Ok, let's try to find out how much work that is. I believe inline styling can be found this way?

    git grep "style\s*=\s*" -- "*.html" > /tmp/style.txt

Result attached. That's 95 occurrences that need to be removed with classes in geoserver.css, some like "display:none" can probably be controlled by code instead (making the wicket component non visible).

For local scripts, the following returns 17 occurrences:

> git grep -i "<script" -- "*.html"
community/gsr/src/main/resources/demos/dynamic_map_layer.html:    <script src="https://js.arcgis.com/4.5/"></script>
community/gsr/src/main/resources/demos/dynamic_map_layer.html:    <script>
community/gsr/src/main/resources/demos/layers-featurelayer-polygon.html:    <script src="https://js.arcgis.com/4.5/"></script>
community/gsr/src/main/resources/demos/layers-featurelayer-polygon.html:    <script>
community/ogcapi/ogcapi-core/src/main/resources/swagger-ui/oauth2-redirect.html:<script>
extension/importer/web/src/main/java/org/geoserver/importer/web/ImportTaskTable$LayerPreviewPanel.html:  <script type="text/javascript">
web/app/src/main/webapp/index.html:<script type="text/javascript">
web/core/src/main/java/org/geoserver/web/GeoServerBasePage.html:  <script type="text/javascript" src="js/jquery.placeholder.js"></script>
web/core/src/main/java/org/geoserver/web/GeoServerBasePage.html:  <script type="text/javascript" src="js/jquery.fullscreen.js"></script>
web/core/src/main/java/org/geoserver/web/GeoServerBasePage.html:  <script type="text/javascript">
web/core/src/main/java/org/geoserver/web/GeoServerLoginPage.html:  <script type="text/javascript">
web/core/src/main/java/org/geoserver/web/admin/LogPage.html:  <script defer="defer" type="text/javascript">
web/core/src/main/java/org/geoserver/web/system/status/JVMConsolePanel.html:  <script defer="defer" type="text/javascript">
web/core/src/main/java/org/geoserver/web/wicket/ColorPicker.html:  <script type="text/javascript" src="js/jscolor/jscolor.js"></script>
web/core/src/main/java/org/geoserver/web/wicket/GeoServerTablePanel.html:  <script type="text/javascript">
web/core/src/main/java/org/geoserver/web/wicket/js/editarea/plugins/charmap/popup.html:<script language="Javascript" type="text/javascript" src="jscripts/map.js">
web/demo/src/main/java/org/geoserver/web/demo/SRSDescriptionPage.html:  <script>

For the local event handlers bit I've come up with this instead:

> git grep -E -i " on\w+\s*=" -- "*.html"
web/core/src/main/java/org/geoserver/web/system/status/JVMConsolePanel.html:  <a onclick="downloadFile('dump.log')"><wicket:message key="download">download as dump text</wicket:message></a>
web/core/src/main/java/org/geoserver/web/wicket/js/editarea/plugins/charmap/popup.html:<body onload='map_load()'>
web/core/src/main/java/org/geoserver/web/wicket/js/editarea/plugins/charmap/popup.html:<select id='select_range' onchange='renderCharMapHTML()' title='{$charmap_choose_block}'>
web/demo/src/main/java/org/geoserver/web/demo/DemoRequestResponse.html:<body onload="document.getElementById('form').submit();return false;">

Do you think it's a complete list? If so, it's big (the style part at least) but not massive. Looks like a lot of small changes, which would fit nicely in my "around one hour a week" typical availability.

And now... back to house chores before wife gets mad at me 🤣

Cheers
Andrea

On Wed, Jan 3, 2024 at 1:08 AM Brad Hards <br...@frogmouth.net> wrote:

> On Wednesday, 3 January 2024 5:35:42 AM AEDT Torben Barsballe wrote:
> > Wicket 9 upgrade
> >
> > https://github.com/geoserver/geoserver/pull/7154
> >
> > Need to collect all pages and panels that need to be tested, make a list,
> > and divide the list amongst participants to the testing effort. First we
> > need Brad’s ok to move on.
>
> Part of the Wicket 9 changes is a (strict) Content Security Policy.
> See
> https://nightlies.apache.org/wicket/guide/9.x/single.html#_content_security_policy_csp
>
> CSP could help us a lot with security. See
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
> for what it does. The TL;DR version is it blocks most XSS attacks.
>
> It doesn't come for free though. We need to move or remove all the
> inline styling and javascript. For inline javascript, it
> needs to go into a "renderHead()" method.
>
> We also need to remove inline event handlers.
>
> I would like help to do that work, although I will get some of it done
> soon.
> Please let me know if you can help
>
> Since this stands a pretty good chance of breaking stuff,
> we should defer the manual testing.
>
> The only good news I have is that it looks like there will be automation
> support for getting from Wicket 9 to Wicket 10.
>
> https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+10.0#MigrationtoWicket10.0-AddmigrationrecipestoWicket10WICKET-7029
>
> Brad
>
>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!
Visit http://bit.ly/gs-services-us for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313
fax:   +39 0584 1660272
mob:   +39 339 8844549

https://www.geosolutionsgroup.com/
http://twitter.com/geosolutions_it

-------------------------------------------------------

With reference to the legislation on the processing of personal data (Reg. EU 2016/679 - General Data Protection Regulation "GDPR"), please note that every circumstance relating to this email (its content, any attachments, etc.) is information whose knowledge is reserved solely to the recipient(s) indicated by the sender. If the message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know.
This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail
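The three git grep searches in the thread above amount to a readiness audit for a strict Content Security Policy: a strict CSP refuses inline style attributes, inline script bodies and inline on*= event handlers unless each one is explicitly allow-listed by nonce or hash, while external scripts can be allowed by source. The POSIX shell script below, added here as an example and not code from the thread or from the GeoServer project, turns those searches into reusable functions over a directory tree rather than a git checkout, separates external <script src> tags (allowable under CSP) from inline ones (the ones that need to move into renderHead()), and exits non-zero while anything remains to migrate so it can gate a CI job. The two fixture pages it creates are constructed for the demonstration; the function names and the directory argument are this example's own.

```shell
#!/bin/sh
# Added example: audit a tree of HTML files for the three constructs a strict
# Content Security Policy rejects (inline style attributes, inline <script>
# bodies, inline on*= event handlers). Not code from the thread or GeoServer;
# the fixture pages built by make_fixture are constructed for the demo.

# count_matches DIR REGEX: number of case-insensitive matches of REGEX across
# all *.html files under DIR (grep -o prints one line per match, wc counts them).
count_matches() {
  find "$1" -name '*.html' -exec grep -E -i -o -- "$2" {} + | wc -l | tr -d ' '
}

# list_matches DIR REGEX: file:line:match for every hit, for working through
# them one by one. /dev/null is passed first so grep always prints file names.
list_matches() {
  find "$1" -name '*.html' -exec grep -E -i -n -o -- "$2" /dev/null {} +
}

# style="..." attributes: under a strict CSP these move to a stylesheet class
# (or, for things like display:none, to component visibility in code).
count_inline_styles() {
  count_matches "$1" 'style[[:space:]]*='
}

# <script ...> tags carrying src=: external scripts, allowable by source or nonce.
count_external_scripts() {
  count_matches "$1" '<script[^>]*src[[:space:]]*='
}

# <script> tags without src=: inline bodies that need to move into renderHead().
# Computed as all <script tags minus the external ones.
count_inline_scripts() {
  total=$(count_matches "$1" '<script[[:space:]>]')
  external=$(count_external_scripts "$1")
  echo $(( total - external ))
}

# on*= attributes (onload, onclick, onchange, ...): inline event handlers,
# which a strict CSP blocks; they need to become attached listeners.
count_inline_handlers() {
  count_matches "$1" '[[:space:]]on[a-z]+[[:space:]]*='
}

# csp_audit DIR: print a summary; return 0 only when nothing remains to migrate.
csp_audit() {
  styles=$(count_inline_styles "$1")
  ext=$(count_external_scripts "$1")
  inl=$(count_inline_scripts "$1")
  handlers=$(count_inline_handlers "$1")
  printf 'inline style attributes : %s\n' "$styles"
  printf 'external <script src>   : %s (allowable by source/nonce)\n' "$ext"
  printf 'inline <script> bodies  : %s\n' "$inl"
  printf 'inline on*= handlers    : %s\n' "$handlers"
  [ "$(( styles + inl + handlers ))" -eq 0 ]
}

# make_fixture: throwaway directory with two constructed pages, one mirroring
# the patterns the thread's searches found and one already migrated.
make_fixture() {
  fixture_dir=$(mktemp -d)
  cat > "$fixture_dir/panel.html" <<'EOF'
<html>
<body onload="init()">
<div style="display:none">hidden until ready</div>
<script type="text/javascript" src="js/jquery.placeholder.js"></script>
<script type="text/javascript">init();</script>
<a onclick="downloadFile('dump.log')">download as dump text</a>
</body>
</html>
EOF
  cat > "$fixture_dir/clean.html" <<'EOF'
<html><body><div class="hidden">migrated</div></body></html>
EOF
  printf '%s\n' "$fixture_dir"
}

# Stand-alone use: `sh csp_audit.sh path/to/webapp`. With no argument the
# constructed fixture is audited so the output can be seen immediately
# (expected: 1 style, 1 external script, 1 inline script, 2 handlers).
target=${1:-}
[ -n "$target" ] || target=$(make_fixture)
csp_audit "$target" || :   # non-zero status means work remains
```

Run against a real webapp tree with `sh csp_audit.sh web/core/src/main` and use `list_matches DIR REGEX` with the same patterns to get file:line locations for the migration list; the counts here are per match rather than per file, which is what the thread's 95/17 figures also measure.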