Hi All,
please ignore this. We found the issue - it was due to AbstractBehavior that was being added to the textfields that outputs the raw value in a div before escaping it.

On Wed, May 7, 2014 at 11:23 AM, Wayne W <waynemailingli...@gmail.com> wrote:
> Hi
>
> It's been brought to my attention that wicket seems to be XSS vulnerable.
> We have a public internet facing form, and by simply putting
>
> <img src=x onerror=prompt(1);>
>
> In the fields you can get a js prompt appearing. As all the fields have
> validators on them, all code is passing through the wicket based code. Is
> there any way to stop this?
>
> We're using wicket 1.4.21 but I've also just tried with the latest version
> of wicket with the same response.
>
> It's a standard form and we're not setting setEscapeModelStrings or
> anything.
>
> How can we sanitise the fields on an onError?
>
> thanks
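To make the root cause in the reply concrete, here is an added example (not code from this thread, and not Wicket's own code) of the pattern described: a Wicket 1.4-style AbstractBehavior that writes the field's raw model value into a div after the component, shown beside the hardened version that escapes the value before writing it. The class names RawValuePreviewBehavior and EscapedValuePreviewBehavior are mine; the Wicket calls used (onRendered, getDefaultModelObjectAsString, getResponse().write, Strings.escapeMarkup) are from the 1.4 API as I know it, so check them against the exact version in use.

```java
import org.apache.wicket.Component;
import org.apache.wicket.behavior.AbstractBehavior;
import org.apache.wicket.util.string.Strings;

/**
 * Vulnerable pattern (hypothetical, added example): after the textfield has
 * rendered, this behavior appends a <div> containing the raw model value with
 * no escaping. Wicket escapes the field's own value attribute, but this extra
 * markup bypasses that, so a submitted value like the one in the original
 * question is interpreted by the browser as a live tag rather than as text.
 */
public class RawValuePreviewBehavior extends AbstractBehavior {
    @Override
    public void onRendered(Component component) {
        String raw = component.getDefaultModelObjectAsString();
        // BUG: user-controlled input is concatenated straight into HTML
        component.getResponse().write("<div class=\"preview\">" + raw + "</div>");
    }
}

/**
 * Hardened pattern: same preview, but the value goes through Wicket's
 * Strings.escapeMarkup first, so '<', '>', '&' and quotes are emitted as
 * entities and the browser renders the input as text. A null model value is
 * written as an empty string instead of the literal "null".
 */
class EscapedValuePreviewBehavior extends AbstractBehavior {
    @Override
    public void onRendered(Component component) {
        String raw = component.getDefaultModelObjectAsString();
        CharSequence safe = Strings.escapeMarkup(raw == null ? "" : raw);
        component.getResponse().write("<div class=\"preview\">" + safe + "</div>");
    }
}
```

Attach it with `field.add(new EscapedValuePreviewBehavior());` in place of the raw variant. A quick check after submitting the value quoted in the original question is to view the page source: the preview div should contain `&lt;img` rather than an actual img element. Two caveats a reviewer would raise: escaping belongs at the point of output (here, where the behavior writes markup), not in a validator or an onError hook, since validation does not change what a later render emits; and Strings.escapeMarkup is an escape for element content, so a value placed into an attribute or inside a script block needs the encoding appropriate to that context instead.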