Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2009/04/05 13:11:06 UTC

Secure URLs, sequel...

We also have targets with params in forms: look for <<form(.*)target=(.*)\?(.*)=(.*)>> and <<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>>.
So I think we should extend the param-name scheme for forms also...

Jacques

Re: Secure URLs, sequel...

Posted by David E Jones <da...@hotwaxmedia.com>.
On Apr 5, 2009, at 5:11 AM, Jacques Le Roux wrote:

> We also have targets with params in forms: look for
> <<form(.*)target=(.*)\?(.*)=(.*)>> and
> <<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>>.
> So I think we should extend the param-name scheme for forms also...

If it is a parameter on the form target it is easy, the parameter is  
just a form field... probably a hidden field. In other words we would  
use the form -> field element and the field -> hidden element.

-David


Re: Secure URLs, sequel...

Posted by Jacques Le Roux <ja...@les7arts.com>.
If nobody sees a problem with that, I will add the same scheme to forms soon, and this will be backported to R9.04 (security fix).

Jacques

From: "Jacques Le Roux" <ja...@les7arts.com>
We also have targets with params in forms: look for <<form(.*)target=(.*)\?(.*)=(.*)>> and
<<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>>.
So I think we should extend the param-name scheme for forms also...

Jacques
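
The search and the hidden-field fix discussed in this thread, as an added example that is not part of the original messages or of the OFBiz code base: it parses form widget XML instead of using the two regexes, so a target attribute on its own line is found by the same pass, and it lists which target parameters still lack a hidden field. The sample XML is constructed, `audit_form_targets` and `suggest_hidden_field` are hypothetical names, and the `value` attribute on `hidden` and the absence of an XML namespace are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Constructed sample of a form widget file (not taken from the OFBiz sources).
# The first form has its target on a separate line, the case the \R regex covers.
SAMPLE = """<forms>
  <form name="EditNote" type="single"
        target="updateNote?partyId=${partyId}&amp;noteId=${noteId}">
    <field name="noteId"><hidden/></field>
    <field name="note"><textarea/></field>
  </form>
  <form name="FindNote" type="single" target="findNote">
    <field name="noteName"><text/></field>
  </form>
</forms>"""


def audit_form_targets(xml_text):
    """Return one finding per <form> whose target carries a query string."""
    findings = []
    for form in ET.fromstring(xml_text).iter("form"):
        path, sep, query = form.get("target", "").partition("?")
        if not sep:
            continue  # target has no parameters, nothing to move
        params = parse_qsl(query, keep_blank_values=True)
        # Names already submitted as hidden form fields.
        hidden = {f.get("name") for f in form.iter("field")
                  if f.find("hidden") is not None}
        findings.append({
            "form": form.get("name"),
            "clean_target": path,
            "params": params,
            "missing_hidden": [n for n, _ in params if n not in hidden],
        })
    return findings


def suggest_hidden_field(name, value):
    """Build the form -> field -> hidden replacement for one target parameter."""
    field = ET.Element("field", {"name": name})
    ET.SubElement(field, "hidden", {"value": value})  # 'value' attribute is an assumption
    return ET.tostring(field, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_form_targets(SAMPLE):
        print(finding["form"], "->", finding["clean_target"])
        for name, value in finding["params"]:
            if name in finding["missing_hidden"]:
                print("  add:", suggest_hidden_field(name, value))
```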