Re: Generate markup for hidden framework form field?
janneru wrote:
> i also just found a similar one by uwe schaefer:
> http://www.codesmell.org/blog/2008/12/wicket-secureform/
> cheers uwe.

note that it is just a copy of what mighty igor posted here :)
i'm using it in production a lot. thx again, igor.

cu uwe
Re: Generate markup for hidden framework form field?
thx jörn for sharing ur solution!

i also just found a similar one by uwe schaefer:
http://www.codesmell.org/blog/2008/12/wicket-secureform/

cheers uwe.

On Tue, May 26, 2009 at 2:43 PM, Jörn Zaefferer wrote:
> Thanks guys! The end result looks like this, works fine, and removed a
> lot of html boilerplate from our templates:
>
>     public SecureForm(String id, IModel model) {
>         super(id, model);
>         setMarkupId(id);
>         add(new IFormValidator() {
>             @Override
>             public void validate(Form form) {
>                 String submitted = getRequest().getParameter("csrf-protection");
>                 if (Application.get().getConfigurationType().equals(Application.DEPLOYMENT)
>                         && !csrfProtection().equals(submitted)) {
>                     log.warn("potential csrf attack, submitted value: " + submitted
>                             + ", expected: " + csrfProtection());
>                     form.error("wrong csrf protection cookie");
>                 }
>             }
>
>             @Override
>             public FormComponent[] getDependentFormComponents() {
>                 return null;
>             }
>         });
>     }
>
>     @Override
>     protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
>         getResponse().write(new AppendingStringBuffer(
>                 "<input type=\"hidden\" name=\"csrf-protection\" value=\"")
>                 .append(csrfProtection()).append("\" />"));
>         super.onComponentTagBody(markupStream, openTag);
>     }
>
> Jörn
Re: Generate markup for hidden framework form field?
Thanks guys! The end result looks like this, works fine, and removed a
lot of html boilerplate from our templates:

    public SecureForm(String id, IModel model) {
        super(id, model);
        setMarkupId(id);
        add(new IFormValidator() {
            @Override
            public void validate(Form form) {
                String submitted = getRequest().getParameter("csrf-protection");
                if (Application.get().getConfigurationType().equals(Application.DEPLOYMENT)
                        && !csrfProtection().equals(submitted)) {
                    log.warn("potential csrf attack, submitted value: " + submitted
                            + ", expected: " + csrfProtection());
                    form.error("wrong csrf protection cookie");
                }
            }

            @Override
            public FormComponent[] getDependentFormComponents() {
                return null;
            }
        });
    }

    @Override
    protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
        getResponse().write(new AppendingStringBuffer(
                "<input type=\"hidden\" name=\"csrf-protection\" value=\"")
                .append(csrfProtection()).append("\" />"));
        super.onComponentTagBody(markupStream, openTag);
    }

Jörn

On Tue, May 26, 2009 at 2:23 PM, Jörn Zaefferer wrote:
> The current component (the HiddenField) checks that the same value
> that it started with, is submitted. I'll try to replace that using a
> form validator that reads the parameter directly.
>
> Thanks
> Jörn
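A hardened form of the token handling in the SecureForm above, as an added example that is not part of the original posts or of Wicket: the check is independent of the configuration type, rejects a missing token, compares in constant time, escapes the value written into the markup, and keeps token values out of the log. The class `CsrfTokenCheck`, its method names and the token format are assumptions; the thread does not show how `csrfProtection()` obtains its value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration: CsrfTokenCheck and its methods are hypothetical names, not Wicket API.
public final class CsrfTokenCheck {

    // Parameter name used by the SecureForm in the thread.
    static final String FIELD_NAME = "csrf-protection";

    private static final SecureRandom RANDOM = new SecureRandom();

    // 256 bits from a CSPRNG, base64url-encoded (assumed token format).
    static String newToken() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Escape a value for use inside a double-quoted HTML attribute.
    static String escapeAttribute(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Markup a form would write from onComponentTagBody.
    static String hiddenInput(String token) {
        return "<input type=\"hidden\" name=\"" + FIELD_NAME
                + "\" value=\"" + escapeAttribute(token) + "\" />";
    }

    // True only when both values are present and equal; MessageDigest.isEqual
    // compares without stopping at the first differing byte.
    static boolean matches(String expected, String submitted) {
        if (expected == null || expected.isEmpty() || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    // Log text for a rejected submission: states what failed, never the token values.
    static String rejectionMessage(String submitted) {
        String detail = (submitted == null)
                ? "parameter missing"
                : "value mismatch (submitted length " + submitted.length() + ")";
        return "potential csrf attack: " + FIELD_NAME + " " + detail;
    }

    public static void main(String[] args) {
        String expected = newToken();
        System.out.println(hiddenInput(expected));

        // Constructed submissions: the valid token, a missing parameter, an empty value, a near miss.
        String[] submissions = { expected, null, "", expected + "x" };
        for (String submitted : submissions) {
            System.out.println(matches(expected, submitted)
                    ? "accepted"
                    : rejectionMessage(submitted));
        }

        // Escaping holds even if the token source ever returns markup characters.
        System.out.println(hiddenInput("a\"><b"));
    }
}
```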
Re: Generate markup for hidden framework form field?
The current component (the HiddenField) checks that the same value
that it started with, is submitted. I'll try to replace that using a
form validator that reads the parameter directly.

Thanks
Jörn

On Tue, May 26, 2009 at 1:32 PM, Maarten Bosteels wrote:
> When you write it out with oncomponenttagbody it's not part of the
> component hierarchy, it's just rendered markup.
> Once the form is submitted, you can retrieve the value using the servlet
> API.
> What behavior would you want to add on top?
>
> Maarten
Re: Generate markup for hidden framework form field?
When you write it out with oncomponenttagbody it's not part of the
component hierarchy, it's just rendered markup.
Once the form is submitted, you can retrieve the value using the servlet
API.
What behavior would you want to add on top?

Maarten

On Tue, May 26, 2009 at 12:17 PM, Jörn Zaefferer <joern.zaeffe...@googlemail.com> wrote:
> How is that going to fix the problem? I'd end up with markup, but no
> behaviour on top of it.
>
> Jörn
Re: Generate markup for hidden framework form field?
How is that going to fix the problem? I'd end up with markup, but no
behaviour on top of it.

Jörn

On Mon, May 25, 2009 at 5:52 PM, Igor Vaynberg wrote:
> right, so remove that code since you have replaced that component with
> pure markup.
>
> -igor
Re: Generate markup for hidden framework form field?
right, so remove that code since you have replaced that component with
pure markup.

-igor

On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer wrote:
> That was the idea. But Wicket still can't find the component markup
> when looking for it. The form adds this elsewhere:
>
>     add(new HiddenField("csrf-protection", new Model(csrfProtection()))
>             .setRequired(true).add(new IValidator() {
>         public void validate(IValidatable validatable) {
>             log.warn("potential csrf attack, submitted value: "
>                     + validatable.getValue() + ", expected: " + csrfProtection());
>             validatable.error(new ValidationError().setMessage("wrong csrf protection cookie"));
>         }
>     }));
>
> Jörn
Re: Generate markup for hidden framework form field?
That was the idea. But Wicket still can't find the component markup
when looking for it. The form adds this elsewhere:

    add(new HiddenField("csrf-protection", new Model(csrfProtection()))
            .setRequired(true).add(new IValidator() {
        public void validate(IValidatable validatable) {
            log.warn("potential csrf attack, submitted value: "
                    + validatable.getValue() + ", expected: " + csrfProtection());
            validatable.error(new ValidationError().setMessage("wrong csrf protection cookie"));
        }
    }));

Jörn

On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg wrote:
> if you write it out in oncomponenttagbody then you don't need it in the
> markup anymore.
>
> -igor
Re: Generate markup for hidden framework form field?
if you write it out in oncomponenttagbody then you don't need it in the
markup anymore.

-igor

On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer wrote:
> Hi,
>
> my application uses a form subclass everywhere for CSRF protection.
> Each form needs a hidden field like this:
>
>     <input type="hidden" wicket:id="csrf-protection" />
>
> The wicket component for that is added by the form subclass
> (SecureForm) which all other forms in the application extend.
>
> Currently each form has to include that markup somewhere, producing a
> lot of duplication.
>
> I'm looking for a way to get rid of that duplication. An approach I'm
> currently investigating is to generate the markup, similar to how Form
> generates a hidden input in its onComponentTagBody:
>
>     @Override
>     protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
>         String nameAndId = get("csrf-protection").getId();
>         AppendingStringBuffer buffer = new AppendingStringBuffer("");
>         getResponse().write(buffer);
>         super.onComponentTagBody(markupStream, openTag);
>     }
>
> That doesn't work, Wicket throws an exception of a missing reference
> in markup anyway. Likely because this just writes to the response, not
> extending the markup.
> I also don't see any way to achieve this via MarkupStream or ComponentTag.
>
> Any ideas?
>
> Regards
> Jörn Zaefferer
Generate markup for hidden framework form field?
Hi,

my application uses a form subclass everywhere for CSRF protection.
Each form needs a hidden field like this:

    <input type="hidden" wicket:id="csrf-protection" />

The wicket component for that is added by the form subclass
(SecureForm) which all other forms in the application extend.

Currently each form has to include that markup somewhere, producing a
lot of duplication.

I'm looking for a way to get rid of that duplication. An approach I'm
currently investigating is to generate the markup, similar to how Form
generates a hidden input in its onComponentTagBody:

    @Override
    protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
        String nameAndId = get("csrf-protection").getId();
        AppendingStringBuffer buffer = new AppendingStringBuffer("");
        getResponse().write(buffer);
        super.onComponentTagBody(markupStream, openTag);
    }

That doesn't work, Wicket throws an exception of a missing reference
in markup anyway. Likely because this just writes to the response, not
extending the markup.
I also don't see any way to achieve this via MarkupStream or ComponentTag.

Any ideas?

Regards
Jörn Zaefferer