primefaces: AutoComplete: Custom rendering with links causes CSP issues
Describe the bug
Hi,
We have an autocomplete component with commandLinks used as autocomplete result items.
Without CSP it works fine. When we turn CSP on, it reports problems in the JS console.
The first errors occur when text is entered in the autocomplete and results are rendered in the page (each result item has its error). The second type of error occurs when an item is clicked.
Please see reproducer project attached below.
Reproducer
XHTML snippet:
<h:form>
    <p:commandButton id="leftmenuSearchButton" type="button" icon="fa fa-search" />
    <p:overlayPanel for="leftmenuSearchButton" widgetVar="leftMenuSearchPanel" at="right top"
                    onHide="PF('leftMenuSearchAutocompleteWidgetVar').clear();">
        <p:autoComplete id="leftMenuSearchAutocomplete" var="_leftMenuSearchResultItem"
                        widgetVar="leftMenuSearchAutocompleteWidgetVar" minQueryLength="1"
                        completeMethod="#{testView.searchAutocomplete}">
            <p:ajax event="query" ignoreAutoUpdate="true"/>
            <p:column>
                <p:commandLink action="#{testView.invokeCommand}" oncomplete="PF('leftMenuSearchPanel').hide();">
                    <h:outputText value="#{_leftMenuSearchResultItem.label}" />
                    <f:param name="commandLinkItemId" value="#{_leftMenuSearchResultItem.id}"/>
                    <p:confirm source="this" header="Really?" message="Are you sure?"
                               disabled="#{not _leftMenuSearchResultItem.showConfirm}"
                               icon="ui-icon-alert"/>
                </p:commandLink>
            </p:column>
        </p:autoComplete>
    </p:overlayPanel>
</h:form>
Whole reproducer project: pf-xxxx.zip
Expected behavior
I would expect that it would work with or without CSP the same.
PrimeFaces edition
Elite
PrimeFaces version
13.0.1
Theme
No response
JSF implementation
Mojarra
JSF version
2.3.17
Java version
11
Browser(s)
No response
About this issue
- State: closed
- Created 10 months ago
- Comments: 22 (15 by maintainers)
Commits related to this issue
- Fix #10654: CSP handling of encodeIndexedId — committed to melloware/primefaces by melloware 10 months ago
- Fix #10654: CSP handling of encodeIndexedId (#10664) * Fix #10658: CSP wrap FastStringWriter * Fix #10654: CSP handling of encodeIndexedId — committed to primefaces/primefaces by melloware 10 months ago
- Fix #10654/#10658: 13.0.2 CSP fixes — committed to melloware/primefaces by melloware 10 months ago
- Fix #10654: CSP handling of encodeIndexedId (#10672) — committed to primefaces/primefaces by melloware 10 months ago
- Fix #10654/#10658: 13.0.2 CSP fixes (#10670) — committed to primefaces/primefaces by melloware 10 months ago
OK I am merging this fix into 13.0.2!
OK I was able to fix it.