I came across this while fixing XSS vulnerabilities found during a penetration test of our application (which sadly still uses Wicket 1.5.x).
Just to be sure, I also checked the source from Wicket 7.1.0 and the issue is present as well.
Object title = getTitle() != null ? getTitle().getObject() : null;
if (title != null)
For example having the title model return a string that contains
will make the browser show a JS popup when clicking on the dialog title.