[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452500#comment-17452500 ]
Emond Papegaaij commented on WICKET-6938:
-----------------------------------------

[~alfortin] You cannot use eval in any way without unsafe-eval, and that needs to be set in the CSP of your page, which probably is not what you want. This needs to be fixed by rendering the {{getOnSelectJavaScriptExpression}} in a proper event handler, which will be part of the head of your page. There, you should not need eval because the event handler already is executable JavaScript (and not a text-value of an attribute).

It's probably similar to what I did here for links: https://github.com/apache/wicket/commit/bcda1de49a4b3faa74d0a11e893bba9d099ea9bc

> wicket-autocomplete.js not CSP compliant
> ----------------------------------------
>
>                 Key: WICKET-6938
>                 URL: https://issues.apache.org/jira/browse/WICKET-6938
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-extensions
>    Affects Versions: 9.6.0
>            Reporter: Alexandre
>            Priority: Major
>
> While upgrading from Wicket 8 to 9.6 we are trying to implement CSP. We also
> use the autocompletebehavior. This in turn calls wicket-autocomplete.js
> (wicket-extensions\src\main\java\org\apache\wicket\extensions\ajax\markup\html\autocomplete).
> This js file contains a "handleSelection" function trying to "eval(attr.value)",
> throwing a CSP 'unsafe-eval' exception.
> So the autocomplete textfield will display choices, but won't handle user
> selection.
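
The difference between the two approaches discussed in this thread, as an added example that is not part of the original message and is not Wicket's code: a Node `vm` context with string code generation disabled stands in for a page whose CSP omits 'unsafe-eval'. The names `attrs`, `handlers`, `onSelect`, `runSelection` and the element id `ac1` are hypothetical.

```javascript
// Node's vm module stands in for a browser page whose CSP omits 'unsafe-eval':
// codeGeneration.strings=false makes eval() and new Function() throw EvalError.
const vm = typeof require === "function"
  ? require("node:vm")
  : process.getBuiltinModule("node:vm"); // fallback when run as an ES module

// Constructed page script; all identifiers below are illustrative.
const pageScript = `
  var selected = [];

  // Pattern from the report: JavaScript kept as attribute text, then eval'ed.
  var attrs = { ac1: "selected.push('eval:' + value)" };
  function handleSelectionEval(id, value) {
    return eval(attrs[id]);
  }

  // Pattern from the comment: the expression is rendered as a real function in
  // a head script the policy already allows, so no string is ever parsed.
  var handlers = {};
  function onSelect(id, fn) { handlers[id] = fn; }
  onSelect("ac1", function (value) { return selected.push("handler:" + value); });
  function handleSelectionHandler(id, value) {
    var fn = handlers[id];
    return typeof fn === "function" ? fn(value) : undefined;
  }
`;

// Runs one selection through both code paths and reports what happened.
function runSelection(allowEval) {
  const ctx = vm.createContext({}, { codeGeneration: { strings: allowEval, wasm: false } });
  vm.runInContext(pageScript, ctx);
  const result = { evalError: null, handlerError: null, selected: "" };
  try { vm.runInContext('handleSelectionEval("ac1", "Paris")', ctx); }
  catch (e) { result.evalError = e.name; }
  try { vm.runInContext('handleSelectionHandler("ac1", "Paris")', ctx); }
  catch (e) { result.handlerError = e.name; }
  result.selected = vm.runInContext('selected.join(",")', ctx);
  return result;
}

console.log("strict policy:", runSelection(false));
console.log("unsafe-eval allowed:", runSelection(true));
```

With string evaluation blocked, only the registered handler records the selection, which matches the symptom in the report: choices are displayed but selecting one does nothing.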