[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452429#comment-17452429 ]

Martin Tzvetanov Grigorov commented on WICKET-6938:
---------------------------------------------------

[~alfortin] Could you please explain more how you use 
getOnSelectJavaScriptExpression() exactly?

"Removing the on select fixed the eval issue but break on select behavior" is 
not quite clear to me.

 

At the moment getOnSelectJavaScriptExpression() could be used to enhance the 
item's value. The examples in the javadoc are very optimistic, e.g. one of them 
uses Ajax to fetch some extra data, but Ajax is asynchronous, so obviously it 
won't work as is.

As far as I can see, if you want to avoid the CSP error you have to move the JS 
logic to Java.

> wicket-autocomplete.js not CSP compliant
> ----------------------------------------
>
>                 Key: WICKET-6938
>                 URL: https://issues.apache.org/jira/browse/WICKET-6938
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-extensions
>    Affects Versions: 9.6.0
>            Reporter: Alexandre
>            Priority: Major
>
> While upgrading from Wicket 8 to 9.6 we are trying to implement CSP. We also 
> use the autocompletebehavior. This in turn calls wicket-autocomplete.js 
> (wicket-extensions\src\main\java\org\apache\wicket\extensions\ajax\markup\html\autocomplete).
> This js file contains a "handleSelection" function trying to "eval(attr.value)", 
> throwing a CSP 'unsafe-eval' exception.
> So the autocomplete textfield will display choices, but won't handle user 
> selection.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
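
The following is an added example, not code from Wicket or from this thread: it puts the eval-on-attribute pattern the issue describes next to an eval-free alternative that only looks up a named handler. The element shape, the `data-onselect` attribute, the handler names and the `underNoEvalPolicy` helper (which imitates a policy without 'unsafe-eval' by making `eval` throw) are all assumptions made for illustration.

```javascript
// Constructed stand-ins for a choice element: only the attributes matter here.
const legacyItem = { attributes: { onselect: { value: "input.toUpperCase()" } } };
const safeItem = { attributes: { "data-onselect": { value: "upper" } } };

// Pattern described in the issue: the attribute text is executed as code.
// Under a CSP without 'unsafe-eval' the browser throws EvalError at this call.
function handleSelectionLegacy(item, input) {
  const attr = item.attributes.onselect;
  return attr ? eval(attr.value) : input;
}

// Eval-free alternative: the attribute only names a handler registered from a
// script file the policy already allows. A Map avoids prototype-key lookups.
const selectHandlers = new Map([
  ["upper", (input) => input.toUpperCase()],
  ["trim", (input) => input.trim()],
]);

function handleSelectionSafe(item, input) {
  const attr = item.attributes["data-onselect"];
  const handler = attr && selectHandlers.get(attr.value);
  // Unknown or missing names leave the value untouched; no text is ever run.
  return handler ? handler(input) : input;
}

// Hypothetical helper: imitate the policy by making eval throw EvalError,
// run fn, and return either its result or the name of the error it raised.
function underNoEvalPolicy(fn) {
  const realEval = globalThis.eval;
  globalThis.eval = () => { throw new EvalError("blocked by CSP (simulated)"); };
  try {
    return fn();
  } catch (err) {
    return err.name;
  } finally {
    globalThis.eval = realEval;
  }
}
```

With the simulated policy in place the legacy path fails on selection, which matches the reported symptom of choices being displayed but not handled, while the lookup-based path keeps working.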