[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452443#comment-17452443 ]

Alexandre commented on WICKET-6938:
-----------------------------------

[~mgrigorov] The use case is the following: the choices in the list are fully
developed names (i.e. title, first name, last name), but when the user clicks we
call an "AbstractDefaultAjaxBehavior" with Wicket.Ajax.get (defined in
getOnSelectJavaScriptExpression) to set the textfield value with the username
instead.

This scenario is pretty much what the examples are describing. 

I understand now that this will break because the unsafe eval is there.

You can close this issue, I will try moving this logic to an event handler as
suggested.

Thank you

> wicket-autocomplete.js not CSP compliant
> ----------------------------------------
>
>                 Key: WICKET-6938
>                 URL: https://issues.apache.org/jira/browse/WICKET-6938
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-extensions
>    Affects Versions: 9.6.0
>            Reporter: Alexandre
>            Priority: Major
>
> While upgrading from Wicket 8 to 9.6 we are trying to implement CSP. We also 
> use the autocompletebehavior. This in turn calls wicket-autocomplete.js 
> (wicket-extensions\src\main\java\org\apache\wicket\extensions\ajax\markup\html\autocomplete).
> This JS file contains a "handleSelection" function that tries to 
> "eval(attr.value)", throwing a CSP 'unsafe-eval' exception.
> So the autocomplete textfield will display choices, but won't handle user 
> selection.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
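
The failure discussed in this thread, as an added example that is not Wicket's code and not part of the original message: Node's `vm` module with `codeGeneration.strings` disabled stands in for a browser enforcing a CSP without 'unsafe-eval'. The names `selectWithEval`, `selectWithEvent`, `trySelection` and the `choice-selected` event are hypothetical, and the username is a constructed sample.

```javascript
const vm = require('node:vm');

// Constructed stand-in for a script the page loads from its own origin.
const PAGE_SCRIPT = `
  const field = new EventTarget();   // stands in for the text field
  field.value = '';

  // Pattern from the report: the on-select action arrives as a string
  // and is executed with eval(attr.value).
  function selectWithEval(attr) {
    eval(attr.value);
    return field.value;
  }

  // Event-handler pattern: the action is ordinary code registered up
  // front, and the selection only carries data.
  field.addEventListener('choice-selected', (ev) => {
    field.value = ev.username;
  });
  function selectWithEvent(username) {
    const ev = new Event('choice-selected');
    ev.username = username;
    field.dispatchEvent(ev);
    return field.value;
  }
`;

// Constructed sample calls; 'jdoe' is a made-up username.
const EVAL_CALL = `selectWithEval({ value: "field.value = 'jdoe'" })`;
const EVENT_CALL = `selectWithEvent('jdoe')`;

// allowEval=false models a policy without 'unsafe-eval': the context
// refuses to compile code from strings, so eval() throws EvalError.
function trySelection(call, allowEval) {
  const ctx = vm.createContext(
    { EventTarget, Event },
    { codeGeneration: { strings: allowEval, wasm: false } }
  );
  vm.runInContext(PAGE_SCRIPT, ctx);
  try {
    return { value: vm.runInContext(call, ctx), blocked: null };
  } catch (err) {
    return { value: null, blocked: err.name };
  }
}

console.log('eval, eval allowed :', trySelection(EVAL_CALL, true));
console.log('eval, eval blocked :', trySelection(EVAL_CALL, false));
console.log('event, eval blocked:', trySelection(EVENT_CALL, false));
```
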
