Posted to commits@ofbiz.apache.org by jl...@apache.org on 2010/06/07 09:02:03 UTC

svn commit: r952119 - in /ofbiz/trunk: applications/accounting/widget/ applications/order/widget/ordermgr/ applications/party/widget/partymgr/ applications/product/widget/catalog/ applications/product/widget/facility/ specialpurpose/projectmgr/widget/f...

Author: jleroux
Date: Mon Jun  7 07:02:02 2010
New Revision: 952119

URL: http://svn.apache.org/viewvc?rev=952119&view=rev
Log:
Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
Committers: for link and hyperlink fields whose target performs an action (i.e. a DB modification), please pass values through <parameter> elements rather than in the target URL.

Modified:
    ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
    ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
    ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
    ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
    ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
    ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
    ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml

Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
--- ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original)
+++ ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010
@@ -215,7 +215,12 @@ under the License.
         <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
         <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
         <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
-        <field name="acctgTransId"><hyperlink description="${acctgTransId}" target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field>
+        <field name="acctgTransId">
+            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
+                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
+                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
+            </hyperlink>
+        </field>
         <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity entity-name="AcctgTransType"/></field>
         <field name="glJournalId" title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal" description="${glJournalName}"/></field>
         <field name="glAccountTypeId" title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
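Review bot: Moving acctgTransId and organizationPartyId into `<parameter>` elements changes how the EditAcctgTrans link is submitted (presumably as a hidden-form POST) but is not a CSRF defence on its own: a POST without a per-session token checked by the controller can still be forged cross-origin, so if EditAcctgTrans really modifies data the server-side check matters more than the link form. Whether EditAcctgTrans has an event attached is not visible in this hunk. The neighbouring `paymentOverview?paymentId=${paymentId}` link on the line above keeps the query-string form, so a short comment stating the criterion, e.g. `<!-- only targets bound to an event use <parameter>; plain view links keep ?param= -->`, would keep the next search-and-replace from flipping it.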

Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
--- ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original)
+++ ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010
@@ -50,7 +50,9 @@ under the License.
         <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
         <field name="paymentGatewayConfigId"><hidden/></field>
         <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
-            <hyperlink description="${description}" target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/>
+            <hyperlink description="${description}" target="EditPaymentGatewayConfig">
+                <parameter param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/>
+            </hyperlink>
         </field>
         <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
             <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId" description="${description}"/>
@@ -385,7 +387,9 @@ under the License.
         <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
         <field name="paymentGatewayConfigTypeId"><hidden/></field>
         <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
-            <hyperlink description="${description}" target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/>
+            <hyperlink description="${description}" target="EditPaymentGatewayConfigType">
+				<parameter param-name="paymentGatewayConfigTypeId" from-field="paymentGatewayConfigTypeId"/>
+			</hyperlink>
         </field>
     </form>
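Review bot: The added `<parameter param-name="paymentGatewayConfigTypeId" …/>` and `</hyperlink>` lines are indented with tabs while the rest of this file uses spaces, so they render misaligned in any editor not set to 4-space tabs and introduce mixed indentation into the file. Re-indent them with spaces to match the `<hyperlink …>` start tag above: one level deeper for the parameter, same level for the closing tag. The first hunk of this same file does it correctly, which makes the inconsistency more visible.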
     

Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original)
+++ ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010
@@ -199,7 +199,9 @@ under the License.
     <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title="" target="BulkAddProducts"
         paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext" default-widget-style="inputBox" default-tooltip-style="tabletext">
         <field name="productId"  title="${uiLabelMap.ProductProductId}" widget-style="buttontext">
-            <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/>
+            <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app">
+				<parameter param-name="productId" from-field="productId"/>
+			</hyperlink>
         </field>
         <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
         <field name="internalName"><display/></field>
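Review bot: The added `<parameter param-name="productId" …/>` and `</hyperlink>` lines use tab indentation in a space-indented file; re-indent them with spaces under the `<hyperlink …>` start tag. Separately, this hyperlink sits inside a `type="multi"` form with `use-row-submit="true"` (the form element continues past the hunk); if a parameterised hyperlink is rendered as its own hidden form, confirm the renderer emits that form outside the enclosing multi form, since nested `<form>` elements are not valid HTML. I cannot verify the rendering path from this hunk.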

Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
--- ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original)
+++ ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010
@@ -287,7 +287,9 @@ under the License.
         <field name="communicationEventId"><display/></field>
         <field name="contactListId" use-when="contactListId!=null">
             <display-entity entity-name="ContactList" description="${contactListName}">
-                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}" description="[${communicationEvent.contactListId}]" target-type="inter-app"/>
+                <sub-hyperlink target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app">
+                <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/>
+            </sub-hyperlink>
             </display-entity>
         </field>
         <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
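Review bot: The rewritten `<sub-hyperlink>` block has inconsistent indentation: the `<parameter …/>` child sits at the same column as its parent's start tag and the closing `</sub-hyperlink>` is dedented four spaces below it, which makes the nesting hard to read inside the already-nested `<display-entity>`. Indent the `<parameter param-name="contactListId" from-field="communicationEvent.contactListId"/>` line one level deeper than `<sub-hyperlink` and align `</sub-hyperlink>` with the start tag, as the `<hyperlink>` rewrites elsewhere in this commit do.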
@@ -470,7 +472,9 @@ under the License.
             </service>
         </actions>
         <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
-            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/>
+            <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app">
+                <parameter param-name="orderId" from-field="orderId"/>
+            </hyperlink>
         </field>
         <field name="communicationEventId">
             <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
@@ -1022,7 +1026,9 @@ under the License.
             <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
         </row-actions>
         <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
-            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/>
+            <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app">
+                <parameter param-name="orderId" from-field="orderId"/>
+            </hyperlink>
         </field>
         <field name="communicationEventId"><hidden/></field>
         <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">

Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original)
+++ ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010
@@ -1997,7 +1997,9 @@ under the License.
 
     <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row" default-table-style="basic-table">
         <field name="communicationEventId" widget-style="buttontext">
-            <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/>
+            <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app">
+				<parameter param-name="communicationEventId" from-field="communicationEventId"/>
+			</hyperlink>
         </field>
         <field name="subject"><display/></field>
         <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType" key-field-name="communicationEventTypeId"/></field>
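Review bot: The added `<parameter param-name="communicationEventId" …/>` and `</hyperlink>` lines are tab-indented in a file that otherwise uses spaces; re-indent with spaces to sit one level under the `<hyperlink …>` start tag. Mixed tabs and spaces in widget XML are harmless to the parser but make later diffs noisy and hide real structural changes.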

Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original)
+++ ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010
@@ -50,7 +50,9 @@ under the License.
         <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
         <field name="shipmentGatewayConfigId"><hidden/></field>
         <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
-            <hyperlink description="${description}" target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/>
+            <hyperlink description="${description}" target="EditShipmentGatewayConfig">
+                <parameter param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/>
+            </hyperlink>
         </field>
         <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
             <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId" description="${description}"/>
@@ -313,7 +315,9 @@ under the License.
         <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
         <field name="shipmentGatewayConfTypeId"><hidden/></field>
         <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
-            <hyperlink description="${description}" target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/>
+            <hyperlink description="${description}" target="EditShipmentGatewayConfigType">
+                <parameter param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/>
+            </hyperlink>
         </field>
     </form>
     

Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original)
+++ ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010
@@ -340,7 +340,9 @@
         <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
         <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time type="date"/></field>
         <field name="edit" title=" ">
-            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
+            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
+                <parameter param-name="workEffortId" from-field="workEffortId}"/>
+            </hyperlink>
         </field>
         <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
     </form>
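Review bot: The new hyperlink is not well-formed XML: `description="${uiLabelMap.CommonEdit"}>` closes the attribute value before the `}` and leaves a bare `}` inside the start tag, and `from-field="workEffortId}"` carries a stray `}` into the field name, so this form file will fail to parse and, even if it did, the link would never resolve a workEffortId. This looks like a regex search-and-replace slip; the two lines should read `<hyperlink target="EditTask" description="${uiLabelMap.CommonEdit}">` and `<parameter param-name="workEffortId" from-field="workEffortId"/>`. Running `xmllint --noout` over every touched widget file before committing a bulk edit of this kind would have caught it.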



Re: svn commit: r952119 - in /ofbiz/trunk: applications/accounting/widget/ applications/order/widget/ordermgr/ applications/party/widget/partymgr/ applications/product/widget/catalog/ applications/product/widget/facility/ specialpurpose/projectmgr/widget/f

Posted by Scott Gray <sc...@hotwaxmedia.com>.
Thanks Jacques

Regards
Scott

On 7/06/2010, at 9:15 PM, Jacques Le Roux wrote:

> Ha well, I did not thought about that, thanks!
> 
> I revert...
> 
> Jacques
> 
> Scott Gray wrote:
>> Hi Jacques,
>> 
>> In a small way it does hurt because whenever we use "post" instead of "get" the user will be prompted "do you want to submit the
>> form again?" when they click the back button on the browser to go back to one of those screens.
>> 
>> But yeah I wouldn't rely on searching alone unless you are willing to check each target before altering it.
>> 
>> Regards
>> Scott
>> 
>> On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:
>> 
>>> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the other were real actions as they
>>> have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.
>>> 
>>> Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care
>>> anymore. Because  if we let some get through they will be detected and signaled as to be reported as a child of  OFBIZ-2330
>>> (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)
>>> 
>>> One worry less, great!
>>> 
>>> Jacques
>>> 
>>> Scott Gray wrote:
>>>> On second look there were no targets in this commit that needed to be secured.
>>>> 
>>>> Regards
>>>> Scott
>>>> 
>>>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>>>> 
>>>>> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri,
>>>>> orderview for example.
>>>>> 
>>>>> Regards
>>>>> Scott
>>>>> 
>>>>> HotWax Media
>>>>> http://www.hotwaxmedia.com
>>>>> 
>>>>> On 7/06/2010, at 7:02 PM, jleroux@apache.org wrote:
>>>>> 
>>>>>> Author: jleroux
>>>>>> Date: Mon Jun  7 07:02:02 2010
>>>>>> New Revision: 952119
>>>>>> 
>>>>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>>>>> Log:
>>>>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>>>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action
>>>>>> (ie DB modification)
>>>>>> 
>>>>>> Modified:
>>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>>>> 
>>>>>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010 @@ -215,7 +215,12 @@ under the License.
>>>>>>      <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>>>>>>      <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>>>>>>      <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
>>>>>> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}"
>>>>>> target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field> +        <field
>>>>>> name="acctgTransId"> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
>>>>>> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
>>>>>> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
>>>>>> +            </hyperlink>
>>>>>> +        </field>
>>>>>>      <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
>>>>>>      entity-name="AcctgTransType"/></field> <field name="glJournalId"
>>>>>>      title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal"
>>>>>> description="${glJournalName}"/></field> <field name="glAccountTypeId"
>>>>>> title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
>>>>>> 
>>>>>> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
>>>>>>      License. <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>>>>>>      <field name="paymentGatewayConfigId"><hidden/></field>
>>>>>>      <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>>>>>> -            <hyperlink description="${description}"
>>>>>> target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> +            <hyperlink
>>>>>> description="${description}" target="EditPaymentGatewayConfig"> +                <parameter
>>>>>> param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/> +            </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>>>>>          <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId"
>>>>>> description="${description}"/> @@ -385,7 +387,9 @@ under the License.
>>>>>>      <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>>>>>>      <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>>>>>      <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>>>>>> -            <hyperlink description="${description}"
>>>>>> target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> +            <hyperlink
>>>>>> description="${description}" target="EditPaymentGatewayConfigType"> + <parameter param-name="paymentGatewayConfigTypeId"
>>>>>> from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
>>>>>>      </field>
>>>>>>  </form>
>>>>>> 
>>>>>> 
>>>>>> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010 @@ -199,7 +199,9 @@ under the
>>>>>>  License. <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title=""
>>>>>>      target="BulkAddProducts" paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext"
>>>>>>      default-widget-style="inputBox" default-tooltip-style="tabletext"> <field name="productId"
>>>>>> title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> -            <hyperlink description="${productId}"
>>>>>> target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/> +            <hyperlink
>>>>>> description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app"> + <parameter
>>>>>> param-name="productId" from-field="productId"/> + </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>>>>>>      <field name="internalName"><display/></field>
>>>>>> 
>>>>>> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010 @@ -287,7 +287,9 @@ under
>>>>>>      the License. <field name="communicationEventId"><display/></field>
>>>>>>      <field name="contactListId" use-when="contactListId!=null">
>>>>>>          <display-entity entity-name="ContactList" description="${contactListName}">
>>>>>> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
>>>>>> description="[${communicationEvent.contactListId}]" target-type="inter-app"/> +                <sub-hyperlink
>>>>>> target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app"> +
>>>>>> <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/> +            </sub-hyperlink>
>>>>>>          </display-entity>
>>>>>>      </field>
>>>>>>      <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
>>>>>> @@ -470,7 +472,9 @@ under the License.
>>>>>>          </service>
>>>>>>      </actions>
>>>>>>      <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>>>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>>>> +            </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="communicationEventId">
>>>>>>          <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
>>>>>> @@ -1022,7 +1026,9 @@ under the License.
>>>>>>          <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>>>>>      </row-actions>
>>>>>>      <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
>>>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>>>> +            </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="communicationEventId"><hidden/></field>
>>>>>>      <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>>>>>> 
>>>>>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
>>>>>> License.
>>>>>> 
>>>>>>  <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row"
>>>>>>      default-table-style="basic-table"> <field name="communicationEventId" widget-style="buttontext">
>>>>>> -            <hyperlink description="${communicationEventId}"
>>>>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> +
>>>>>> <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> +
>>>>>> <parameter param-name="communicationEventId" from-field="communicationEventId"/> + </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="subject"><display/></field>
>>>>>>      <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType"
>>>>>> key-field-name="communicationEventTypeId"/></field>
>>>>>> 
>>>>>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@
>>>>>>      under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>>>>>      <field name="shipmentGatewayConfigId"><hidden/></field>
>>>>>>      <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>>>>>> -            <hyperlink description="${description}"
>>>>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> +            <hyperlink
>>>>>> description="${description}" target="EditShipmentGatewayConfig"> +                <parameter
>>>>>> param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> +            </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>>>>>          <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId"
>>>>>> description="${description}"/> @@ -313,7 +315,9 @@ under the License.
>>>>>>      <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>>>>>>      <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>>>>>      <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>>>>>> -            <hyperlink description="${description}"
>>>>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> +            <hyperlink
>>>>>> description="${description}" target="EditShipmentGatewayConfigType"> +                <parameter
>>>>>> param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> +            </hyperlink>
>>>>>>      </field>
>>>>>>  </form>
>>>>>> 
>>>>>> 
>>>>>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) +++
>>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010 @@ -340,7 +340,9 @@
>>>>>>      <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>>>>>>      <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
>>>>>>      type="date"/></field> <field name="edit" title=" ">
>>>>>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
>>>>>> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
>>>>>> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
>>>>>> +            </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>>>>>  </form> 
> 
> 


Re: svn commit: r952119 - in /ofbiz/trunk: applications/accounting/widget/ applications/order/widget/ordermgr/ applications/party/widget/partymgr/ applications/product/widget/catalog/ applications/product/widget/facility/ specialpurpose/projectmgr/widget/f

Posted by Jacques Le Roux <ja...@les7arts.com>.
Ha well, I did not thought about that, thanks!

I revert...

Jacques

Scott Gray wrote:
> Hi Jacques,
>
> In a small way it does hurt because whenever we use "post" instead of "get" the user will be prompted "do you want to submit the
> form again?" when they click the back button on the browser to go back to one of those screens.
>
> But yeah I wouldn't rely on searching alone unless you are willing to check each target before altering it.
>
> Regards
> Scott
>
> On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:
>
>> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the other were real actions as they
>> have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.
>>
>> Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care
>> anymore. Because  if we let some get through they will be detected and signaled as to be reported as a child of  OFBIZ-2330
>> (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)
>>
>> One worry less, great!
>>
>> Jacques
>>
>> Scott Gray wrote:
>>> On second look there were no targets in this commit that needed to be secured.
>>>
>>> Regards
>>> Scott
>>>
>>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>>>
>>>> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri,
>>>> orderview for example.
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> HotWax Media
>>>> http://www.hotwaxmedia.com
>>>>
>>>> On 7/06/2010, at 7:02 PM, jleroux@apache.org wrote:
>>>>
>>>>> Author: jleroux
>>>>> Date: Mon Jun  7 07:02:02 2010
>>>>> New Revision: 952119
>>>>>
>>>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>>>> Log:
>>>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action
>>>>> (ie DB modification)
>>>>>
>>>>> Modified:
>>>>>  ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>>  ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>>  ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>>  ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>>  ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>>  ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>>  ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>>>
>>>>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010 @@ -215,7 +215,12 @@ under the License.
>>>>>       <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>>>>>       <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>>>>>       <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
>>>>> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}"
>>>>> target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field> +        <field
>>>>> name="acctgTransId"> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
>>>>> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
>>>>> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
>>>>> +            </hyperlink>
>>>>> +        </field>
>>>>>       <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
>>>>>       entity-name="AcctgTransType"/></field> <field name="glJournalId"
>>>>>       title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal"
>>>>> description="${glJournalName}"/></field> <field name="glAccountTypeId"
>>>>> title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
>>>>>
>>>>> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original) +++
>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
>>>>>       License. <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>>>>>       <field name="paymentGatewayConfigId"><hidden/></field>
>>>>>       <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>>>>> -            <hyperlink description="${description}"
>>>>> target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> +            <hyperlink
>>>>> description="${description}" target="EditPaymentGatewayConfig"> +                <parameter
>>>>> param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/> +            </hyperlink>
>>>>>       </field>
>>>>>       <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>>>>           <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId"
>>>>> description="${description}"/> @@ -385,7 +387,9 @@ under the License.
>>>>>       <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>>>>>       <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>>>>       <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>>>>> -            <hyperlink description="${description}"
>>>>> target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> +            <hyperlink
>>>>> description="${description}" target="EditPaymentGatewayConfigType"> + <parameter param-name="paymentGatewayConfigTypeId"
>>>>> from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
>>>>>       </field>
>>>>>   </form>
>>>>>
>>>>>
>>>>> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original) +++
>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010 @@ -199,7 +199,9 @@ under the
>>>>>   License. <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title=""
>>>>>       target="BulkAddProducts" paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext"
>>>>>       default-widget-style="inputBox" default-tooltip-style="tabletext"> <field name="productId"
>>>>> title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> -            <hyperlink description="${productId}"
>>>>> target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/> +            <hyperlink
>>>>> description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app"> + <parameter
>>>>> param-name="productId" from-field="productId"/> + </hyperlink>
>>>>>       </field>
>>>>>       <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>>>>>       <field name="internalName"><display/></field>
>>>>>
>>>>> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original) +++
>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010 @@ -287,7 +287,9 @@ under
>>>>>       the License. <field name="communicationEventId"><display/></field>
>>>>>       <field name="contactListId" use-when="contactListId!=null">
>>>>>           <display-entity entity-name="ContactList" description="${contactListName}">
>>>>> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
>>>>> description="[${communicationEvent.contactListId}]" target-type="inter-app"/> +                <sub-hyperlink
>>>>> target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app"> +
>>>>> <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/> +            </sub-hyperlink>
>>>>>           </display-entity>
>>>>>       </field>
>>>>>       <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
>>>>> @@ -470,7 +472,9 @@ under the License.
>>>>>           </service>
>>>>>       </actions>
>>>>>       <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>>> +            </hyperlink>
>>>>>       </field>
>>>>>       <field name="communicationEventId">
>>>>>           <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
>>>>> @@ -1022,7 +1026,9 @@ under the License.
>>>>>           <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>>>>       </row-actions>
>>>>>       <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
>>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>>> +            </hyperlink>
>>>>>       </field>
>>>>>       <field name="communicationEventId"><hidden/></field>
>>>>>       <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>>>>>
>>>>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++
>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
>>>>> License.
>>>>>
>>>>>   <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row"
>>>>>       default-table-style="basic-table"> <field name="communicationEventId" widget-style="buttontext">
>>>>> -            <hyperlink description="${communicationEventId}"
>>>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> +
>>>>> <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> +
>>>>> <parameter param-name="communicationEventId" from-field="communicationEventId"/> + </hyperlink>
>>>>>       </field>
>>>>>       <field name="subject"><display/></field>
>>>>>       <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType"
>>>>> key-field-name="communicationEventTypeId"/></field>
>>>>>
>>>>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) +++
>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@
>>>>>       under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>>>>       <field name="shipmentGatewayConfigId"><hidden/></field>
>>>>>       <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>>>>> -            <hyperlink description="${description}"
>>>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> +            <hyperlink
>>>>> description="${description}" target="EditShipmentGatewayConfig"> +                <parameter
>>>>> param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> +            </hyperlink>
>>>>>       </field>
>>>>>       <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>>>>           <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId"
>>>>> description="${description}"/> @@ -313,7 +315,9 @@ under the License.
>>>>>       <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>>>>>       <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>>>>       <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>>>>> -            <hyperlink description="${description}"
>>>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> +            <hyperlink
>>>>> description="${description}" target="EditShipmentGatewayConfigType"> +                <parameter
>>>>> param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> +            </hyperlink>
>>>>>       </field>
>>>>>   </form>
>>>>>
>>>>>
>>>>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) +++
>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010 @@ -340,7 +340,9 @@
>>>>>       <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>>>>>       <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
>>>>>       type="date"/></field> <field name="edit" title=" ">
>>>>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
>>>>> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
>>>>> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
>>>>> +            </hyperlink>
>>>>>       </field>
>>>>>       <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>>>>   </form> 



Re: svn commit: r952119 - in /ofbiz/trunk: applications/accounting/widget/ applications/order/widget/ordermgr/ applications/party/widget/partymgr/ applications/product/widget/catalog/ applications/product/widget/facility/ specialpurpose/projectmgr/widget/f

Posted by Scott Gray <sc...@hotwaxmedia.com>.
Hi Jacques,

In a small way it does hurt because whenever we use "post" instead of "get" the user will be prompted "do you want to submit the form again?" when they click the back button on the browser to go back to one of those screens.

But yeah I wouldn't rely on searching alone unless you are willing to check each target before altering it.

Regards
Scott

On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:

> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the other were real actions as they have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.
> 
> Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care anymore. Because  if we let some get through they will be detected and signaled as to be reported as a child of  OFBIZ-2330 (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)
> 
> One worry less, great!
> 
> Jacques
> 
> Scott Gray wrote:
>> On second look there were no targets in this commit that needed to be secured.
>> 
>> Regards
>> Scott
>> 
>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>> 
>>> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri,
>>> orderview for example.
>>> 
>>> Regards
>>> Scott
>>> 
>>> HotWax Media
>>> http://www.hotwaxmedia.com
>>> 
>>> On 7/06/2010, at 7:02 PM, jleroux@apache.org wrote:
>>> 
>>>> Author: jleroux
>>>> Date: Mon Jun  7 07:02:02 2010
>>>> New Revision: 952119
>>>> 
>>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>>> Log:
>>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action
>>>> (ie DB modification)
>>>> 
>>>> Modified:
>>>>  ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>  ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>  ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>  ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>  ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>  ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>  ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>> 
>>>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010 @@ -215,7 +215,12 @@ under the License.
>>>>       <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>>>>       <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>>>>       <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
>>>> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}"
>>>> target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field> +        <field
>>>> name="acctgTransId"> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
>>>> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
>>>> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
>>>> +            </hyperlink>
>>>> +        </field>
>>>>       <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
>>>>       entity-name="AcctgTransType"/></field> <field name="glJournalId"
>>>>       title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal"
>>>> description="${glJournalName}"/></field> <field name="glAccountTypeId"
>>>> title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
>>>> 
>>>> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original) +++
>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
>>>>       License. <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>>>>       <field name="paymentGatewayConfigId"><hidden/></field>
>>>>       <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> +            <hyperlink
>>>> description="${description}" target="EditPaymentGatewayConfig"> +                <parameter param-name="paymentGatewayConfigId"
>>>> from-field="paymentGatewayConfigId"/> +            </hyperlink>
>>>>       </field>
>>>>       <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>>>           <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId"
>>>> description="${description}"/> @@ -385,7 +387,9 @@ under the License.
>>>>       <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>>>>       <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>>>       <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> +            <hyperlink
>>>> description="${description}" target="EditPaymentGatewayConfigType"> + <parameter param-name="paymentGatewayConfigTypeId"
>>>> from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
>>>>       </field>
>>>>   </form>
>>>> 
>>>> 
>>>> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original) +++
>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010 @@ -199,7 +199,9 @@ under the
>>>>   License. <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title=""
>>>>       target="BulkAddProducts" paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext"
>>>>       default-widget-style="inputBox" default-tooltip-style="tabletext"> <field name="productId"
>>>> title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> -            <hyperlink description="${productId}"
>>>> target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/> +            <hyperlink
>>>> description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app"> + <parameter
>>>> param-name="productId" from-field="productId"/> + </hyperlink>
>>>>       </field>
>>>>       <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>>>>       <field name="internalName"><display/></field>
>>>> 
>>>> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original) +++
>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010 @@ -287,7 +287,9 @@ under
>>>>       the License. <field name="communicationEventId"><display/></field>
>>>>       <field name="contactListId" use-when="contactListId!=null">
>>>>           <display-entity entity-name="ContactList" description="${contactListName}">
>>>> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
>>>> description="[${communicationEvent.contactListId}]" target-type="inter-app"/> +                <sub-hyperlink
>>>> target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app"> +
>>>> <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/> +            </sub-hyperlink>
>>>>           </display-entity>
>>>>       </field>
>>>>       <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
>>>> @@ -470,7 +472,9 @@ under the License.
>>>>           </service>
>>>>       </actions>
>>>>       <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>> +            </hyperlink>
>>>>       </field>
>>>>       <field name="communicationEventId">
>>>>           <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
>>>> @@ -1022,7 +1026,9 @@ under the License.
>>>>           <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>>>       </row-actions>
>>>>       <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>> +            </hyperlink>
>>>>       </field>
>>>>       <field name="communicationEventId"><hidden/></field>
>>>>       <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>>>> 
>>>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++
>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
>>>> License.
>>>> 
>>>>   <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row"
>>>>       default-table-style="basic-table"> <field name="communicationEventId" widget-style="buttontext">
>>>> -            <hyperlink description="${communicationEventId}"
>>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> +
>>>> <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> +
>>>> <parameter param-name="communicationEventId" from-field="communicationEventId"/> + </hyperlink>
>>>>       </field>
>>>>       <field name="subject"><display/></field>
>>>>       <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType"
>>>> key-field-name="communicationEventTypeId"/></field>
>>>> 
>>>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) +++
>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@
>>>>       under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>>>       <field name="shipmentGatewayConfigId"><hidden/></field>
>>>>       <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> +            <hyperlink
>>>> description="${description}" target="EditShipmentGatewayConfig"> +                <parameter
>>>> param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> +            </hyperlink>
>>>>       </field>
>>>>       <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>>>           <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId"
>>>> description="${description}"/> @@ -313,7 +315,9 @@ under the License.
>>>>       <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>>>>       <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>>>       <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> +            <hyperlink
>>>> description="${description}" target="EditShipmentGatewayConfigType"> +                <parameter
>>>> param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> +            </hyperlink>
>>>>       </field>
>>>>   </form>
>>>> 
>>>> 
>>>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) +++
>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010 @@ -340,7 +340,9 @@
>>>>       <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>>>>       <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
>>>>       type="date"/></field> <field name="edit" title=" ">
>>>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
>>>> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
>>>> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
>>>> +            </hyperlink>
>>>>       </field>
>>>>       <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>>>   </form> 
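Review bot: The two added lines for the `edit` field are not well-formed XML: the closing brace of the label expression has slipped outside the attribute quote, `description="${uiLabelMap.CommonEdit"}`, leaving a bare `}` inside the start tag, and that brace has reappeared inside the next attribute, `from-field="workEffortId}"`. A parser rejects the start tag, which takes the whole ProjectForms.xml form definition down, and even if it were parsed the parameter would read a field named `workEffortId}` rather than `workEffortId`. The lines should read `<hyperlink target="EditTask" description="${uiLabelMap.CommonEdit}">` and `<parameter param-name="workEffortId" from-field="workEffortId"/>`. This hunk is quoted again three more times further down the thread and the defect is visible in each copy.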
> 
> 


Re: svn commit: r952119 - in /ofbiz/trunk: applications/accounting/widget/ applications/order/widget/ordermgr/ applications/party/widget/partymgr/ applications/product/widget/catalog/ applications/product/widget/facility/ specialpurpose/projectmgr/widget/f

Posted by Jacques Le Roux <ja...@les7arts.com>.
I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they have 
Edit as a prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.

Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care anymore. 
Because  if we let some get through they will be detected and signaled as to be reported as a child of  OFBIZ-2330 (even if they 
don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)

One worry less, great!

Jacques

Scott Gray wrote:
> On second look there were no targets in this commit that needed to be secured.
>
> Regards
> Scott
>
> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>
>> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri,
>> orderview for example.
>>
>> Regards
>> Scott
>>
>> HotWax Media
>> http://www.hotwaxmedia.com
>>
>> On 7/06/2010, at 7:02 PM, jleroux@apache.org wrote:
>>
>>> Author: jleroux
>>> Date: Mon Jun  7 07:02:02 2010
>>> New Revision: 952119
>>>
>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>> Log:
>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action
>>> (ie DB modification)
>>>
>>> Modified:
>>>   ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>   ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>   ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>   ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>   ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>   ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>   ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>
>>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010 @@ -215,7 +215,12 @@ under the License.
>>>        <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>>>        <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>>>        <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
>>> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}"
>>> target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field> +        <field
>>> name="acctgTransId"> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
>>> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
>>> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
>>> +            </hyperlink>
>>> +        </field>
>>>        <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
>>>        entity-name="AcctgTransType"/></field> <field name="glJournalId"
>>>        title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal"
>>> description="${glJournalName}"/></field> <field name="glAccountTypeId"
>>> title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
>>>
>>> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original) +++
>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
>>>        License. <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>>>        <field name="paymentGatewayConfigId"><hidden/></field>
>>>        <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>>> -            <hyperlink description="${description}"
>>> target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> +            <hyperlink
>>> description="${description}" target="EditPaymentGatewayConfig"> +                <parameter param-name="paymentGatewayConfigId"
>>> from-field="paymentGatewayConfigId"/> +            </hyperlink>
>>>        </field>
>>>        <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>>            <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId"
>>> description="${description}"/> @@ -385,7 +387,9 @@ under the License.
>>>        <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>>>        <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>>        <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>>> -            <hyperlink description="${description}"
>>> target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> +            <hyperlink
>>> description="${description}" target="EditPaymentGatewayConfigType"> + <parameter param-name="paymentGatewayConfigTypeId"
>>> from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
>>>        </field>
>>>    </form>
>>>
>>>
>>> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original) +++
>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010 @@ -199,7 +199,9 @@ under the
>>>    License. <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title=""
>>>        target="BulkAddProducts" paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext"
>>>        default-widget-style="inputBox" default-tooltip-style="tabletext"> <field name="productId"
>>> title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> -            <hyperlink description="${productId}"
>>> target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/> +            <hyperlink
>>> description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app"> + <parameter
>>> param-name="productId" from-field="productId"/> + </hyperlink>
>>>        </field>
>>>        <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>>>        <field name="internalName"><display/></field>
>>>
>>> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original) +++
>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010 @@ -287,7 +287,9 @@ under
>>>        the License. <field name="communicationEventId"><display/></field>
>>>        <field name="contactListId" use-when="contactListId!=null">
>>>            <display-entity entity-name="ContactList" description="${contactListName}">
>>> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
>>> description="[${communicationEvent.contactListId}]" target-type="inter-app"/> +                <sub-hyperlink
>>> target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app"> +
>>> <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/> +            </sub-hyperlink>
>>>            </display-entity>
>>>        </field>
>>>        <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
>>> @@ -470,7 +472,9 @@ under the License.
>>>            </service>
>>>        </actions>
>>>        <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>> +            </hyperlink>
>>>        </field>
>>>        <field name="communicationEventId">
>>>            <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
>>> @@ -1022,7 +1026,9 @@ under the License.
>>>            <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>>        </row-actions>
>>>        <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>> +            </hyperlink>
>>>        </field>
>>>        <field name="communicationEventId"><hidden/></field>
>>>        <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>>>
>>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++
>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
>>> License.
>>>
>>>    <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row"
>>>        default-table-style="basic-table"> <field name="communicationEventId" widget-style="buttontext">
>>> -            <hyperlink description="${communicationEventId}"
>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> +
>>> <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> +
>>> <parameter param-name="communicationEventId" from-field="communicationEventId"/> + </hyperlink>
>>>        </field>
>>>        <field name="subject"><display/></field>
>>>        <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType"
>>> key-field-name="communicationEventTypeId"/></field>
>>>
>>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) +++
>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@
>>>        under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>>        <field name="shipmentGatewayConfigId"><hidden/></field>
>>>        <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>>> -            <hyperlink description="${description}"
>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> +            <hyperlink
>>> description="${description}" target="EditShipmentGatewayConfig"> +                <parameter
>>> param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> +            </hyperlink>
>>>        </field>
>>>        <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>>            <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId"
>>> description="${description}"/> @@ -313,7 +315,9 @@ under the License.
>>>        <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>>>        <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>>        <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>>> -            <hyperlink description="${description}"
>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> +            <hyperlink
>>> description="${description}" target="EditShipmentGatewayConfigType"> +                <parameter
>>> param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> +            </hyperlink>
>>>        </field>
>>>    </form>
>>>
>>>
>>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) +++
>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010 @@ -340,7 +340,9 @@
>>>        <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>>>        <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
>>>        type="date"/></field> <field name="edit" title=" ">
>>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
>>> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
>>> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
>>> +            </hyperlink>
>>>        </field>
>>>        <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>>    </form> 



Re: svn commit: r952119 - in /ofbiz/trunk: applications/accounting/widget/ applications/order/widget/ordermgr/ applications/party/widget/partymgr/ applications/product/widget/catalog/ applications/product/widget/facility/ specialpurpose/projectmgr/widget/f...

Posted by Scott Gray <sc...@hotwaxmedia.com>.
On second look there were no targets in this commit that needed to be secured.

Regards
Scott

On 7/06/2010, at 7:18 PM, Scott Gray wrote:

> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri, orderview for example.
> 
> Regards
> Scott
> 
> HotWax Media
> http://www.hotwaxmedia.com
> 
> On 7/06/2010, at 7:02 PM, jleroux@apache.org wrote:
> 
>> Author: jleroux
>> Date: Mon Jun  7 07:02:02 2010
>> New Revision: 952119
>> 
>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>> Log:
>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action (ie DB modification)
>> 
>> Modified:
>>   ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>   ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>   ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>   ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>   ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>   ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>   ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>> 
>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original)
>> +++ ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010
>> @@ -215,7 +215,12 @@ under the License.
>>        <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>>        <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>>        <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
>> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}" target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field>
>> +        <field name="acctgTransId">
>> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
>> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
>> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
>> +            </hyperlink>
>> +        </field>
>>        <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity entity-name="AcctgTransType"/></field>
>>        <field name="glJournalId" title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal" description="${glJournalName}"/></field>
>>        <field name="glAccountTypeId" title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
>> 
>> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original)
>> +++ ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010
>> @@ -50,7 +50,9 @@ under the License.
>>        <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>>        <field name="paymentGatewayConfigId"><hidden/></field>
>>        <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>> -            <hyperlink description="${description}" target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/>
>> +            <hyperlink description="${description}" target="EditPaymentGatewayConfig">
>> +                <parameter param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/>
>> +            </hyperlink>
>>        </field>
>>        <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>            <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId" description="${description}"/>
>> @@ -385,7 +387,9 @@ under the License.
>>        <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>>        <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>        <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>> -            <hyperlink description="${description}" target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/>
>> +            <hyperlink description="${description}" target="EditPaymentGatewayConfigType">
>> +				<parameter param-name="paymentGatewayConfigTypeId" from-field="paymentGatewayConfigTypeId"/>
>> +			</hyperlink>
>>        </field>
>>    </form>
>> 
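Review bot: The two added lines inside the `EditPaymentGatewayConfigType` hyperlink are indented with tabs while every surrounding line of the file uses spaces, so the nesting reads wrongly at any other tab width and the mix will keep showing up in future diffs. The same tab indentation appears in the `EditProductInventoryItems` hunk of OrderEntryForms.xml and the `EditCommunicationEvent` hunk of ProductForms.xml. Replace the tabs with 16 and 12 spaces respectively, matching the `<parameter>` and `</hyperlink>` lines of the first hunk in this file.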
>> 
>> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original)
>> +++ ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010
>> @@ -199,7 +199,9 @@ under the License.
>>    <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title="" target="BulkAddProducts"
>>        paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext" default-widget-style="inputBox" default-tooltip-style="tabletext">
>>        <field name="productId"  title="${uiLabelMap.ProductProductId}" widget-style="buttontext">
>> -            <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/>
>> +            <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app">
>> +				<parameter param-name="productId" from-field="productId"/>
>> +			</hyperlink>
>>        </field>
>>        <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>>        <field name="internalName"><display/></field>
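Review bot: Moving `productId` from the target URL into a `<parameter>` child does not by itself make this link "secure" in the sense the commit log describes, because the hyperlink keeps `target-type="inter-app"` and sets no `link-type`. If I remember the form-widget renderer correctly, the default `auto` link-type only switches to a hidden POST form for intra-app targets whose request-map defines an event, and for inter-app targets the parameters are simply re-emitted as a query string, so the rendered anchor is the same as before — worth confirming against WidgetWorker before relying on it. The same applies to the three inter-app hunks in CommunicationEventForms.xml and the `EditCommunicationEvent` hunk in ProductForms.xml. If a POST is really wanted for these, `link-type="hidden-form"` would have to be set explicitly; if the targets are view requests, the change is cosmetic and the log could say so.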
>> 
>> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original)
>> +++ ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010
>> @@ -287,7 +287,9 @@ under the License.
>>        <field name="communicationEventId"><display/></field>
>>        <field name="contactListId" use-when="contactListId!=null">
>>            <display-entity entity-name="ContactList" description="${contactListName}">
>> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}" description="[${communicationEvent.contactListId}]" target-type="inter-app"/>
>> +                <sub-hyperlink target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app">
>> +                <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/>
>> +            </sub-hyperlink>
>>            </display-entity>
>>        </field>
>>        <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
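Review bot: The added `<parameter>` child is indented to the same column as its parent `<sub-hyperlink>`, and the closing `</sub-hyperlink>` sits four columns to the left of the opening tag, so the nesting cannot be read from the layout. Indent `<parameter param-name="contactListId" from-field="communicationEvent.contactListId"/>` one level deeper than the opening tag and align `</sub-hyperlink>` with `<sub-hyperlink`. The two `orderview` hunks later in this file get this right and can serve as the reference.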
>> @@ -470,7 +472,9 @@ under the License.
>>            </service>
>>        </actions>
>>        <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/>
>> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app">
>> +                <parameter param-name="orderId" from-field="orderId"/>
>> +            </hyperlink>
>>        </field>
>>        <field name="communicationEventId">
>>            <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
>> @@ -1022,7 +1026,9 @@ under the License.
>>            <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>        </row-actions>
>>        <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/>
>> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app">
>> +                <parameter param-name="orderId" from-field="orderId"/>
>> +            </hyperlink>
>>        </field>
>>        <field name="communicationEventId"><hidden/></field>
>>        <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>> 
>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original)
>> +++ ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010
>> @@ -1997,7 +1997,9 @@ under the License.
>> 
>>    <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row" default-table-style="basic-table">
>>        <field name="communicationEventId" widget-style="buttontext">
>> -            <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/>
>> +            <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app">
>> +				<parameter param-name="communicationEventId" from-field="communicationEventId"/>
>> +			</hyperlink>
>>        </field>
>>        <field name="subject"><display/></field>
>>        <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType" key-field-name="communicationEventTypeId"/></field>
>> 
>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original)
>> +++ ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010
>> @@ -50,7 +50,9 @@ under the License.
>>        <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>        <field name="shipmentGatewayConfigId"><hidden/></field>
>>        <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>> -            <hyperlink description="${description}" target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/>
>> +            <hyperlink description="${description}" target="EditShipmentGatewayConfig">
>> +                <parameter param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/>
>> +            </hyperlink>
>>        </field>
>>        <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>            <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId" description="${description}"/>
>> @@ -313,7 +315,9 @@ under the License.
>>        <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>>        <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>        <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>> -            <hyperlink description="${description}" target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/>
>> +            <hyperlink description="${description}" target="EditShipmentGatewayConfigType">
>> +                <parameter param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/>
>> +            </hyperlink>
>>        </field>
>>    </form>
>> 
>> 
>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original)
>> +++ ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010
>> @@ -340,7 +340,9 @@
>>        <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>>        <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time type="date"/></field>
>>        <field name="edit" title=" ">
>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
>> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
>> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
>> +            </hyperlink>
>>        </field>
>>        <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>    </form>
>> 
>> 
> 


Re: svn commit: r952119 - in /ofbiz/trunk: applications/accounting/widget/ applications/order/widget/ordermgr/ applications/party/widget/partymgr/ applications/product/widget/catalog/ applications/product/widget/facility/ specialpurpose/projectmgr/widget/f...

Posted by Scott Gray <sc...@hotwaxmedia.com>.
Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri, orderview for example.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 7/06/2010, at 7:02 PM, jleroux@apache.org wrote:

> Author: jleroux
> Date: Mon Jun  7 07:02:02 2010
> New Revision: 952119
> 
> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
> Log:
> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
> Committers, please use only a target with parameter attribute (not in the URL) for link and hyperlink fields when there is an action (i.e. a DB modification)
> 
> Modified:
>    ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>    ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>    ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>    ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>    ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>    ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>    ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
> 
> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original)
> +++ ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010
> @@ -215,7 +215,12 @@ under the License.
>         <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>         <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>         <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}" target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field>
> +        <field name="acctgTransId">
> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
> +            </hyperlink>
> +        </field>
>         <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity entity-name="AcctgTransType"/></field>
>         <field name="glJournalId" title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal" description="${glJournalName}"/></field>
>         <field name="glAccountTypeId" title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
> 
> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original)
> +++ ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010
> @@ -50,7 +50,9 @@ under the License.
>         <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>         <field name="paymentGatewayConfigId"><hidden/></field>
>         <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
> -            <hyperlink description="${description}" target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/>
> +            <hyperlink description="${description}" target="EditPaymentGatewayConfig">
> +                <parameter param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/>
> +            </hyperlink>
>         </field>
>         <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>             <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId" description="${description}"/>
> @@ -385,7 +387,9 @@ under the License.
>         <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>         <field name="paymentGatewayConfigTypeId"><hidden/></field>
>         <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
> -            <hyperlink description="${description}" target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/>
> +            <hyperlink description="${description}" target="EditPaymentGatewayConfigType">
> +				<parameter param-name="paymentGatewayConfigTypeId" from-field="paymentGatewayConfigTypeId"/>
> +			</hyperlink>
>         </field>
>     </form>
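Review bot: The two added lines `<parameter param-name="paymentGatewayConfigTypeId" .../>` and `</hyperlink>` in this hunk are indented with tabs while the surrounding lines use spaces, and the closing tag does not line up with its opening `<hyperlink>`; the same tab indentation appears in the OrderEntryForms.xml and ProductForms.xml hunks below. The first hunk of this same file shows the intended layout (four spaces per level, `</hyperlink>` aligned with its opening tag), so these lines should be re-indented with spaces to match it.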
> 
> 
> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original)
> +++ ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010
> @@ -199,7 +199,9 @@ under the License.
>     <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title="" target="BulkAddProducts"
>         paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext" default-widget-style="inputBox" default-tooltip-style="tabletext">
>         <field name="productId"  title="${uiLabelMap.ProductProductId}" widget-style="buttontext">
> -            <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/>
> +            <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app">
> +				<parameter param-name="productId" from-field="productId"/>
> +			</hyperlink>
>         </field>
>         <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>         <field name="internalName"><display/></field>
> 
> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original)
> +++ ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010
> @@ -287,7 +287,9 @@ under the License.
>         <field name="communicationEventId"><display/></field>
>         <field name="contactListId" use-when="contactListId!=null">
>             <display-entity entity-name="ContactList" description="${contactListName}">
> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}" description="[${communicationEvent.contactListId}]" target-type="inter-app"/>
> +                <sub-hyperlink target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app">
> +                <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/>
> +            </sub-hyperlink>
>             </display-entity>
>         </field>
>         <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
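Review bot: In this hunk the `<parameter>` child of `<sub-hyperlink>` sits at the same indentation as its parent and the closing `</sub-hyperlink>` is indented one level shallower than its opening tag, directly under `<display-entity>`; the XML is well-formed but the nesting is hard to read. Indent the parameter one level deeper than `<sub-hyperlink>` and align `</sub-hyperlink>` with its opening tag, as the other hunks in this commit do. The enclosing form starts outside the hunk.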
> @@ -470,7 +472,9 @@ under the License.
>             </service>
>         </actions>
>         <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/>
> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app">
> +                <parameter param-name="orderId" from-field="orderId"/>
> +            </hyperlink>
>         </field>
>         <field name="communicationEventId">
>             <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
> @@ -1022,7 +1026,9 @@ under the License.
>             <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>         </row-actions>
>         <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/>
> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app">
> +                <parameter param-name="orderId" from-field="orderId"/>
> +            </hyperlink>
>         </field>
>         <field name="communicationEventId"><hidden/></field>
>         <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
> 
> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original)
> +++ ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010
> @@ -1997,7 +1997,9 @@ under the License.
> 
>     <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row" default-table-style="basic-table">
>         <field name="communicationEventId" widget-style="buttontext">
> -            <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/>
> +            <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app">
> +				<parameter param-name="communicationEventId" from-field="communicationEventId"/>
> +			</hyperlink>
>         </field>
>         <field name="subject"><display/></field>
>         <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType" key-field-name="communicationEventTypeId"/></field>
> 
> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original)
> +++ ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010
> @@ -50,7 +50,9 @@ under the License.
>         <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>         <field name="shipmentGatewayConfigId"><hidden/></field>
>         <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
> -            <hyperlink description="${description}" target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/>
> +            <hyperlink description="${description}" target="EditShipmentGatewayConfig">
> +                <parameter param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/>
> +            </hyperlink>
>         </field>
>         <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>             <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId" description="${description}"/>
> @@ -313,7 +315,9 @@ under the License.
>         <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>         <field name="shipmentGatewayConfTypeId"><hidden/></field>
>         <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
> -            <hyperlink description="${description}" target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/>
> +            <hyperlink description="${description}" target="EditShipmentGatewayConfigType">
> +                <parameter param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/>
> +            </hyperlink>
>         </field>
>     </form>
> 
> 
> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original)
> +++ ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010
> @@ -340,7 +340,9 @@
>         <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>         <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time type="date"/></field>
>         <field name="edit" title=" ">
> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
> +            </hyperlink>
>         </field>
>         <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>     </form>
> 
>