[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17453973#comment-17453973 ]

Alexandre commented on WICKET-6938:

[~svenmeier] Thank you, it is pretty much what I'm doing now. I have to be creative to get the onclick of the choice selection, but it is now working.

> wicket-autocomplete.js not CSP compliant
>
> Key: WICKET-6938
> URL: https://issues.apache.org/jira/browse/WICKET-6938
> Project: Wicket
> Issue Type: Bug
> Components: wicket-extensions
> Affects Versions: 9.6.0
> Reporter: Alexandre
> Priority: Major
>
> While upgrading from wicket 8 to 9.6 we are trying to implement CSP. We also
> use the autocompletebehavior. This in turn calls wicket-autocomplete.js
> (wicket-extensions\src\main\java\org\apache\wicket\extensions\ajax\markup\html\autocomplete).
> This js file contains a "handleSelection" function trying to "eval(attr.value)",
> throwing a CSP 'unsafe-eval' exception.
> So the autocomplete textfield will display choices, but won't handle user
> selection.

--
This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17453334#comment-17453334 ]

Sven Meier commented on WICKET-6938:

Regarding AbstractAutoCompleteRenderer#getOnSelectJavaScriptExpression(): I would just deprecate it, as the two examples given in the Javadoc are dubious anyways: the first can be done with an OnChangeAjaxBehavior instead, and the second wouldn't work, since Ajax is asynchronous.
[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17453331#comment-17453331 ]

Sven Meier commented on WICKET-6938:

[~alfortin] Try this:

{code:java}
IAutoCompleteRenderer<Foo> renderer = new AbstractAutoCompleteTextRenderer<Foo>() {
    // Value written into the text field when a choice is selected
    @Override
    protected String getTextValue(Foo foo) {
        return foo.getName();
    }

    // Markup shown for the choice in the popup list
    @Override
    protected void renderChoice(Foo foo, Response response, String criteria) {
        String string = foo.getFullName();
        // Escape before writing into the response so the name cannot inject markup
        string = Strings.escapeMarkup(string).toString();
        response.write(string);
    }
};
{code}
[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452555#comment-17452555 ]

Alexandre commented on WICKET-6938:

Ok thank you. I'm looking to see what can be done.
[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452554#comment-17452554 ]

Emond Papegaaij commented on WICKET-6938:

[~alfortin] This will need to be addressed in the component itself. I think [~mgrigorov] is working on a solution, right? If not, I can have a look, but that will be next week, as I'm a bit occupied this week.
[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452533#comment-17452533 ]

Alexandre commented on WICKET-6938:

[~papegaaij] Thanks for the response. Right now I have no issue triggering off the "enter" key of my textfield with OnEventHeaderItem.forComponent. But I'm not able to register the click event of the popup since the popup does not exist yet at page load. It is created dynamically. I believe OnEventHeaderItem.forMarkupId fails for lack of a div. Once the popup has been shown at least once, I can inspect and find it, but not before. This is problematic. Do you have a solution on how to register an event for an item that does not yet exist?
[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452500#comment-17452500 ]

Emond Papegaaij commented on WICKET-6938:

[~alfortin] You cannot use eval in any way without unsafe-eval, and that needs to be set in the CSP of your page, which probably is not what you want. This needs to be fixed by rendering the {{getOnSelectJavaScriptExpression}} in a proper event handler, which will be part of the head of your page. There, you should not need eval because the event handler already is executable JavaScript (and not a text-value of an attribute). It's probably similar to what I did here for links: https://github.com/apache/wicket/commit/bcda1de49a4b3faa74d0a11e893bba9d099ea9bc
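Added example (not part of the thread and not Wicket's code): one CSP-compatible way to handle a click on a choice that is created after page load, using a single delegated listener and a handler lookup instead of `eval(attr.value)`. The `textvalue` and `data-onselect` attribute names, the handler registry and all function names are assumptions made for illustration.

```javascript
// Handlers live in ordinary script code (allowed by script-src 'self' or a nonce),
// so nothing is ever compiled from an attribute string.
const selectHandlers = new Map();

function registerSelectHandler(name, fn) {
  if (typeof fn !== 'function') throw new TypeError('handler must be a function');
  selectHandlers.set(name, fn);
}

// Walk up from the clicked node to the choice element (the one carrying the
// assumed "textvalue" attribute), stopping at the container.
function findChoice(target, container) {
  for (let node = target; node && node !== container; node = node.parentNode) {
    if (node.getAttribute && node.getAttribute('textvalue') !== null) return node;
  }
  return null;
}

// Replacement for eval(attr.value): the attribute is only a lookup key.
// An unknown key falls back to the plain text value; nothing is executed.
function handleSelection(choice) {
  const value = choice.getAttribute('textvalue');
  const key = choice.getAttribute('data-onselect');
  const fn = key === null ? undefined : selectHandlers.get(key);
  if (!fn) return value;
  const result = fn(value, choice);
  return typeof result === 'string' ? result : value;
}

// One listener on an element that exists at page load (e.g. document.body).
// Choices added to the DOM later are covered because click events bubble up.
function installDelegatedClick(container, onSelected) {
  container.addEventListener('click', (event) => {
    const choice = findChoice(event.target, container);
    if (choice) onSelected(handleSelection(choice));
  });
}
```

In a page, `installDelegatedClick(document.body, v => { input.value = v; })` would run once from a script served under the page's CSP; the popup markup then only carries data attributes.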
[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452443#comment-17452443 ]

Alexandre commented on WICKET-6938:

[~mgrigorov] The use case is the following: the choices in the list are fully developed names (i.e. title, first name, last name), but when the user clicks we call an "AbstractDefaultAjaxBehavior" with Wicket.Ajax.get (defined in getOnSelectJavaScriptExpression) to set the textfield value with the username instead. This scenario is pretty much what the examples are describing. I understand now that this will break because the unsafe eval is there. You can close this issue, I will try moving this logic to an event handler as suggested. Thank you
[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452429#comment-17452429 ]

Martin Tzvetanov Grigorov commented on WICKET-6938:

[~alfortin] Could you please explain more how you use getOnSelectJavaScriptExpression() exactly? "Removing the on select fixed the eval issue but breaks on select behavior" is not quite clear to me.

At the moment getOnSelectJavaScriptExpression() could be used to enhance the item's value. The examples in the javadoc are very optimistic, e.g. one of them uses Ajax to fetch some extra data, but Ajax is asynchronous, so obviously it won't work as is.

As far as I can see, if you want to avoid the CSP error you have to move the JS logic to Java.
[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452240#comment-17452240 ]

Martin Tzvetanov Grigorov commented on WICKET-6938:

Some comments at https://github.com/apache/wicket/commit/7724a8b#commitcomment-61225205
[jira] [Commented] (WICKET-6938) wicket-autocomplete.js not CSP compliant
[ https://issues.apache.org/jira/browse/WICKET-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17451887#comment-17451887 ]

Alexandre commented on WICKET-6938:

To help debugging of this: we do have "getOnSelectJavaScriptExpression" overridden in our AbstractAutoCompleteTextRenderer because what the user sees in the choices list is more verbose than the actual choice. Removing the on select fixed the eval issue but breaks on select behavior. Thank you.