Major Description
When uploading files via org.apache.wicket.markup.html.form.upload.MultiFileUploadField component, names of uploaded files are added into a table.
Inside MultiFileUploadField.js is line that adds names of files:
contentsColumn.innerHTML = this.getOnlyFileNames(element);
This code is missing any escaping, so if you upload file named:
<code onmouseover=alert(1)>.doc
and hover on the name, you trigger sort of an XSS.
It is unlikely to be a real threat, as you can probably only attack yourself with this bug and it very uncommon to have files with "<" or ">" characters in their name, but "&" can be relatively common in names of files and "&" needs proper escaping too.
So before adding the filename to contentsColumn.innerHtml, it needs to be properly escaped.