[ 
https://issues.apache.org/jira/browse/WICKET-7113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17856533#comment-17856533
 ] 

John Tal edited comment on WICKET-7113 at 6/20/24 6:34 PM:
-----------------------------------------------------------

OK, let me restate the two cases more simply. Both cases are using some 
elements of a pre-existing/custom CSP (rolled our own under Wicket 8):

 
 - In case A) for the Wicket 9 generated javascript in the top section:

<script type="text/javascript">/*<![CDATA[*/
Wicket.Event.add(window, "domready", function(event) {
  Wicket.Event.add('id6', 'click', function(event) {
    var f = document.getElementById('id5');
    document.getElementById('id5_hf_0').innerHTML += '<input type="hidden" name="components/redeemSubmitLink" value="x" />';
    Wicket.Event.fire(f, 'submit');
    return false;;
  });;
  Wicket.Event.publish(Wicket.Event.Topic.AJAX_HANDLERS_BOUND);;
});
/*]]>*/</script>

This was not generated in Wicket 8, correct?

 

Can we either: 

1. Tell Wicket to not generate this script and still have a submit button 
working? Or is this standard Wicket behavior now in Wicket 9?

or

2. Can we provide a nonce value for the output to look like this:

<script type="text/javascript" nonce="OURNONCEHERE--123">/*<![CDATA[*/
Wicket.Event.add(window, "domready", function(event) {
  Wicket.Event.add('id6', 'click', function(event) {
    var f = document.getElementById('id5');
    document.getElementById('id5_hf_0').innerHTML += '<input type="hidden" name="components/redeemSubmitLink" value="x" />';
    Wicket.Event.fire(f, 'submit');
    return false;;
  });;
  Wicket.Event.publish(Wicket.Event.Topic.AJAX_HANDLERS_BOUND);;
});
/*]]>*/</script>

 
 - In case B) regarding the same generated javascript in the top section

Similar questions:

1. Does this script need to be generated by Wicket 9 for the page to function?  
Can we turn it off? 

<script type="text/javascript" nonce="OURNONCEHERE--123">/*<![CDATA[*/
Wicket.Event.add(window, "domready", function(event) {
  Wicket.Event.add('id6', 'click', function(event) {
    var f = document.getElementById('id5');
    document.getElementById('id5_hf_0').innerHTML += '<input type="hidden" name="components/redeemSubmitLink" value="x" />';
    Wicket.Event.fire(f, 'submit');
    return false;;
  });;
  Wicket.Event.publish(Wicket.Event.Topic.AJAX_HANDLERS_BOUND);;
});
/*]]>*/</script>

2. Can you confirm what Wicket is doing at 
Wicket.Event.publish(Wicket.Event.Topic.AJAX_HANDLERS_BOUND)? If javascript is 
already associated with the submit button, will it be detached/overwritten?

3. For clarification, we have already attached javascript to the SubmitLink 
(using bootstrap validation from 
https://getbootstrap.com/docs/5.3/forms/validation/) which is doing our own 
validation. We do not want or need Wicket to step on that existing javascript. 
Wicket should not assume that it can override existing Javascript. How can we 
turn off this section of Wicket generating script? It does feel like Wicket is 
making assumptions it shouldn't. This wasn't happening in Wicket 8.



> Wicket Ajax domReady colliding with existing scripting
> ------------------------------------------------------
>
>                 Key: WICKET-7113
>                 URL: https://issues.apache.org/jira/browse/WICKET-7113
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 9.16.0
>         Environment: Rhel 8, with Docker, Java 17 OpenJdk Adoptium
>            Reporter: John Tal
>            Priority: Major
>
> Related to SubmitLinks we now see this javascript being generated on the page 
> in Wicket 9:
> <script type="text/javascript">/*<![CDATA[*/
> Wicket.Event.add(window, "domready", function(event) {
>   Wicket.Event.add('id6', 'click', function(event) {
>     var f = document.getElementById('id5');
>     document.getElementById('id5_hf_0').innerHTML += '<input type="hidden" name="components/redeemSubmitLink" value="x" />';
>     Wicket.Event.fire(f, 'submit');
>     return false;;
>   });;
>   Wicket.Event.publish(Wicket.Event.Topic.AJAX_HANDLERS_BOUND);;
> });
> /*]]>*/</script>
>  
> However, we have two instances where this is breaking existing code:
> A) In the case of having rolled our own CSP already in Wicket 8, migrating to 
> Wicket 9 and turning off CSP for the app through the following:
>
>     public void init() {
>       getCspSettings().blocking().disabled();
>     }
>
> This still results in the above javascript being generated into the page 
> and being blocked by our inhouse CSP. We don't want the above javascript 
> added to the page at all.
>
> B) In the case of using intensive jquery already on pages, with CSP turned 
> on in Wicket 9, our existing jquery scripting can't fire because this code 
> is on the page. The custom jquery code is already dealing with Nonce values 
> and adding its own event handlers to the components on the page. So this is 
> sort of a hybrid CSP approach. But we cannot avoid using this approach with 
> jquery/nonce/eventhandlers as it's done in jquery at another company which 
> maintains the jquery side and we maintain the wicket side.
> Again, we don't want the above javascript added to the page at all.
> For both cases we attempted to use setDefaultFormProcessing(false); 
> however that results in no form submission at all.
>  
> We probably just don't know what APIs to call to get Wicket to act like we 
> need it to.
>  
> already are using jquery and other scripting
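
Added example (not part of the Jira thread and not Wicket's own code): a simplified model of how a browser applies a nonce-based `script-src` policy to inline scripts, showing why the un-nonced generated script in case A is blocked by a custom CSP while the nonced form asked for in question 2 would run. The policy string, the shortened page markup and the function names are constructed for illustration; hash sources and `strict-dynamic` are not modelled.

```javascript
// Simplified model of CSP script-src checks for inline <script> elements.
// POLICY and PAGE are constructed samples; script bodies are shortened.
function parseScriptSrc(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values);
  }
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return null; // policy places no restriction on scripts
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice(7, -1)); // strip the leading 'nonce- and trailing '
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/.test(s));
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const unsafeInline =
    sources.includes("'unsafe-inline'") && nonces.length === 0 && !hasHash;
  return { nonces, unsafeInline };
}

function auditInlineScripts(html, policy) {
  const rules = parseScriptSrc(policy);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    if (/\bsrc\s*=/i.test(attrs)) continue; // external script, not inline
    const nonceAttr = /\bnonce\s*=\s*"([^"]*)"/i.exec(attrs);
    const nonce = nonceAttr ? nonceAttr[1] : null;
    const allowed = rules === null || rules.unsafeInline ||
      (nonce !== null && rules.nonces.includes(nonce));
    findings.push({ offset: m.index, nonce, allowed });
  }
  return findings;
}

const POLICY = "default-src 'self'; script-src 'self' 'nonce-OURNONCEHERE--123'";
const PAGE = [
  // Case A: generated script without a nonce attribute.
  '<script type="text/javascript">/*<![CDATA[*/Wicket.Event.add(window, "domready", function(event) {});/*]]>*/</script>',
  // Question 2: the same script carrying the page nonce.
  '<script type="text/javascript" nonce="OURNONCEHERE--123">/*<![CDATA[*/Wicket.Event.add(window, "domready", function(event) {});/*]]>*/</script>',
  '<script src="/app/validation.js"></script>',
].join('\n');
```

Calling `auditInlineScripts(PAGE, POLICY)` returns one finding per inline script; the first has `allowed: false`, which corresponds to the CSP violation the browser console reports for the un-nonced script.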


