Make BootstrapFileInputField strict content security policy compliant #901
Comments
Thanks for the report!
Considering this is Bootstrap we are using here, I believe the change should be simple: switching from adding a style attribute to adding/removing the Bootstrap CSS class
However, this is not a thing that should be fixed in Wicket Bootstrap because it would prevent updating the fileinput component which originally comes from https://github.com/kartik-v/bootstrap-fileinput. So this should probably be fixed upstream in https://github.com/kartik-v/bootstrap-fileinput.
Essentially, the CSP issue boils down to calls to jQuery's
There was an upstream issue related to CSP which actually did re-implement parts of the templating/theming: kartik-v/bootstrap-fileinput#1565 However, I just checked in the latest version of bootstrap-fileinput and it still uses
I have opened another upstream issue: kartik-v/bootstrap-fileinput#1833
When loading a BootstrapFileInputField that has no errors, it is hidden through style attribute
It is happening in Wicket Bootstrap 5.0.4
https://github.com/l0rdn1kk0n/wicket-bootstrap/blob/add49f25467d2f7ee51a5aa88eff308c6b302fb8/bootstrap-extensions/src/main/java/de/agilecoders/wicket/extensions/markup/html/bootstrap/form/fileinput/res/js/fileinput.js#L661
Below is another .hide() call and likely more similar cases exist.
Adding style attribute is not allowed in CSP strict mode.
Please fix BootstrapFileInputField and other components to be CSP compliant.
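The constraint raised in this issue, that a strict policy refuses style attributes, can be checked against a concrete policy string. The JavaScript below is an added example, not code from Wicket Bootstrap or bootstrap-fileinput; the function names and sample policies are constructed, and it assumes the CSP Level 3 fallback order `style-src-attr`, `style-src`, `default-src` for a single policy.

```javascript
// Added example (hypothetical helper names): does one CSP policy let
// inline style="" attributes take effect?

// Split a policy string into a Map of directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns 'allowed', 'hash-only' or 'blocked' for style attributes.
function styleAttributeVerdict(header) {
  const directives = parsePolicy(header);
  // Fallback chain that governs style attributes in CSP Level 3.
  const governing = ['style-src-attr', 'style-src', 'default-src']
    .find((name) => directives.has(name));
  if (!governing) return 'allowed'; // nothing in the policy restricts styles

  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const hasNonce = sources.some((s) => s.startsWith("'nonce-"));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/.test(s));

  // 'unsafe-inline' is ignored as soon as a nonce or hash is listed.
  if (sources.includes("'unsafe-inline'") && !hasNonce && !hasHash) return 'allowed';
  // Nonces never apply to attributes; hashes do only with 'unsafe-hashes'.
  if (hasHash && sources.includes("'unsafe-hashes'")) return 'hash-only';
  return 'blocked';
}

// Constructed sample policies, not taken from any real deployment.
const samplePolicies = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "style-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",
  "style-src 'self'; style-src-attr 'unsafe-inline'",
];
for (const policy of samplePolicies) {
  console.log(styleAttributeVerdict(policy).padEnd(9), policy);
}
```

A `blocked` verdict means markup carrying a `style` attribute will be refused by the browser, so visibility has to be switched with a CSS class instead, as the first comment suggests.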