Wicket / WICKET-4219

Enable markup escaping of WizardStep's labels by default due to security aspects

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4.19, 1.5.3
    • Fix Version/s: 6.0.0-beta2
    • Component/s: wicket-extensions
    • Labels:
      None

      Description

      Markup escaping of the title and summary label in org.apache.wicket.extensions.wizard.WizardStep is disabled by default. This fact is not documented, and therefore there could be some security risk when their Models are generated from user input.
      An improvement would be to enable markup escaping and let the user disable this on demand.

        Activity

        Sven Meier added a comment -

        For security reasons the models are now escaped in Wicket 6 by default.

        For 1.4.x and 1.5.x we can't change this, as this would break existing applications.

        Developers needing to disable escaping of the labels (or more customization with a MultiLineLabel) can provide their own header component, see WizardStep#getHeader().

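The following is an added example, not code from this issue or from the Wicket project. It shows how an application on the 1.4.x or 1.5.x line, where the fix above was not backported, can use the WizardStep#getHeader() hook to supply a header whose title and summary labels are escaped, matching the Wicket 6 default. The class names EscapingWizardStep and EscapedHeader, the markup file name and the sample user input are assumptions.

```java
// Added example for WICKET-4219; not part of the issue or of Wicket itself.
// The default WizardStep header builds two Labels and calls
// setEscapeModelStrings(false) on each, so a title taken from user input is
// written into the page as raw markup. Replacing the header with one that keeps
// Label's escaping default closes that gap without touching the step logic.
import org.apache.wicket.Component;
import org.apache.wicket.extensions.wizard.IWizard;
import org.apache.wicket.extensions.wizard.WizardStep;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.model.PropertyModel;

public class EscapingWizardStep extends WizardStep {
    private static final long serialVersionUID = 1L;

    public EscapingWizardStep(IModel<String> title, IModel<String> summary) {
        super(title, summary);
    }

    // WizardStep#getHeader(String, Component, IWizard) is the hook named in the
    // comment above; returning our own Panel here replaces the default header.
    @Override
    public Component getHeader(String id, Component parent, IWizard wizard) {
        return new EscapedHeader(id, this);
    }

    // Markup for the panel (assumed file name EscapedHeader.html, next to the class):
    // <wicket:panel>
    //   <h3 wicket:id="title">[title]</h3>
    //   <p wicket:id="summary">[summary]</p>
    // </wicket:panel>
    private static final class EscapedHeader extends Panel {
        private static final long serialVersionUID = 1L;

        EscapedHeader(String id, WizardStep step) {
            super(id);
            // PropertyModel re-reads step.getTitle()/getSummary() on every render,
            // so later changes to the step's models are still picked up.
            // Label escapes model strings by default; we deliberately do NOT call
            // setEscapeModelStrings(false), which is what the stock header does.
            add(new Label("title", new PropertyModel<String>(step, "title")));
            add(new Label("summary", new PropertyModel<String>(step, "summary")));
        }
    }

    // Constructed usage: a step whose title comes straight from a request parameter.
    // With the stock 1.4/1.5 header the <b> tag would be rendered as markup; with
    // EscapedHeader it is rendered as the literal text "&lt;b&gt;Hello&lt;/b&gt;".
    public static EscapingWizardStep fromUserInput(String untrustedTitle) {
        return new EscapingWizardStep(
            new Model<String>(untrustedTitle),          // e.g. "<b>Hello</b>"
            new Model<String>("Summary shown under the title"));
    }
}
```

The same override is the place to go the other way on Wicket 6: if a step genuinely needs markup in its title, return a header from getHeader() whose Label calls setEscapeModelStrings(false), and make sure that model is never fed from user input.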

          People

          • Assignee:
            Sven Meier
            Reporter:
            Thomas Aulinger
          • Votes:
            0
            Watchers:
            3
