andruhon commented on a change in pull request #376: WICKET-6682 add CSP nonce support: DecoratingHeaderResponse approach
URL: https://github.com/apache/wicket/pull/376#discussion_r303835058
 
 

 ##########
 File path: wicket-core/src/main/java/org/apache/wicket/markup/head/JavaScriptHeaderItem.java
 ##########
 @@ -365,15 +372,54 @@ protected final void 
internalRenderJavaScriptReference(Response response, String
                boolean isAjax = 
RequestCycle.get().find(IPartialPageRequestHandler.class).isPresent();
                // the url needs to be escaped when Ajax, because it will break 
the Ajax Response XML (WICKET-4777)
                CharSequence escapedUrl = isAjax ? Strings.escapeMarkup(url): 
url;
-
-               JavaScriptUtils.writeJavaScriptUrl(response, escapedUrl, id, 
defer, charset, async);
+               AttributeMap attributes = AttributeMap.of(
+                               HeaderItemAttribute.TYPE, "text/javascript",
+                               HeaderItemAttribute.SCRIPT_SRC, 
String.valueOf(escapedUrl)
+               );
+               if (id != null)
+               {
+                       attributes.add(HeaderItemAttribute.ID, id);
+               }
+               if (defer)
+               {
+                       attributes.add(HeaderItemAttribute.SCRIPT_DEFER, 
"defer");
+               }
+               if (charset != null)
+               {
+                       // XXX this attribute is not necessary for modern 
browsers
+                       attributes.add("charset", charset);
+               }
+               if (async)
+               {
+                       attributes.add(HeaderItemAttribute.SCRIPT_ASYNC, 
"async");
+               }
+               attributes.compute(HeaderItemAttribute.CSP_NONCE, 
this::getNonce);
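
Review bot: The value stored under HeaderItemAttribute.SCRIPT_SRC is `String.valueOf(escapedUrl)`, which in the Ajax case has already been through Strings.escapeMarkup, so the escaping decision is made before the URL enters the AttributeMap rather than where the attribute is written out. If the code that renders this map also escapes attribute values, a query-string `&` will be escaped twice in Ajax responses; if it does not, the map silently requires pre-escaped values from every caller. Consider putting the raw `url` into the map and escaping once in the writer, or stating on AttributeMap whether values are expected to be escaped already. Minor: `attributes.add("charset", charset)` uses a string literal where the other entries use HeaderItemAttribute constants, and the XXX comment should become a proper explanation or be dropped.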
 
 Review comment:
   Maybe escaping is just a wrong solution. This should be some kind of escaping, which doesn't destroy & characters.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
