> But one thing those componentresolvers are stored in the applicationsettings object?
> But that means that people can do things that we maybe shouldn't allow..
> Putting all objects over the complete webapplication in that componentresolver..

Yes, I was thinking about it also. Putting it into AppSettings means it is public and modifiable by everyone. The same is true for protected Container.resolveComponent(). Every component may implement its own. Hopefully what you describe will not happen. Jon, in his reqs mail, suggests allowing the id attribute value (wicket-([a-zA-Z_-..]+) only to be HTML conform. That is, no more [autolink] etc. I think that reduces the risk, though it does not prevent users from doing so. Any idea on how to better protect it?

> shouldn't we have 2 sets of componentresolvers? One based on the current page. and one global one?

This is exactly how it is implemented. One "static" (used by [autolink]) List of Resolvers and one per Container (Page). Though the container one is not taken from AppSettings, we added a protected method to Container.resolveComponent() (e.g. used by Border).

Juergen
