringBuffer buffer = new AppendingStringBuffer( input type=\hidden\ name=\).append(nameAndId).append(\ /); getResponse().write(buffer); super.onComponentTagBody(markupStream, openTag); } That doesn't work, Wicket throws an exception of a missing reference in markup anyway. Likely because this just writes to the response, not extending the markup. I also don't see any way to achieve this via MarkupStream or ComponentTag. Any ideas? Regards Jörn Zaefferer - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Generate markup for hidden framework form field?
right, so remove that code since you have replaced that component with pure markup. -igor On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: That was the idea. But Wicket still can't find the component markup when looking for it. The form adds this elsewhere: add(new HiddenFieldString(csrf-protection, new ModelString(csrfProtection())).setRequired(true).add(new IValidatorString() { public void validate(IValidatableString validatable) { log.warn(potential csrf attack, submitted value: + validatable.getValue() + , expected: + csrfProtection()); validatable.error(new ValidationError().setMessage(wrong csrf protection cookie)); } })); Jörn On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg igor.vaynb...@gmail.com wrote: if you write it out in oncomponenttagbody then you dont need it in the markupo anymore. -igor On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer joern.zaeffe...@googlemail.com wrote: Hi, my application uses a form subclass everywhere for CSRF protection. Each form needs a hidden field like this: input type=hidden wicket:id=csrf-protection / The wicket component for that is added by the form subclass (SecureForm) which all other forms in the application extend. Currently each form has to include that markup somewhere, producing a lot of duplication. I'm looking for a way to get rid of that duplication. An approach I'm currently investigating is to generate the markup, similar to how Form genrates a hidden input it its onComponentTagBody: @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) { String nameAndId = get(csrf-protection).getId(); AppendingStringBuffer buffer = new AppendingStringBuffer( input type=\hidden\ name=\).append(nameAndId).append(\ /); getResponse().write(buffer); super.onComponentTagBody(markupStream, openTag); } That doesn't work, Wicket throws an exception of a missing reference in markup anyway. Likely because this just writes to the response, not extending the markup. I also don't see any way to achieve this via MarkupStream or ComponentTag. Any ideas? Regards Jörn Zaefferer - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org