From a8b3f97bd019e601f664a3697f12994bad1cb862 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Go=CC=88tz?=
Date: Tue, 15 May 2012 09:13:53 +0200
Subject: [PATCH 1/3] WICKET-4219: Enable markup escaping of WizardStep's labels by default due to security aspects WizardStep's Header Labels now inherit the escape settings from Header, thus escaping can now be configured by overriding getHeader in WizardStep: @Override public Component getHeader(String id, Component parent, IWizard wizard) { return super.getHeader(id, parent, wizard).setEscapeModelStrings(true|false); } Thus the default is that the Strings will be escaped.
---
 .../wicket/extensions/wizard/WizardStep.java | 90 ++++++++++---------
 1 file changed, 46 insertions(+), 44 deletions(-)
diff --git a/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java b/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java
index 7f9bd843d69..f69b29f1eb6 100644
--- a/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java
+++ b/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java
@@ -16,12 +16,6 @@ */
 package org.apache.wicket.extensions.wizard;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
 import org.apache.wicket.Component;
 import org.apache.wicket.extensions.wizard.dynamic.DynamicWizardModel;
 import org.apache.wicket.markup.html.basic.Label;
@@ -34,6 +28,7 @@ import org.apache.wicket.model.IModel;
 import org.apache.wicket.model.Model;
+import java.util.*;
 /**
 * default implementation of {@link IWizardStep}. It is also a panel, which is used as the view
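Review bot: The five explicit `java.util` imports removed in this hunk come back as a single wildcard `import java.util.*;` in the next hunk, placed after the `org.apache.wicket` group instead of before it where the explicit ones sat. The rest of the header lists every import explicitly with the `java.*` group first, so the swap trades the file's convention for a star import without functional gain and hides which `java.util` types the class actually uses. Keeping `import java.util.ArrayList;` through `import java.util.Set;` as they were, or at least moving the wildcard up into the `java.*` group, would leave the import block consistent with the file.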
@@ -149,44 +144,51 @@ private final boolean isActiveStep()
 /**
 * Default header for wizards.
 */
- private final class Header extends Panel
- {
- private static final long serialVersionUID = 1L;
-
- /**
- * Construct.
- *
- * @param id
- * The component id
- * @param wizard
- * The containing wizard
- */
- public Header(final String id, final IWizard wizard)
- {
- super(id);
- setDefaultModel(new CompoundPropertyModel(wizard));
- add(new Label("title", new AbstractReadOnlyModel()
- {
- private static final long serialVersionUID = 1L;
-
- @Override
- public String getObject()
- {
- return getTitle();
- }
- }).setEscapeModelStrings(false));
- add(new Label("summary", new AbstractReadOnlyModel()
- {
- private static final long serialVersionUID = 1L;
-
- @Override
- public String getObject()
- {
- return getSummary();
- }
- }).setEscapeModelStrings(false));
- }
- }
+ private final class Header extends Panel
+ {
+ private static final long serialVersionUID = 1L;
+
+ /**
+ * Construct.
+ *
+ * @param id
+ * The component id
+ * @param wizard
+ * The containing wizard
+ */
+ public Header(final String id, final IWizard wizard)
+ {
+ super(id);
+ setDefaultModel(new CompoundPropertyModel(wizard));
+ }
+
+ @Override
+ protected void onInitialize() {
+ super.onInitialize();
+
+ add(new Label("title", new AbstractReadOnlyModel()
+ {
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public String getObject()
+ {
+ return getTitle();
+ }
+ }).setEscapeModelStrings(getEscapeModelStrings()));
+ add(new Label("summary", new AbstractReadOnlyModel()
+ {
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public String getObject()
+ {
+ return getSummary();
+ }
+ }).setEscapeModelStrings(getEscapeModelStrings()));
+ }
+
+ }
 private static final long serialVersionUID = 1L;
From d2ef3ff2d0ede768d6b94633a8593c0345350b72 Mon Sep 17 00:00:00 2001
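Review bot: The whole `Header` class is deleted and re-added, apparently because its indentation changed, which buries the two real edits — the `add(...)` calls moving from the constructor into `onInitialize()` and `setEscapeModelStrings(false)` becoming `setEscapeModelStrings(getEscapeModelStrings())` — under some eighty lines of whitespace churn; re-indenting to the file's existing style would shrink the hunk to a handful of lines. The new `protected void onInitialize() {` also puts the opening brace on the signature line while every other method in the class, including the constructor directly above it, has it on its own line. Since the commit exists to flip the default to escaped output, the class Javadoc should say so instead of staying at `Default header for wizards.`; something like `* Default header for wizards. Its title and summary labels inherit this panel's escape-model-strings setting, so their text is escaped unless the header returned by {@link WizardStep#getHeader} has been configured otherwise.` makes the contract visible to subclasses that override `getHeader`.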
From: =?UTF-8?q?Thomas=20Go=CC=88tz?=
Date: Tue, 15 May 2012 10:23:04 +0200
Subject: [PATCH 2/3] WICKET-4219: Enable markup escaping of WizardStep's labels by default due to security aspects setEscapeModelStrings is now called in label's onConfigure()
---
 .../wicket/extensions/wizard/WizardStep.java | 37 ++++++++++++++-----
 1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java b/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java
index f69b29f1eb6..279a5581713 100644
--- a/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java
+++ b/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java
@@ -166,26 +166,43 @@ public Header(final String id, final IWizard wizard)
 protected void onInitialize() {
 super.onInitialize();
- add(new Label("title", new AbstractReadOnlyModel()
- {
+ // Title
+ final AbstractReadOnlyModel titleModel = new AbstractReadOnlyModel() {
 private static final long serialVersionUID = 1L;
 @Override
- public String getObject()
- {
+ public String getObject() {
 return getTitle();
 }
- }).setEscapeModelStrings(getEscapeModelStrings()));
- add(new Label("summary", new AbstractReadOnlyModel()
- {
+ };
+ add(new Label("title", titleModel) {
 private static final long serialVersionUID = 1L;
 @Override
- public String getObject()
- {
+ protected void onConfigure() {
+ super.onConfigure();
+ setEscapeModelStrings(Header.this.getEscapeModelStrings());
+ }
+ });
+
+ // Summary
+ final AbstractReadOnlyModel summaryModel = new AbstractReadOnlyModel() {
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public String getObject() {
 return getSummary();
 }
- }).setEscapeModelStrings(getEscapeModelStrings()));
+ };
+ add(new Label("summary", summaryModel) {
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ protected void onConfigure() {
+ super.onConfigure();
+ setEscapeModelStrings(Header.this.getEscapeModelStrings());
+ }
+ });
 }
 }
From 33fb23834cca2c7cd862cf8c2172265a0404bda2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Go=CC=88tz?=
Date: Tue, 15 May 2012 10:37:19 +0200
Subject: [PATCH 3/3] WICKET-4219: Enable markup escaping of WizardStep's labels by default due to security aspects introduced HeaderLabel as inner class
---
 .../wicket/extensions/wizard/WizardStep.java | 51 ++++++++++++-------
 1 file changed, 34 insertions(+), 17 deletions(-)
diff --git a/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java b/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java
index 279a5581713..d1f4a1a5349 100644
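Review bot: The unchanged `getObject()` bodies are rewritten only to move their opening brace onto the signature line (`public String getObject() {`), and the new `onConfigure()` overrides follow the same shape, while the `Header` constructor shown in the hunk context and the rest of the file keep the brace on its own line; the hunk thereby mixes two brace styles inside one class and adds churn to lines whose logic did not change. Reading the flag in the labels' `onConfigure()` instead of once in `onInitialize()` is the substantive part and nothing explains why the per-render hook is needed; if the intent is that a header whose flag is set after construction (as the first commit's message describes, via `getHeader`) is still honoured, a why-comment such as `// re-read on each configure so an escape setting applied to the header after construction is honoured` next to the `setEscapeModelStrings` call would make that clear. The `// Title` and `// Summary` markers add little beyond what the component ids already say.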
--- a/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java
+++ b/wicket-extensions/src/main/java/org/apache/wicket/extensions/wizard/WizardStep.java
@@ -175,15 +175,7 @@ public String getObject() {
 return getTitle();
 }
 };
- add(new Label("title", titleModel) {
- private static final long serialVersionUID = 1L;
-
- @Override
- protected void onConfigure() {
- super.onConfigure();
- setEscapeModelStrings(Header.this.getEscapeModelStrings());
- }
- });
+ add(new HeaderLabel("title", titleModel, this));
 // Summary
 final AbstractReadOnlyModel summaryModel = new AbstractReadOnlyModel() {
@@ -194,15 +186,40 @@ public String getObject() {
 return getSummary();
 }
 };
- add(new Label("summary", summaryModel) {
- private static final long serialVersionUID = 1L;
+ add(new HeaderLabel("summary", summaryModel, this));
+ }
- @Override
- protected void onConfigure() {
- super.onConfigure();
- setEscapeModelStrings(Header.this.getEscapeModelStrings());
- }
- });
+ }
+
+ /**
+ * Default label for title and summary, calls {@link Header#getEscapeModelStrings()}
+ * to determine wether it's model strings should be escaped or not.
+ */
+ private static final class HeaderLabel extends Label
+ {
+ private static final long serialVersionUID = 1L;
+ private final Header header;
+
+ /**
+ * Construct.
+ *
+ * @param id
+ * The component id
+ * @param model
+ * The model
+ * @param header
+ * The wizard's header
+ */
+ private HeaderLabel(String id, IModel model, Header header) {
+ super(id, model);
+ this.header = header;
+ }
+
+ @Override
+ protected void onConfigure() {
+ super.onConfigure();
+ // Header decides about escaping of model strings
+ setEscapeModelStrings(header.getEscapeModelStrings());
 }
 }