Wicket / WICKET-6732

CSP: inline JS in Link and ExternalLink

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.0.0-M4
    • Fix Version/s: 9.0.0-M5
    • Component/s: wicket-core
    • Labels: None

    Description

      org.apache.wicket.markup.html.link.Link uses a lot of inline JS, like:

      tag.put("onclick", popupSettings.getPopupJavaScript());
      
      tag.put(
      	"onclick",
      	"var win = this.ownerDocument.defaultView || this.ownerDocument.parentWindow; " +
      		"if (win == window) { window.location.href='" +
      		url + "'; } ;return false");
      
      // If the subclass specified javascript, use that
      final CharSequence onClickJavaScript = getOnClickScript(url);
      if (onClickJavaScript != null)
      {
      	tag.put("onclick", onClickJavaScript);
      }
      

      Similar code can be found in ExternalLink.

      Also take a look at AjaxFallbackLink. This class removes the onclick attribute from the Link, but that will not work if they are not added in the first place.
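
The following is an added example, not part of the issue and not Wicket's code. It shows, at the markup level, the change the report asks for: an `onclick` attribute like the one quoted above cannot run under a CSP without `'unsafe-inline'`, so the handler is moved into a nonce'd script that binds it with `addEventListener`. The function names, the sample URL and the nonce value are assumptions made for illustration.

```javascript
// Added example, not Wicket code: move inline on* handlers out of a rendered
// tag so it works under a CSP such as  script-src 'self' 'nonce-<value>'.
const INLINE_HANDLER = /\s(on[a-z]+)\s*=\s*"([^"]*)"/gi;
const ENTITIES = { '&amp;': '&', '&quot;': '"', '&#39;': "'", '&lt;': '<', '&gt;': '>' };

// Attribute values are HTML-escaped; script bodies are not, so decode first.
function decodeAttr(value) {
  return value.replace(/&(amp|quot|#39|lt|gt);/g, e => ENTITIES[e]);
}

// Handlers that a policy without 'unsafe-inline' would refuse to run.
function findInlineHandlers(tag) {
  return [...tag.matchAll(INLINE_HANDLER)].map(m => ({
    event: m[1].slice(2).toLowerCase(),
    code: decodeAttr(m[2]),
  }));
}

// Returns the tag without handlers plus a nonce'd <script> that binds them.
// Assumes the tag has an id and the caller supplies a fresh per-response nonce.
function externalize(tag, nonce) {
  if (!/^[A-Za-z0-9+\/_=-]+$/.test(nonce)) throw new Error('invalid nonce');
  const cleanTag = tag.replace(INLINE_HANDLER, '');
  const id = (cleanTag.match(/\sid\s*=\s*"([^"]*)"/i) || [])[1];
  if (!id) throw new Error('tag needs an id to bind handlers to');
  const handlers = findInlineHandlers(tag);
  if (handlers.length === 0) return { tag: cleanTag, script: '' };
  // Inline handlers run with this = element, and "return false" cancels the
  // default action; addEventListener ignores return values, so emulate both.
  const body = handlers.map(h =>
    `document.getElementById(${JSON.stringify(id)}).addEventListener(` +
    `${JSON.stringify(h.event)}, function (event) {\n` +
    `  var r = (function (event) { ${h.code} }).call(this, event);\n` +
    `  if (r === false) event.preventDefault();\n});`
  ).join('\n').replace(/<\//g, '<\\/'); // never let "</script>" end the block early
  return { tag: cleanTag, script: `<script nonce="${nonce}">\n${body}\n</script>` };
}

// Constructed sample modelled on the onclick quoted in the issue (URL is made up).
const sample = '<a id="link1" href="./page?2" onclick="var win = ' +
  'this.ownerDocument.defaultView || this.ownerDocument.parentWindow; ' +
  'if (win == window) { window.location.href=&#39;./page?2&#39;; } ;return false">go</a>';
```

The nonce has to match the one sent in the response's `Content-Security-Policy` header and be regenerated for every response.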

            People

              Assignee: papegaaij Emond Papegaaij
              Reporter: papegaaij Emond Papegaaij