solomax commented on a change in pull request #376: WICKET-6682 add CSP nonce support: DecoratingHeaderResponse approach URL: https://github.com/apache/wicket/pull/376#discussion_r303282781
########## File path: wicket-core/src/main/java/org/apache/wicket/core/util/string/JavaScriptUtils.java ########## 
@@ -148,32 +151,53 @@ public static void writeJavaScriptUrl(final Response response, final CharSequenc * a non null value specifies the charset attribute of the script tag * @param async * specifies that the script can be loaded asynchronously by the browser + * @deprecated please use {@link #writeJavaScriptUrl(Response, IValueMap)} instead */ + @Deprecated public static void writeJavaScriptUrl(final Response response, final CharSequence url, final String id, boolean defer, String charset, boolean async) { - response.write("<script type=\"text/javascript\" "); + response.write("<script "); + AttributeMap attributes = new AttributeMap(); + // XXX JS mimetype can be omitted (also see below) + attributes.add(HeaderItemAttribute.TYPE, "text/javascript"); + attributes.add(HeaderItemAttribute.SCRIPT_SRC, url.toString()); if (id != null) { - response.write("id=\"" + Strings.escapeMarkup(id) + "\" "); + attributes.add(HeaderItemAttribute.ID, String.valueOf(Strings.escapeMarkup(id))); } if (defer) { - response.write("defer=\"defer\" "); + attributes.add(HeaderItemAttribute.SCRIPT_DEFER, "defer"); } - if (async) { - response.write("async=\"async\" "); + attributes.add(HeaderItemAttribute.SCRIPT_ASYNC, "async"); } - if (charset != null) { - response.write("charset=\"" + Strings.escapeMarkup(charset) + "\" "); + // FIXME charset attr is deprecated + // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script#Deprecated_attributes + attributes.add("charset", Strings.escapeMarkup(charset).toString()); } - response.write("src=\""); - response.write(url); - response.write("\"></script>"); + response.write(attributes.toString()); + response.write("></script>"); + response.write("\n"); + } + + /** + * Write a reference to a javascript file to the response object + * + * @param response + * The HTTP response + * @param attributes + * Extra tag attributes + */ + public static void writeJavaScriptUrl(final Response response, IValueMap attributes) Review comment: 
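Review bot: Escaping is split unevenly in the deprecated `writeJavaScriptUrl` overload: `id` and `charset` pass through `Strings.escapeMarkup` before `attributes.add(...)`, while `url.toString()` is added for `SCRIPT_SRC` as-is. `AttributeMap.toString()` is not visible in this hunk, so one of two things holds: if it escapes values, `id` and `charset` are now escaped twice; if it does not, `src` is still written unescaped, as the removed `response.write(url)` did. Because this tag is where the CSP nonce will be attached, attribute values should be escaped in exactly one place, preferably the serializer. If that is the case, the call sites would pass raw values, e.g. `attributes.add(HeaderItemAttribute.ID, id);`. The Javadoc of the new `writeJavaScriptUrl(Response, IValueMap)` overload, whose body lies outside the hunk, should say whether callers must pre-escape the values they put in the map.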
`writeJavaScriptAttributes` or `writeJavaScriptTagAttributes`