Wicket: WICKET-4219

Enable markup escaping of WizardStep's labels by default due to security aspects

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4.19, 1.5.3
    • Fix Version/s: 6.0.0-beta2
    • Component/s: wicket-extensions
    • Labels: None

      Description

      Markup escaping of the title and summary label in org.apache.wicket.extensions.wizard.WizardStep is disabled by default. This fact is not documented, and therefore there could be some security risk when their models are generated from user input.
      An improvement would be to enable markup escaping and let the user disable this on demand.

        Activity

        Thomas Aulinger created issue
        Sven Meier made changes:

        Field           Original Value    New Value
        Status          Open [ 1 ]        Resolved [ 5 ]
        Assignee                          Sven Meier [ svenmeier ]
        Fix Version/s                     6.0.0-beta2 [ 12320343 ]
        Resolution                        Fixed [ 1 ]

          People

          • Assignee: Sven Meier
          • Reporter: Thomas Aulinger
          • Votes: 0
          • Watchers: 2
