Hi

It's been brought to my attention that Wicket seems to be XSS vulnerable. We
have a public internet facing form, and by simply putting

<img src=x onerror=prompt(1);>

in the fields you can get a JS prompt appearing. As all the fields have
validators on them, all code is passing through the Wicket based code. Is
there any way to stop this?

We're using Wicket 1.4.21, but I've also just tried with the latest version
of Wicket with the same response.

It's a standard form and we're not setting setEscapeModelStrings or anything.

How can we sanitise the fields on an onError?

thanks
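One way to reject tag-like input at validation time, before it reaches a feedback message or any component that renders it, is a custom IValidator attached to the field. This is an added example, not code from the original post or from Wicket itself; it uses the Wicket 1.4 validation API (IValidator, IValidatable, ValidationError) and the component id "name" is a hypothetical placeholder.

```java
import java.util.regex.Pattern;

import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.validation.IValidatable;
import org.apache.wicket.validation.IValidator;
import org.apache.wicket.validation.ValidationError;

/**
 * Rejects any submitted value that contains something shaped like an HTML tag,
 * e.g. "<img src=x onerror=prompt(1);>". Wicket components escape model strings
 * by default, so this is a defence-in-depth check for values that may later be
 * echoed by a path that does not escape (custom markup, raw feedback, emails).
 */
public class NoMarkupValidator implements IValidator<String> {

    // "<", optional "/", then a letter, "!" or "?" (covers <img, </b, <!--, <?xml)
    private static final Pattern TAG_LIKE = Pattern.compile("<\\s*/?\\s*[A-Za-z!?]");

    public void validate(IValidatable<String> validatable) {
        String value = validatable.getValue();
        if (value != null && TAG_LIKE.matcher(value).find()) {
            ValidationError error = new ValidationError();
            // Plain text only: the message itself must not echo the raw input
            error.setMessage("Markup is not allowed in this field");
            validatable.error(error);
        }
    }

    /** Hypothetical helper: builds a text field with the validator attached. */
    public static TextField<String> protectedField(String id) {
        TextField<String> field = new TextField<String>(id);
        field.add(new NoMarkupValidator());
        return field;
    }
}
```

Inside the form constructor, `add(NoMarkupValidator.protectedField("name"))` replaces the plain `new TextField<String>("name")`; the validation error then shows in the FeedbackPanel as literal text rather than re-rendering the submitted value.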
