[GitHub] [wicket] andruhon commented on issue #376: WICKET-6682 add CSP nonce support: DecoratingHeaderResponse approach

Mon, 15 Jul 2019 06:26:02 -0700 

andruhon commented on issue #376: WICKET-6682 add CSP nonce support: 
DecoratingHeaderResponse approach
URL: https://github.com/apache/wicket/pull/376#issuecomment-511400657
 
 
   I've got into a trouble with this stuff. Need help. The issue is that we 
really want all attributes to be escaped, except the URL. 
   
   I came up with this solutions
   ```
        /**
         * Generates a <code>String</code> representation of this object.
         *
         * @param noEscapeMarkupKeys
         *              a set of keys to not aply
         * @return <code>String</code> representation of this 
<code>ValueMap</code> consistent with the
         * tag-attribute style of markup elements. For example: <code>a="x" 
b="y" c="z"</code>.
         */
        @Override
        public String toString() {
                return toString(null);
        }
   
        /**
         * Generates a <code>String</code> representation of this object.
         *
         * @param noEscapeMarkupKeys
         *              a set of keys to not aply
         * @return <code>String</code> representation of this 
<code>ValueMap</code> consistent with the
         * tag-attribute style of markup elements. For example: <code>a="x" 
b="y" c="z"</code>.
         */
        public String toString(Collection<String> noEscapeMarkupKeys)
        {
                final StringBuilder buffer = new StringBuilder();
                boolean first = true;
                for (Map.Entry<String, Object> entry : entrySet())
                {
                        if (first == false)
                        {
                                buffer.append(' ');
                        }
                        first = false;
                        String key = entry.getKey();
                        buffer.append(key);
                        buffer.append("=\"");
                        final Object value = entry.getValue();
                        if (value == null)
                        {
                                buffer.append("null");
                        }
                        else if (value.getClass().isArray())
                        {
                                buffer.append(Arrays.asList((Object[])value));
                        }
                        else
                        {
                                buffer.append(
                                                noEscapeMarkupKeys != null && 
noEscapeMarkupKeys.contains(key)
                                                                ? value
                                                                : 
Strings.escapeMarkup(String.valueOf(value))
                                );
                        }
   
                        buffer.append('\"');
                }
                return buffer.toString();
        }
   ```
   The problem is that the interface IValueMap is mostly used everywhere, and I 
can't really add a new method to the interface within wicket 8.
   
   Any advice?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

Reply via email to