Hi All,

please ignore this. We found the issue - it was due to AbstractBehavior
that was being added to the textfields that outputs the raw value in a div
before escaping it.

On Wed, May 7, 2014 at 11:23 AM, Wayne W <waynemailingli...@gmail.com>wrote:

> Hi
> Its been brought to my attention that wicket seems to be XSS vulnerable.
> We have a public internet facing form, and by simply putting
> <img src=x onerror=prompt(1);>
> In the fields you can get a js prompt appearing. As add the fields have
> validators on them, all code is passing through the wicket based code. If
> there any way to stop this?
> We're using wicket 1.4.21 but I've also just tried with the latest version
> of wicket with the same response.
> Its a standard form and we're not setting setEscapeModelStrings or
> anything.
> How can we sanitise the fields on an onError?
> thanks

Reply via email to