[WICKET-4219] Enable markup escaping of WizardStep's labels by default due to security aspects - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.4.19, 1.5.3
Fix Version/s: 6.0.0-beta2
Component/s: wicket-extensions
Labels:
None

Description

Markup escaping of the title and summary label in org.apache.wicket.extensions.wizard.WizardStep are disabled by default. This fact is not documented, an therefore there could be some security risk, when their Models are generated from user input.
An improvement would be to enable markup escaping and let the user disable this on demand.

Attachments

Activity

People

Assignee:: Sven Meier

Reporter:: Thomas Aulinger

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 11/Nov/11 14:14

Updated:: 15/May/12 19:12

Resolved:: 15/May/12 19:12