Wicket / WICKET-6732

CSP: inline JS in Link and ExternalLink


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.0.0-M4
    • Fix Version/s: 9.0.0-M5
    • Component/s: wicket-core
    • Labels:
      None

      Description

      org.apache.wicket.markup.html.link.Link uses a lot of inline JS, like:

      tag.put("onclick", popupSettings.getPopupJavaScript());
      
      tag.put(
      	"onclick",
      	"var win = this.ownerDocument.defaultView || this.ownerDocument.parentWindow; " +
      		"if (win == window) { window.location.href='" +
      		url + "'; } ;return false");
      
      // If the subclass specified javascript, use that
      final CharSequence onClickJavaScript = getOnClickScript(url);
      if (onClickJavaScript != null)
      {
      	tag.put("onclick", onClickJavaScript);
      }
      

      Similar code can be found in ExternalLink.

      Also take a look at AjaxFallbackLink. This class removes the onclick attribute from the Link, but that will not work if they are not added in the first place.
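
The contrast behind this issue, as an added example that is not part of the original report or of Wicket's code: the click logic quoted above rendered as an inline onclick attribute, then as a nonce-carrying script that binds a listener, plus a small audit check for inline handlers in rendered markup. All function names and the data-href attribute are assumptions made for illustration.

```javascript
// Added example, not Wicket code; every function name here is hypothetical.
const crypto = require('crypto');

const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Fresh, unguessable nonce; a new one must be issued for every response.
const newNonce = () => crypto.randomBytes(16).toString('base64');

// The pattern quoted in the issue: navigation logic in an onclick attribute.
// A policy without 'unsafe-inline' makes the browser refuse to run it.
function renderLegacy(id, url) {
  const js = "var win = this.ownerDocument.defaultView || this.ownerDocument.parentWindow; " +
    "if (win == window) { window.location.href='" + url + "'; } ;return false";
  return `<span id="${esc(id)}" onclick="${esc(js)}">go</span>`;
}

// CSP-compatible form: the element carries only data; the same logic is bound
// from a script element that the policy admits through its nonce.
// Assumes id is a server-generated markup id, not user input.
function renderCspSafe(id, url, nonce) {
  const html = `<span id="${esc(id)}" data-href="${esc(url)}">go</span>`;
  const script = `<script nonce="${esc(nonce)}">
document.getElementById(${JSON.stringify(id)}).addEventListener('click', function (e) {
  var win = this.ownerDocument.defaultView || this.ownerDocument.parentWindow;
  if (win == window) { window.location.href = this.dataset.href; }
  e.preventDefault();
});
</script>`;
  return { html, script, csp: `script-src 'self' 'nonce-${nonce}'` };
}

// Audit helper: names of on* handler attributes found in rendered markup.
// Quoted values are blanked first so text inside an attribute is not matched.
function inlineHandlers(markup) {
  const found = [];
  for (const tag of markup.match(/<[a-zA-Z](?:"[^"]*"|'[^']*'|[^>"'])*>/g) || []) {
    const bare = tag.replace(/"[^"]*"|'[^']*'/g, '""');
    for (const m of bare.matchAll(/\s(on[a-z]+)\s*=/gi)) found.push(m[1].toLowerCase());
  }
  return found;
}

const page = renderCspSafe('link1', '/app/page?2', newNonce());
console.log(inlineHandlers(renderLegacy('link1', '/app/page?2')), inlineHandlers(page.html + page.script));
```

The csp value returned by renderCspSafe is what the response would send in its Content-Security-Policy header; the nonce in the header and on the script element must match.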

              People

              • Assignee: Emond Papegaaij (papegaaij)
              • Reporter: Emond Papegaaij (papegaaij)
              • Votes: 0
              • Watchers: 2