Daniel Radünz created WICKET-7183:
-------------------------------------

             Summary: Changed behaviour / JavaDoc of PopupSettings#setTarget 
incorrect since latest security fixes
                 Key: WICKET-7183
                 URL: https://issues.apache.org/jira/browse/WICKET-7183
             Project: Wicket
          Issue Type: Bug
    Affects Versions: 9.23.0
            Reporter: Daniel Radünz


Due to the changed behaviour of {{PopupSettings#setTarget}} with [this 
commit|https://github.com/apache/wicket/pull/1450/changes/ceaac22b5df520954cf3c114d52852332cf38814#diff-6051c993387bf3d6e5c1194b954d1bc7603cbfd5deab3df5b1f9b7b50023733aR159-R162]
 the JavaDoc is now incorrect. It still states that links have to be manually 
enclosed by single quotes.
{panel:title=JavaDoc}
Note: if the target is an url (relative or absolute) then it should be wrapped 
in quotes, for example: setTarget("'some/url'").
{panel}
In Wicket 9.22.0 this still worked as described, in Wicket 9.23.0 this now 
leads to an incorrectly opened popup on our site with links looking like 
"http://example.com/mypage/Page1'../mypage/Page2'?1" (notice the quotes in the 
URL). Removing the manually added single quotes in our Java code when calling 
setTarget worked just fine for us though.

Since this was a change to increase the security of Wicket, I'd assume that 
changing the JavaDoc is the preferred course of action rather than reverting the 
change, even if the change might break things for a small group of people using 
this method.

I'd assume this affects Wicket 10 as well, but we are still on 9, so that's 
where we noticed it.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
