Uploaded image for project: 'Wicket'
  1. Wicket
  2. WICKET-6687

Cleanup the code from attribute inline styles and attribute inline scripts

    XMLWordPrintableJSON

Details

    • Task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 9.0.0-M5
    • wicket-core
    • None

    Description

      Another issue for improving Wicket's Content Security Policy(CSP) compatibility is an abundance of attribute inline styles and scripts, such as style="display: none", onclick="doSomething()", and href="javascript:doSomething();" all these could be easily replaced with appropriate nonced inline scripts and styles or references to predefined css classes and js functions.

      Examples

      org.apache.wicket.ajax.markup.html.AjaxLink#onComponentTag : should rather completely remove the href, potentially some css class like `wicket-ajax-link` could be added

      if (tagName.equalsIgnoreCase("a") || tagName.equalsIgnoreCase("link") ||
	tagName.equalsIgnoreCase("area"))
{
	// disable any href attr in markup
	tag.put("href", "javascript:;");
}

      org.apache.wicket.Component#renderPlaceholderTag : should rather add some special css class, or javascript which can set display none programmatically (and can also be nonced)

      response.write("<");
response.write(name);
response.write(" id=\"");
response.write(getAjaxRegionMarkupId());
response.write("\" style=\"display:none\" data-wicket-placeholder=\"\"></");
response.write(name);
response.write(">");

      (org.apache.wicket.extensions.ajax.markup.html.AjaxIndicatorAppender#afterRender has the same issue)

      org.apache.wicket.markup.html.form.Form#appendDefaultButtonField : this piece is just ridiculous to have in 2019

      buffer.append(String.format("<div style=\"width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden\" class=\"%s\">", cssClass));

      org.apache.wicket.markup.html.form.Form#appendDefaultButtonField

      buffer.append(defaultSubmittingComponent.getInputName());
buffer.append("\" onclick=\" var b=document.getElementById('");
buffer.append(submittingComponent.getMarkupId());

      Attachments

        Issue Links

          is a parent of

          Bug - A problem which impairs or prevents the functions of the product. WICKET-6745 CSP: inline JS in server and client time response filters

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6724 CSP: Inline Javascript in AjaxLink

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6725 CSP: display:none in Component.renderPlaceholderTag

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6726 CSP: inline styling and js in Form submitbutton handling

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6731 CSP: inline JS in SubmitLink

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6732 CSP: inline JS in Link and ExternalLink

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6733 CSP: enable by default

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6735 CSP: inline styling in FormComponentFeedbackBorder/Indicator

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6736 CSP: Inline styling in BrowserInfoForm

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6737 CSP: violations in examples

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6738 CSP: inline styling in UploadProgressBar

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6739 CSP: inline JS in Palette

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6740 CSP: inline JS in Button

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6741 CSP: inline JS in FormComponentUpdatingBehavior

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6749 CSP: Inline styling in ExceptionErrorPage.html

          • Major - Major loss of function.
          • Resolved

          Task - A task that needs to be done. WICKET-6747 Document CSP in user guide and migration guide

          • Major - Major loss of function.
          • Resolved
          is related to

          Improvement - An improvement or enhancement to an existing feature or task. WICKET-6682 Improve JavaScriptContentHeaderItem and JavaScriptUtils to support nonce

          • Major - Major loss of function.
          • Resolved
          mentioned in

          Page Loading...

          Activity

            People

              papegaaij Emond Papegaaij
              Kondratev Andrew Kondratev
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: