On Wed, 20 Oct 2021 at 17:21, Shengche Hsiao <shengchehs...@gmail.com> wrote:
> Dear Martin
>
> After I applied the code, the website showed exceptions below
>
> ERROR [org.apache.wicket.DefaultExceptionMapper] (default task-2521)
> Unexpected error occurred: org.apache.wicket.WicketRuntimeException: An
> error occurred while generating an Url for handler
> 'ResourceReferenceRequestHandler{resourceReference=scope:
> org.apache.wicket.resource.JQueryResourceReference; name:
> jquery/jquery-2.2.4.js; locale: null; style: null; variation: null,
> pageParameters=}'
>
> Caused by:
> org.apache.wicket.request.resource.PackageResource$PackageResourceBlockedException:
> Access denied to (static) package resource
> org/apache/wicket/resource/jquery/jquery-2.2.4.js. See IPackageResourceGuard

It seems you are still using 2.2.4.
Please ensure it is switched via `getJavaScriptLibrarySettings().setJQueryReference`

> From: Martin Grigorov <mgrigo...@apache.org>
> Date: Wednesday, October 20, 2021 at 14:34
> To: users@wicket.apache.org <users@wicket.apache.org>
> Subject: Re: About jQuery 2.2.4 vulnerability
>
> You could use SecurePackageResourceGuard to forbid access to a resource.
> In YourApplication#init():
>
> SecurePackageResourceGuard guard = (SecurePackageResourceGuard)
>     getResourceSettings().getPackageResourceGuard();
> guard.addPattern("-**/jquery-2*.js");
>
> On Wed, Oct 20, 2021 at 9:25 AM Shengche Hsiao <shengchehs...@gmail.com>
> wrote:
>
> > Dear Martin
> >
> > I actually configured with jQuery version 3 on Application, and on browser
> > console showed jquery version with 3.6.0. But the scanner still finds this
> > url
> > [https://mysite/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-2.2.4-v-6233386130326534.js]
> > appears. I know this resource is generated automatically by Wicket 8.13.0
> > (our project), and I don't want this url resource to be retrieved by scanner.
> > How to do that?
> >
> > From: Martin Grigorov <mgrigo...@apache.org>
> > Date: Wednesday, October 20, 2021 at 14:17
> > To: users@wicket.apache.org <users@wicket.apache.org>
> > Subject: Re: About jQuery 2.2.4 vulnerability
> >
> > Hi,
> >
> > On Wed, Oct 20, 2021 at 5:46 AM Shengche Hsiao <shengchehs...@gmail.com>
> > wrote:
> >
> > > Dear All
> > >
> > > Recently, our website made a vulnerability scanning. The report shows
> > > [/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-2.2.4-v-6233386130326534.js]
> > > as a vulnerability library. How do I disallow output
> > > this jquery version to avoid scan?
> >
> > I don't understand your question. Please re-phrase if the following does
> > not help you!
> >
> > You can upgrade jQuery by adding such code to YourApplication#init():
> >
> > getJavaScriptLibrarySettings().setJQueryReference(new
> >     JavaScriptResourceReference(MyClass.class, "jquery-x.y.z.js"));
> >
> > you could use org.apache.wicket.resource.JQueryResourceReference#INSTANCE_3,
> > for example
> >
> > > Thanks

--
Best regards,
Maxim
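
The two settings discussed in this thread, combined in one `init()` so the guard is only added once the jQuery reference has been switched. This is an added example, not code from the thread or from the Wicket project; `MyApplication`, `HomePage` and the startup check are assumptions, and `INSTANCE_3` is the Wicket 8 constant named in the thread.

```java
import org.apache.wicket.Page;
import org.apache.wicket.markup.html.IPackageResourceGuard;
import org.apache.wicket.markup.html.SecurePackageResourceGuard;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.resource.ResourceReference;
import org.apache.wicket.resource.JQueryResourceReference;

// Hypothetical application class; HomePage is assumed to exist in the project.
public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }

    @Override
    protected void init() {
        super.init();

        // 1. Switch the application-wide jQuery reference, so Wicket's own
        //    components stop generating URLs for jquery-2.2.4.js.
        getJavaScriptLibrarySettings()
            .setJQueryReference(JQueryResourceReference.INSTANCE_3);

        // ... other application settings ...

        // 2. Deny direct requests for the bundled 2.x file. Any component that
        //    still references jquery-2.2.4.js will now fail at render time with
        //    PackageResourceBlockedException, as in the stack trace above.
        IPackageResourceGuard guard = getResourceSettings().getPackageResourceGuard();
        if (guard instanceof SecurePackageResourceGuard) {
            ((SecurePackageResourceGuard) guard).addPattern("-**/jquery-2*.js");
        } else {
            throw new IllegalStateException("Unexpected guard: " + guard.getClass());
        }

        // 3. Run last: fail at startup instead of at render time if the
        //    configured reference was overwritten with a 2.x file later in init().
        ResourceReference jquery = getJavaScriptLibrarySettings().getJQueryReference();
        if (jquery.getName().contains("jquery-2")) {
            throw new IllegalStateException(
                "jQuery reference is still " + jquery.getName());
        }
    }
}
```

The startup check only covers the application-wide setting; a component that references the 2.x resource directly is caught by the guard at render time.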