Hello,

In Wicket, forms get a hidden field. I found on the web that this hidden field is needed for some kind of event handling. (Does anyone know more details?)

I played around with XSS-Me (https://addons.mozilla.org/de/firefox/addon/7598/), a Firefox plugin that tries to find XSS vulnerabilities. What the add-on does is inject some values into that hidden field, and then Wicket throws: WicketRuntimeException: Attempt to access unknown request listener interface null

Does anyone have an idea how this exception could be prevented, or caught?

Kind regards, bernhard

The full trace is:

ERROR - RequestCycle               - Attempt to access unknown request listener interface null
org.apache.wicket.WicketRuntimeException: Attempt to access unknown request listener interface null
   at org.apache.wicket.markup.html.form.Form.dispatchEvent(Form.java:1327)
   at org.apache.wicket.markup.html.form.Form.onFormSubmitted(Form.java:874)
   at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.wicket.RequestListenerInterface.invoke(RequestListenerInterface.java:182)
   at org.apache.wicket.request.target.component.listener.ListenerInterfaceRequestTarget.processEvents(ListenerInterfaceRequestTarget.java:73)
   at org.apache.wicket.request.AbstractRequestCycleProcessor.processEvents(AbstractRequestCycleProcessor.java:92)
   at org.apache.wicket.RequestCycle.processEventsAndRespond(RequestCycle.java:1250)
   at org.apache.wicket.RequestCycle.step(RequestCycle.java:1329)
   at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1428)
   at org.apache.wicket.RequestCycle.request(RequestCycle.java:545)
   at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:479)
   at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:312)
   at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1089)
   at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:365)
   at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
   at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
   at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:712)
   at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
   at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
   at org.mortbay.jetty.Server.handle(Server.java:295)
   at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:503)
   at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:841)
   at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:639)
   at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:210)
   at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:379)
   at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:226)
   at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442) 
+1  A: 

Since Wicket is open source, you can of course understand some of this by looking at the source.

I believe that field is used for Ajax event handling, and is given a value by a JavaScript attached to the link as an onclick method at rendering. You can see where this JavaScript is made by looking at the source code in org.apache.wicket.markup.html.form.SubmitLink, method getTriggerJavaScript, and you can see the resulting markup using Firebug.

Many of the methods in Wicket are final so you can't override them, and marked with Javadoc exhortations not to call them yourself, and particularly in the area of form submission where this field is used, this call happens earlier in the cycle than most of the standard hooks for subclass form handling, so trying to catch the WicketRuntimeException and handle it in a way specific to this field might be difficult.

Catching it and showing a custom error page can of course be done as described at the wiki page on error pages, and this is a good thing to do anyway.

Don Roby
Thanks. I was hoping to get around that exception (do some sanity check or so), but an error page is also a solution.
nebenmir
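
The error-page approach from the answer, sketched as an added example that is not part of the original thread or of Wicket's own code. It assumes the Wicket 1.4 API and slf4j; `HardenedApplication`, `HomePage` and `ErrorPage` are hypothetical names, and both pages need their own markup files.

```java
import org.apache.wicket.Page;
import org.apache.wicket.Request;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.Response;
import org.apache.wicket.WicketRuntimeException;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebRequestCycle;
import org.apache.wicket.settings.IExceptionSettings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class HardenedApplication extends WebApplication {
    private static final Logger LOG = LoggerFactory.getLogger(HardenedApplication.class);
    // Message prefix copied from the stack trace in the question.
    static final String BAD_LISTENER = "Attempt to access unknown request listener interface";

    @Override
    public Class<? extends Page> getHomePage() { return HomePage.class; }

    @Override
    protected void init() {
        super.init();
        // Unexpected exceptions render a fixed page, never a stack trace.
        getApplicationSettings().setInternalErrorPage(ErrorPage.class);
        getExceptionSettings().setUnexpectedExceptionDisplay(
                IExceptionSettings.SHOW_INTERNAL_ERROR_PAGE);
    }

    @Override
    public RequestCycle newRequestCycle(Request request, Response response) {
        return new WebRequestCycle(this, (WebRequest) request, response) {
            @Override
            public Page onRuntimeException(Page page, RuntimeException e) {
                for (Throwable t = e; t != null; t = t.getCause()) {
                    String msg = t.getMessage();
                    if (t instanceof WicketRuntimeException && msg != null
                            && msg.startsWith(BAD_LISTENER)) {
                        // The message may echo request data: strip CR/LF before logging.
                        LOG.warn("Rejected malformed form submit: {}",
                                msg.replaceAll("[\\r\\n]", "_"));
                        return new ErrorPage();
                    }
                }
                return null; // everything else: default handling (internal error page)
            }
        };
    }
}

// Hypothetical pages; each needs a matching .html markup file.
class HomePage extends WebPage { }
class ErrorPage extends WebPage {
    @Override public boolean isErrorPage() { return true; }
}
```

Logging these rejections at WARN rather than ERROR keeps scanner noise out of the error channel while still leaving a record to review.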