In Wicket, forms get a hidden field. I found on the web that this hidden field is needed for some kind of event handling. (Does anyone know more details?)
I played around with XSS-Me (https://addons.mozilla.org/de/firefox/addon/7598/), a Firefox plugin that tries to find XSS vulnerabilities. What the addon does is inject some values into that hidden field, and then Wicket throws: WicketRuntimeException: Attempt to access unknown request listener interface null
Does anyone have an idea how this exception could be prevented or caught?
Kind regards, bernhard
The full trace is:
ERROR - RequestCycle - Attempt to access unknown request listener interface null
org.apache.wicket.WicketRuntimeException: Attempt to access unknown request listener interface null
at org.apache.wicket.markup.html.form.Form.dispatchEvent(Form.java:1327)
at org.apache.wicket.markup.html.form.Form.onFormSubmitted(Form.java:874)
at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.wicket.RequestListenerInterface.invoke(RequestListenerInterface.java:182)
at org.apache.wicket.request.target.component.listener.ListenerInterfaceRequestTarget.processEvents(ListenerInterfaceRequestTarget.java:73)
at org.apache.wicket.request.AbstractRequestCycleProcessor.processEvents(AbstractRequestCycleProcessor.java:92)
at org.apache.wicket.RequestCycle.processEventsAndRespond(RequestCycle.java:1250)
at org.apache.wicket.RequestCycle.step(RequestCycle.java:1329)
at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1428)
at org.apache.wicket.RequestCycle.request(RequestCycle.java:545)
at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:479)
at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:312)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1089)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:365)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:712)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
at org.mortbay.jetty.Server.handle(Server.java:295)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:503)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:841)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:639)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:210)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:379)
at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:226)
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
Since Wicket is open source, you can of course understand some of this by looking at the source.
I believe that field is used for Ajax event handling, and is given a value by a JavaScript attached to the link as an onclick method at rendering. You can see where this JavaScript is made by looking at the source code in org.apache.wicket.markup.html.form.SubmitLink, method getTriggerJavaScript, and you can see the resulting markup using Firebug.
Many of the methods in Wicket are final so you can't override them, and marked with Javadoc exhortations not to call them yourself, and particularly in the area of form submission where this field is used, this call happens earlier in the cycle than most of the standard hooks for subclass form handling, so trying to catch the WicketRuntimeException and handle it in a way specific to this field might be difficult.
Catching it and showing a custom error page can of course be done as described at the wiki page on error pages, and this is a good thing to do anyway.
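One way to set up the custom error page mentioned in the answer above, as an added example that is not code from either poster or from the Wicket project. It assumes the Wicket 1.4.x API; MyApplication and the three page classes are hypothetical names, and matching on the exception message from the trace is an assumption.

```java
import org.apache.wicket.Page;
import org.apache.wicket.Request;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.Response;
import org.apache.wicket.WicketRuntimeException;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebRequestCycle;
import org.apache.wicket.settings.IExceptionSettings;

// Hypothetical application class (assumes Wicket 1.4.x).
public class MyApplication extends WebApplication {
    // Message prefix copied from the trace in the question; matching on it
    // is an assumption and may need adjusting for other Wicket versions.
    private static final String BAD_LISTENER =
        "Attempt to access unknown request listener interface";

    // Hypothetical pages; each needs its own markup file,
    // e.g. MyApplication$BadRequestPage.html next to this class.
    public static class HomePage extends WebPage { }
    public static class ErrorPage extends WebPage { }
    public static class BadRequestPage extends WebPage { }

    @Override
    protected void init() {
        super.init();
        // Show a generic page instead of rendering the stack trace to the client.
        getApplicationSettings().setInternalErrorPage(ErrorPage.class);
        getExceptionSettings().setUnexpectedExceptionDisplay(
            IExceptionSettings.SHOW_INTERNAL_ERROR_PAGE);
    }

    @Override
    public RequestCycle newRequestCycle(Request request, Response response) {
        return new WebRequestCycle(this, (WebRequest) request, response) {
            @Override
            public Page onRuntimeException(Page page, RuntimeException e) {
                // The exception may arrive wrapped, so walk the cause chain.
                for (Throwable t = e; t != null; t = t.getCause()) {
                    String msg = t.getMessage();
                    if (t instanceof WicketRuntimeException
                            && msg != null && msg.startsWith(BAD_LISTENER)) {
                        return new BadRequestPage(); // tampered hidden field
                    }
                }
                return null; // fall back to the configured internal error page
            }
        };
    }

    @Override
    public Class<? extends Page> getHomePage() { return HomePage.class; }
}
```

Returning null from onRuntimeException leaves every other exception to the default handling configured in init().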