[ https://issues.apache.org/jira/browse/WICKET-7183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18093694#comment-18093694 ]
ASF GitHub Bot commented on WICKET-7183:
----------------------------------------
pedrosans opened a new pull request, #1504:
URL: https://github.com/apache/wicket/pull/1504
target is now processed as the parameter described in the javadoc (using single quotes)
> Changed behaviour / JavaDoc of PopupSettings#setTarget incorrect since latest security fixes
> --------------------------------------------------------------------------------------------
>
> Key: WICKET-7183
> URL: https://issues.apache.org/jira/browse/WICKET-7183
> Project: Wicket
> Issue Type: Bug
> Affects Versions: 9.23.0
> Reporter: Daniel Radünz
> Priority: Minor
>
> Due to the changed behaviour of {{PopupSettings#setTarget}} with [this
> commit|https://github.com/apache/wicket/pull/1450/changes/ceaac22b5df520954cf3c114d52852332cf38814#diff-6051c993387bf3d6e5c1194b954d1bc7603cbfd5deab3df5b1f9b7b50023733aR159-R162]
> the JavaDoc is now incorrect. It still states that links have to be
> manually enclosed by single quotes.
> {panel:title=JavaDoc}
> Note: if the target is an url (relative or absolute) then it should be
> wrapped in quotes, for example: setTarget("'some/url'").
> {panel}
> In Wicket 9.22.0 this still worked as described, in Wicket 9.23.0 this now
> leads to incorrectly opened Popup on our site with links looking like
> "http://example.com/mypage/Page1'../mypage/Page2'?1" (notice the quotes in
> the URL). Removing the manually added single quotes in our Java code when
> calling setTarget worked just fine for us though.
> Since this was a change to increase the security of Wicket, I'd assume that
> changing the JavaDoc is the preferred course of action rather than reverting
> the change, even if the change might break things for a small group of people
> using this method.
> I'd assume this affects Wicket 10 as well, but we are still on 9, so that's
> where we noticed it.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
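As an added illustration (not Wicket's code and not part of the pull request), the following JavaScript models the two ways of building a popup script that the report describes: splicing the target into the script verbatim, so that it is evaluated as a JavaScript expression (which is why the old JavaDoc told callers to quote URLs themselves), and serialising it as an escaped JavaScript string literal (which matches what the reporter observes in 9.23.0, where a caller-supplied pair of quotes ends up inside the URL). The script shape, the `toJsStringLiteral` helper and the stub `window.open` are assumptions made for this demonstration.

```javascript
// Serialise a value as a JavaScript single-quoted string literal.
// Backslashes, quotes, line terminators and "</" are escaped so the value
// can never terminate the literal or the enclosing <script> element.
// (Assumed helper, not Wicket's own escaping routine.)
function toJsStringLiteral(value) {
  const escaped = String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');
  return "'" + escaped + "'";
}

// Model of the pre-fix behaviour: the target is spliced in as-is and is
// therefore parsed as JavaScript. A bare "some/url" is a division of two
// undefined identifiers; the caller had to pass "'some/url'" to get a string.
function popupScriptLegacy(target) {
  return "var w = window.open(" + target + ", 'popup', 'width=400');";
}

// Model of the post-fix behaviour: the target is always emitted as a string
// literal, so whatever the caller passes is the URL, quotes included.
function popupScriptQuoted(target) {
  return "var w = window.open(" + toJsStringLiteral(target) + ", 'popup', 'width=400');";
}

// Execute a generated script against a stub window and return the URL that
// reached window.open (constructed harness; no real browser involved).
function openedUrl(script) {
  let captured;
  const fakeWindow = { open: (url) => { captured = url; return {}; } };
  new Function('window', script)(fakeWindow);
  return captured;
}

// Old behaviour, target quoted by the caller as the JavaDoc instructed.
console.log(openedUrl(popupScriptLegacy("'some/url'")));   // some/url

// Old behaviour, unquoted target: evaluated as code and fails at runtime.
try {
  openedUrl(popupScriptLegacy("some/url"));
} catch (e) {
  console.log('legacy unquoted target:', e.name);          // ReferenceError
}

// New behaviour, caller still adds quotes: they become part of the URL,
// which is the broken link the report describes.
console.log(openedUrl(popupScriptQuoted("'some/url'")));   // 'some/url'

// New behaviour, plain target: exactly the URL the caller intended.
console.log(openedUrl(popupScriptQuoted("some/url")));     // some/url
```

The defensive point is the second builder: because the target is serialised as a string literal rather than spliced in as code, the generated script can only ever open the URL it was given, and the caller no longer has (or needs) any influence over the surrounding JavaScript syntax. The price is exactly the compatibility break in the report, so the JavaDoc advice to pre-quote URLs has to go along with the change.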