Posted to commits@ofbiz.apache.org by pr...@apache.org on 2016/06/04 13:20:59 UTC
svn commit: r1746820 - /ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
Author: pranayp
Date: Sat Jun 4 13:20:58 2016
New Revision: 1746820
URL: http://svn.apache.org/viewvc?rev=1746820&view=rev
Log:
[OFBIZ-7162] Fixed security issue with delete child period in EditCustomTimePeriod.
Thanks Montalbano Florian for reporting the issue and thanks Arjun Kaushal for providing the patch.
Modified:
ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
Modified: ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl?rev=1746820&r1=1746819&r2=1746820&view=diff
==============================================================================
--- ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl (original)
+++ ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl Sat Jun 4 13:20:58 2016
@@ -60,7 +60,7 @@ under the License.
<td>${uiLabelMap.AccountingPeriodName}</td>
<td>${uiLabelMap.CommonFromDate}</td>
<td>${uiLabelMap.CommonThruDate}</td>
- <td> </td>
+ <td colspan="2"> </td>
</tr>
<tr>
<td>${currentCustomTimePeriod.customTimePeriodId}</td>
@@ -124,12 +124,16 @@ under the License.
</td>
<td class="button-col">
<input type="submit" value='${uiLabelMap.CommonUpdate}'/>
- <a href='<@o...@ofbizUrl>'>
- ${uiLabelMap.CommonDelete}</a>
+ </td>
+ </form>
+ <td class="button-col">
+ <form method="post" action='<@o...@ofbizUrl>' name='deleteCustomTimePeriodForm'>
+ <input type="hidden" name="customTimePeriodId" value="${currentCustomTimePeriod.customTimePeriodId!}" />
+ <input type="submit" value='${uiLabelMap.CommonDelete}'/>
+ </form>
</td>
</tr>
</table>
- </form>
<#else>
<div class="screenlet-body">${uiLabelMap.AccountingNoCurrentCustomTimePeriodSelected}</div>
</#if>
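Review bot: the `</form>` added right after the Update cell's `</td>` closes the update form between two `<td>`s, directly inside `<tr>`, which is not valid HTML (browsers tolerate it, a validator reports a stray end tag). Either close the update form inside the last cell it owns, or keep it wrapping the whole table and move the delete form outside the table, tying the Delete button to it with the `form` attribute; opening `<form>` inside a `<td>`, as the new delete form does, is fine. On the security side, turning the `<a href>` delete into a POST form with a hidden `customTimePeriodId` is the right direction for a state-changing action, but the template alone does not stop the old GET URL from working: check that the request this form posts to (its URL is elided in this archive) rejects GET on the server, and keep in mind that a plain POST form carries no anti-CSRF token, so a cross-site page can still submit it. Lastly, `${currentCustomTimePeriod.customTimePeriodId!}` silently posts an empty id when the value is missing; inside the `<#if>` that guards this block that should not happen, but the server-side service should treat the id as required rather than rely on the template.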
@@ -152,7 +156,7 @@ under the License.
<td>${uiLabelMap.AccountingPeriodName}</td>
<td>${uiLabelMap.CommonFromDate}</td>
<td>${uiLabelMap.CommonThruDate}</td>
- <td> </td>
+ <td colspan="3"> </td>
</tr>
<#assign line = 0>
<#list customTimePeriods as customTimePeriod>
@@ -213,15 +217,21 @@ under the License.
<#if nowTimestamp.after(compareDate)><#assign hasExpired = true></#if>
</#if>
<input type="text" size='13' name="thruDate" value="${customTimePeriod.thruDate?string("yyyy-MM-dd")}"<#if hasExpired> class="alert"</#if> />
- </td>
- <td class="button-col">
+ </td>
+ <td class="button-col">
<input type="submit" value='${uiLabelMap.CommonUpdate}'/>
- <a href='<@o...@ofbizUrl>'>
- ${uiLabelMap.CommonDelete}</a>
+ </td>
+ </form>
+ <td class="button-col">
+ <form method="post" action='<@o...@ofbizUrl>' name='lineForm${line}'>
+ <input type="hidden" name="customTimePeriodId" value="${customTimePeriod.customTimePeriodId!}" />
+ <input type="submit" value='${uiLabelMap.CommonDelete}'/>
+ </form>
+ </td>
+ <td class="button-col">
<a href='<@o...@ofbizUrl>'>
${uiLabelMap.CommonSetAsCurrent}</a>
</td>
- </form>
</tr>
</#list>
</table>
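Review bot: the same `</form>` placement problem repeats in the `<#list>` loop, once per row: the per-row update form is closed between `</td>` and the next `<td>`, directly inside `<tr>`, which is exactly where the validator's repeated "stray end tag form" errors in this thread come from (the row's form is opened outside this hunk, and the validator output shows it starts inside `<tr>` as well, so the whole row wants reworking: one form per cell, or a form wrapping the table with the delete form outside it). The delete form is named `lineForm${line}`, and nothing in this hunk increments `line` after `<#assign line = 0>`; verify the loop does, otherwise every row's delete form is `lineForm0` and any script addressing forms by name hits the first row only. As with any GET-to-POST conversion, the change only helps if the server rejects GET for the delete request, and the POST form still has no CSRF token.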
Re: svn commit: r1746820 - /ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
Posted by Jacques Le Roux <ja...@les7arts.com>.
On 06/06/2016 at 20:57, Jacques Le Roux wrote:
> So 2 of the same are not from Arjun's patch. So I guess he simply followed the "trend" in this page. I guess we still have a lot like that in all of OFBiz.
> Some maybe introduced with subtasks of OFBIZ-2330...
I was maybe too fast on that: I checked 2 subtasks of OFBIZ-2330 and found nothing like that; 80- subtasks remain to check, and certainly more in the wild ;)
Actually we all know that using tables for layout is not a good thing, but most of OFBiz dates from 2001 to 2010...
Jacques
Re: svn commit: r1746820 - /ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
Posted by Deepak Dixit <de...@hotwaxsystems.com>.
No Problem Jacques :)
Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com
On Tue, Jun 7, 2016 at 12:31 AM, Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
> On 06/06/2016 at 20:57, Jacques Le Roux wrote:
>
>> This is right Deeak,
>>
> Sorry Deepak!
>
> Jacques
>
>
Re: svn commit: r1746820 - /ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
Posted by Jacques Le Roux <ja...@les7arts.com>.
On 06/06/2016 at 20:57, Jacques Le Roux wrote:
> This is right Deeak,
Sorry Deepak!
Jacques
Re: svn commit: r1746820 - /ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
Posted by Jacques Le Roux <ja...@les7arts.com>.
This is right Deeak,
Moreover, this is what the "HTML Validator" plugin in Firefox (http://users.skynet.be/mgueury/mozilla/) says on demo trunk (HEAD):
Result: 61 errors / 0 warnings
Info: W3c Online Validation
line 286 column 49 - Error: The “cellspacing” attribute on the “table” element is obsolete. Use CSS instead.
line 299 column 133 - Error: Start tag “form” seen in “table”.
line 299 column 133 - Error: Element “form” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 300 column 76 - Error: Start tag “input” seen in “table”.
line 300 column 76 - Error: Element “input” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 394 column 19 - Error: Stray end tag “form”.
line 394 column 19 - Error: Stray end tag “form”.
line 407 column 133 - Error: Start tag “form” seen in “table”.
line 407 column 133 - Error: Element “form” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 408 column 76 - Error: Start tag “input” seen in “table”.
line 408 column 76 - Error: Element “input” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 502 column 19 - Error: Stray end tag “form”.
line 502 column 19 - Error: Stray end tag “form”.
line 515 column 133 - Error: Start tag “form” seen in “table”.
line 515 column 133 - Error: Element “form” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 516 column 76 - Error: Start tag “input” seen in “table”.
line 516 column 76 - Error: Element “input” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 610 column 19 - Error: Stray end tag “form”.
line 610 column 19 - Error: Stray end tag “form”.
line 623 column 133 - Error: Start tag “form” seen in “table”.
line 623 column 133 - Error: Element “form” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 624 column 76 - Error: Start tag “input” seen in “table”.
line 624 column 76 - Error: Element “input” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 718 column 19 - Error: Stray end tag “form”.
line 718 column 19 - Error: Stray end tag “form”.
line 731 column 133 - Error: Start tag “form” seen in “table”.
line 731 column 133 - Error: Element “form” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 732 column 76 - Error: Start tag “input” seen in “table”.
line 732 column 76 - Error: Element “input” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 826 column 19 - Error: Stray end tag “form”.
line 826 column 19 - Error: Stray end tag “form”.
line 839 column 133 - Error: Start tag “form” seen in “table”.
line 839 column 133 - Error: Element “form” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 840 column 76 - Error: Start tag “input” seen in “table”.
line 840 column 76 - Error: Element “input” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 934 column 19 - Error: Stray end tag “form”.
line 934 column 19 - Error: Stray end tag “form”.
line 947 column 133 - Error: Start tag “form” seen in “table”.
line 947 column 133 - Error: Element “form” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 948 column 76 - Error: Start tag “input” seen in “table”.
line 948 column 76 - Error: Element “input” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 1042 column 19 - Error: Stray end tag “form”.
line 1042 column 19 - Error: Stray end tag “form”.
line 1055 column 133 - Error: Start tag “form” seen in “table”.
line 1055 column 133 - Error: Element “form” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 1056 column 76 - Error: Start tag “input” seen in “table”.
line 1056 column 76 - Error: Element “input” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 1150 column 19 - Error: Stray end tag “form”.
line 1150 column 19 - Error: Stray end tag “form”.
line 1163 column 133 - Error: Start tag “form” seen in “table”.
line 1163 column 133 - Error: Element “form” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 1164 column 76 - Error: Start tag “input” seen in “table”.
line 1164 column 76 - Error: Element “input” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 1258 column 19 - Error: Stray end tag “form”.
line 1258 column 19 - Error: Stray end tag “form”.
line 1271 column 134 - Error: Start tag “form” seen in “table”.
line 1271 column 134 - Error: Element “form” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 1272 column 76 - Error: Start tag “input” seen in “table”.
line 1272 column 76 - Error: Element “input” not allowed as child of element “tr” in this context. (Suppressing further errors from this subtree.)
line 1366 column 19 - Error: Stray end tag “form”.
line 1366 column 19 - Error: Stray end tag “form”.
So 2 of the same are not from Arjun's patch. So I guess he simply followed the "trend" in this page. I guess we still have a lot like that in all of OFBiz. Some maybe introduced with subtasks of OFBIZ-2330...
I'd not call them bugs since so far browsers are accepting and rendering them. But I agree it would be good to get rid of (all of) them. This would be another Jira ;)
Jacques
On 06/06/2016 at 08:57, Deepak Dixit wrote:
> Hi Arjun,
>
> It's incorrect markup: a form tag is not a valid child of a table. You can't put
> a form between td tags; you need to put it inside a td.
>
> Thanks & Regards
> --
> Deepak Dixit
> www.hotwaxsystems.com
>
> On Sat, Jun 4, 2016 at 6:50 PM, <pr...@apache.org> wrote:
>
>> Author: pranayp
>> Date: Sat Jun 4 13:20:58 2016
>> New Revision: 1746820
>>
>> URL: http://svn.apache.org/viewvc?rev=1746820&view=rev
>> Log:
>> [OFBIZ-7162] Fixed security issue with delete child period in
>> EditCustomTimePeriod.
>>
>> Thanks Montalbano Florian for reporting the issue and thanks Arjun Kaushal
>> for providing the patch.
>>
Re: svn commit: r1746820 - /ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
Posted by Deepak Dixit <de...@hotwaxsystems.com>.
Hi Arjun,
It's incorrect markup: a form tag is not a valid child of a table. You can't put
a form between td tags; you need to put it inside a td.
Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com
On Sat, Jun 4, 2016 at 6:50 PM, <pr...@apache.org> wrote:
> Author: pranayp
> Date: Sat Jun 4 13:20:58 2016
> New Revision: 1746820
>
> URL: http://svn.apache.org/viewvc?rev=1746820&view=rev
> Log:
> [OFBIZ-7162] Fixed security issue with delete child period in
> EditCustomTimePeriod.
>
> Thanks Montalbano Florian for reporting the issue and thanks Arjun Kaushal
> for providing the patch.
>
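The two problems this thread turns on, a delete action reachable through a GET link and `<form>` tags opened or closed directly inside a table row, are both mechanical enough to lint for. The script below is an added example for this page, not OFBiz code: it feeds three constructed, simplified versions of the hunk's markup (FreeMarker directives removed; the placeholder URLs `/app/control/updatePeriod` and `/app/control/deletePeriod` stand in for the elided `<@ofbizUrl>` values, and the id `10000` is invented) through a small `html.parser` walker and reports state-changing anchors, non-POST forms, and form tags that open or close across table structure.

```python
"""Lint for delete-via-GET links and <form> tags misnested in tables.

Added example, not OFBiz code.  The three markup samples are constructed,
simplified versions of the EditCustomTimePeriod.ftl hunk with FreeMarker
removed; action URLs and the period id are placeholders.
"""
from html.parser import HTMLParser

VOID_ELEMENTS = {"input", "br", "img", "hr", "meta", "link", "col"}
TABLE_STRUCTURE = {"table", "thead", "tbody", "tfoot", "tr"}
MUTATING_WORDS = ("delete", "remove", "expire", "cancel")


class TemplateLint(HTMLParser):
    """Walks the markup once and records (line, message) findings."""

    def __init__(self):
        super().__init__()
        self.stack = []          # names of currently open elements
        self.findings = []       # (line, message)
        self._anchor = None      # (href, line) while inside an <a>
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = dict(attrs)
        if tag == "form":
            parent = self.stack[-1] if self.stack else None
            if parent in TABLE_STRUCTURE:
                self.findings.append((line, f"<form> opened directly inside <{parent}>"))
            if attrs.get("method", "get").lower() != "post":
                self.findings.append((line, "<form> submits with GET"))
        elif tag == "a":
            self._anchor = (attrs.get("href", ""), line)
            self._anchor_text = []
        if tag not in VOID_ELEMENTS:
            self.stack.append(tag)

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag in VOID_ELEMENTS:          # <input/> etc. are never on the stack
            return
        line = self.getpos()[0]
        if tag == "a" and self._anchor is not None:
            href, a_line = self._anchor
            label = "".join(self._anchor_text).strip().lower()
            if any(word in label for word in MUTATING_WORDS):
                self.findings.append(
                    (a_line, f"state-changing action '{label}' exposed as GET link {href}"))
            self._anchor = None
        if tag not in self.stack:
            self.findings.append((line, f"stray end tag </{tag}>"))
            return
        # index of the matching start tag; anything opened after it is "crossed"
        depth = len(self.stack) - 1 - self.stack[::-1].index(tag)
        crossed = self.stack[depth + 1:]
        if crossed:
            self.findings.append(
                (line, f"</{tag}> closes across still-open <{'><'.join(crossed)}>"))
        # mimic browsers: drop only this element, leave the crossed ones open
        del self.stack[depth]


def lint(markup):
    """Return the list of (line, message) findings for one template."""
    parser = TemplateLint()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample 1: the pre-patch shape, Delete as a plain link (GET).
BEFORE = """
<form method="post" action="/app/control/updatePeriod" name="updateForm">
<table>
  <tr>
    <td><input type="text" name="periodName" value="Q1 2016"/></td>
    <td class="button-col">
      <input type="submit" value="Update"/>
      <a href="/app/control/deletePeriod?customTimePeriodId=10000">Delete</a>
    </td>
  </tr>
</table>
</form>
"""

# Constructed sample 2: the shape the commit produces; </form> sits inside <tr>.
COMMITTED = """
<form method="post" action="/app/control/updatePeriod" name="updateForm">
<table>
  <tr>
    <td><input type="text" name="periodName" value="Q1 2016"/></td>
    <td class="button-col">
      <input type="submit" value="Update"/>
    </td>
    </form>
    <td class="button-col">
      <form method="post" action="/app/control/deletePeriod" name="deleteCustomTimePeriodForm">
        <input type="hidden" name="customTimePeriodId" value="10000"/>
        <input type="submit" value="Delete"/>
      </form>
    </td>
  </tr>
</table>
"""

# Constructed sample 3: one valid layout; the delete form lives outside the
# table and the button is tied to it with the HTML5 form attribute.
FIXED = """
<form method="post" action="/app/control/updatePeriod" name="updateForm" id="updateForm">
<table>
  <tr>
    <td><input type="text" name="periodName" value="Q1 2016"/></td>
    <td class="button-col">
      <input type="submit" value="Update"/>
    </td>
    <td class="button-col">
      <button type="submit" form="deletePeriodForm">Delete</button>
    </td>
  </tr>
</table>
</form>
<form method="post" action="/app/control/deletePeriod" id="deletePeriodForm">
  <input type="hidden" name="customTimePeriodId" value="10000"/>
</form>
"""

if __name__ == "__main__":
    for name, markup in (("before", BEFORE), ("as committed", COMMITTED), ("valid layout", FIXED)):
        print(f"{name}:")
        for line, message in lint(markup) or [(0, "no findings")]:
            print(f"  line {line}: {message}")
```

The "valid layout" sample keeps the update form wrapping the table and moves the delete form out of it entirely; putting each form wholly inside its own `<td>`, as Deepak suggests, is the other valid shape, and the lint accepts both. Run it on a real `.ftl` only after stripping or stubbing the FreeMarker directives, since `html.parser` does not understand them, and remember that a clean lint says nothing about the server: the delete request must still refuse GET and, ideally, require a CSRF token.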