Hi, The version is intended to be used by the browser for client side caching, not by Wicket. That's why it is just stripped off by Wicket without any validation. Actually if Wicket rejects it then you won't be able to update your resources in new application versions.
Martin Grigorov Wicket Training and Consulting https://twitter.com/mtgrigorov On Tue, May 31, 2016 at 4:51 PM, Daniel Stoch <daniel.st...@gmail.com> wrote: > Hi, > > By default Wicket (6.x) uses IResourceCachingStrategy which generates > resource urls like this one: > > http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver-1E0DAFB24FE33C93370DE13BF6FFE77F.js > > But as a user I can generate almost any version number in this url and > it will be handled correctly by Wicket. For example these urls still > work ok: > > http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver-123.js > > http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver--alert('1');return > false;.js > > Is it a desired behavior or maybe Wicket should reject such > "incorrect" versions? Could it be some security issue? > > -- > Best regards, > Daniel > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > >