WICKET-6687

Cleanup the code from attribute inline styles and attribute inline scripts


    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9.0.0-M5
    • Component/s: wicket-core
    • Labels: None

      Description

      Another issue for improving Wicket's Content Security Policy (CSP) compatibility is an abundance of attribute inline styles and scripts, such as style="display: none", onclick="doSomething()", and href="javascript:doSomething();". All of these could be easily replaced with appropriate nonced inline scripts and styles or references to predefined CSS classes and JS functions.

      Examples

      org.apache.wicket.ajax.markup.html.AjaxLink#onComponentTag : should rather completely remove the href; potentially some CSS class like `wicket-ajax-link` could be added

      if (tagName.equalsIgnoreCase("a") || tagName.equalsIgnoreCase("link") ||
      	tagName.equalsIgnoreCase("area"))
      {
      	// disable any href attr in markup
      	tag.put("href", "javascript:;");
      }
      

      org.apache.wicket.Component#renderPlaceholderTag : should rather add some special css class, or javascript which can set display none programmatically (and can also be nonced)

      response.write("<");
      response.write(name);
      response.write(" id=\"");
      response.write(getAjaxRegionMarkupId());
      response.write("\" style=\"display:none\" data-wicket-placeholder=\"\"></");
      response.write(name);
      response.write(">");
      

      (org.apache.wicket.extensions.ajax.markup.html.AjaxIndicatorAppender#afterRender has the same issue)

      org.apache.wicket.markup.html.form.Form#appendDefaultButtonField : this piece is just ridiculous to have in 2019

      buffer.append(String.format("<div style=\"width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden\" class=\"%s\">", cssClass));
      

      org.apache.wicket.markup.html.form.Form#appendDefaultButtonField

      buffer.append(defaultSubmittingComponent.getInputName());
      buffer.append("\" onclick=\" var b=document.getElementById('");
      buffer.append(submittingComponent.getMarkupId());
      
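      As an added example (not code from this issue or from Wicket), a small Node.js lint that flags the attribute-level constructs listed above in rendered markup, then checks a reworked variant that uses classes and nonced elements instead. A nonce whitelists only `<script>` and `<style>` elements, so on* handlers, `javascript:` URLs and `style` attributes stay blocked under a nonce-based policy; the sample markup, ids, class names and nonce value are constructed for the example.

```javascript
// Added example, not Wicket code: flags the markup constructs that a strict
// Content Security Policy without 'unsafe-inline' blocks. Nonces whitelist
// only <script>/<style> elements, so on* handlers, javascript: URLs and style
// attributes must move into CSS classes or nonced elements. Regex-based lint.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s=>/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function findCspViolations(markup) {
  const findings = [];
  for (const [, rawTag, attrText] of markup.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    const attrs = new Map();
    for (const m of attrText.matchAll(ATTR_RE)) {
      attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
    }
    for (const [name, value] of attrs) {
      if (name.startsWith('on')) {
        findings.push({ tag, attr: name, kind: 'inline-event-handler' }); // script-src
      } else if (name === 'style') {
        findings.push({ tag, attr: name, kind: 'inline-style-attribute' }); // style-src
      } else if (['href', 'src', 'action', 'formaction'].includes(name)
                 && /^\s*javascript:/i.test(value)) {
        findings.push({ tag, attr: name, kind: 'javascript-url' }); // script-src
      }
    }
    const inlineScript = tag === 'script' && !attrs.has('src');
    if ((inlineScript || tag === 'style') && !attrs.has('nonce')) {
      findings.push({ tag, attr: null, kind: 'unnonced-inline-element' });
    }
  }
  return findings;
}

// Constructed sample in the shape the snippets quoted above render; ids,
// class names and the onclick body are made up for the example.
const BEFORE = `
<a href="javascript:;" id="link1">Ajax link</a>
<div id="region1" style="display:none" data-wicket-placeholder=""></div>
<div style="width:0px;height:0px;position:absolute;left:-100px;top:-100px;overflow:hidden" class="hidden-fields">
<input type="submit" name="defaultButton" onclick=" var b=document.getElementById('submit1'); b.click();"></div>`;

// Same markup with the inline code moved to classes and nonced elements
// (nonce value made up; tabindex keeps the href-less anchor focusable).
const AFTER = `
<style nonce="r4nd0m">.wicket-placeholder, .wicket-hidden-fields { display: none; }</style>
<a id="link1" class="wicket-ajax-link" tabindex="0">Ajax link</a>
<div id="region1" class="wicket-placeholder" data-wicket-placeholder=""></div>
<div class="wicket-hidden-fields"><input type="submit" name="defaultButton" data-wicket-default-button="submit1"></div>
<script nonce="r4nd0m">/* default-button wiring reads data-wicket-default-button here */</script>`;
```

Running `findCspViolations(BEFORE)` reports four findings (one per quoted snippet), while `findCspViolations(AFTER)` reports none.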

              People

              • Assignee: Emond Papegaaij (papegaaij)
              • Reporter: Andrew Kondratev (Kondratev)
