[
https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452500#comment-17452500
]
Emond Papegaaij commented on WICKET-6938:
-----------------------------------------
[~alfortin] You cannot use eval in any way without unsafe-eval, and that needs
to be set in the CSP of your page, which probably is not what you want. This
needs to be fixed by rendering the {{getOnSelectJavaScriptExpression}} in a
proper event handler, which will be part of the head of your page. There, you
should not need eval because the event handler already is executable javascript
(and not a text-value of an attribute). It's probably similar to what I did
here for links:
https://github.com/apache/wicket/commit/bcda1de49a4b3faa74d0a11e893bba9d099ea9bc
> wicket-autocomplete.js not CSP compliant
> ----------------------------------------
>
> Key: WICKET-6938
> URL: https://issues.apache.org/jira/browse/WICKET-6938
> Project: Wicket
> Issue Type: Bug
> Components: wicket-extensions
> Affects Versions: 9.6.0
> Reporter: Alexandre
> Priority: Major
>
> While upgrading from wicket 8 to 9.6 we are trying to implement CSP. We also
> use the autocompletebehavior. This in turn call wicket-autocomplete.js
> (wicket-extensions\src\main\java\org\apache\wicket\extensions\ajax\markup\html\autocomplete).
> This js file contains "handleSelection" function trying to "eval(attr.value)"
> throwing a CSP 'unsafe-eval' exception.
> So the autocomplete textfield will display choices, but won't handle user
> selection.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
