[
https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17451887#comment-17451887
]
Alexandre commented on WICKET-6938:
-----------------------------------
To help debugging of this we do have "getOnSelectJavaScriptExpression"
overriden in our AbstractAutoCompleteTextRenderer because what the user see in
the choices list is more verbose than the actual choice. Removing the on select
fixed the eval issue but break on select behavior. Thank you.
> wicket-autocomplete.js not CSP compliant
> ----------------------------------------
>
> Key: WICKET-6938
> URL: https://issues.apache.org/jira/browse/WICKET-6938
> Project: Wicket
> Issue Type: Bug
> Components: wicket-extensions
> Affects Versions: 9.6.0
> Reporter: Alexandre
> Priority: Major
>
> While upgrading from wicket 8 to 9.6 we are trying to implement CSP. We also
> use the autocompletebehavior. This in turn call wicket-autocomplete.js
> (wicket-extensions\src\main\java\org\apache\wicket\extensions\ajax\markup\html\autocomplete).
> This js file contains "handleSelection" function trying to "eval(attr.value)"
> throwing a CSP 'unsafe-eval' exception.
> So the autocomplete textfield will display choices, but won't handle user
> selection.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
