Re: svn commit: r1781366 [1/3] - in /ofbiz/trunk: applications/content/widget/compdoc/ applications/content/widget/content/ applications/product/template/ applications/product/template/store/ applications/product/webapp/catalog/WEB-INF/ framework/base/src/...

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: svn commit: r1781366 [1/3] - in /ofbiz/trunk: applications/content/widget/compdoc/ applications/content/widget/content/ applications/product/template/ applications/product/template/store/ applications/product/webapp/catalog/WEB-INF/ framework/base/src/...

Pranay Pandey-3
??

Log:
Implemented:
Improved:
Documented:
Completed:
Reverted:
Fixed:
(OFBIZ-)
Explanation
Thanks:

Best regards,

Pranay Pandey
HotWax Systems
http://www.hotwaxsystems.com/

On Thu, Feb 2, 2017 at 4:03 PM, <[hidden email]> wrote:

> Author: jleroux
> Date: Thu Feb  2 10:33:59 2017
> New Revision: 1781366
>
> URL: http://svn.apache.org/viewvc?rev=1781366&view=rev
> Log:
> Implemented:
> Improved:
> Documented:
> Completed:
> Reverted:
> Fixed:
> (OFBIZ-)
> Explanation
> Thanks:
>
> Added:
>     ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
>  (with props)
>     ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
>  (with props)
>     ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller -
> Copie.xml   (with props)
>     ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web -
> Copie.xml   (with props)
>     ofbiz/trunk/framework/webapp/config/requestHandler -
> Copie.properties   (with props)
>     ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl   (with props)
> Modified:
>     ofbiz/trunk/applications/content/widget/compdoc/
> CompDocTemplateTree.xml
>     ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>     ofbiz/trunk/applications/product/template/Main.ftl
>     ofbiz/trunk/applications/product/template/store/
> EditProductStoreWebSites.ftl
>     ofbiz/trunk/framework/base/src/main/java/org/apache/
> ofbiz/base/util/template/FreeMarkerWorker.java
>     ofbiz/trunk/framework/minilang/src/main/java/org/
> apache/ofbiz/minilang/method/entityops/EntityOne.java
>     ofbiz/trunk/framework/widget/dtd/widget-common.xsd
>     ofbiz/trunk/framework/widget/src/main/java/org/apache/
> ofbiz/widget/renderer/macro/MacroFormRenderer.java
>
> Modified: ofbiz/trunk/applications/content/widget/compdoc/
> CompDocTemplateTree.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> content/widget/compdoc/CompDocTemplateTree.xml?rev=
> 1781366&r1=1781365&r2=1781366&view=diff
> ============================================================
> ==================
> --- ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
> (original)
> +++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
> Thu Feb  2 10:33:59 2017
> @@ -22,7 +22,7 @@ under the License.
>      <tree name="CompDocTemplateTree" entity-name="Content"
> root-node-name="node-root"
>          default-render-style="simple" default-wrap-style="treeWrapper">
>          <node name="node-root" wrap-style="treeWrapper">
> -            <entity-one entity-name="Content" use-cache="false">
> +            <entity-one entity-name="Content" value-field="content"
> use-cache="false">
>                  <field-map field-name="contentId"
> from-field="rootContentId"/>
>              </entity-one>
>              <include-screen name="rootTemplateLine"
> location="component://content/widget/compdoc/CompDocScreens.xml"/>
> @@ -54,7 +54,7 @@ under the License.
>              </sub-node>
>          </node>
>          <node name="node-body" join-field-name="itemContentId"
> entity-name="AssocRevisionItemView" wrap-style="treeWrapper">
> -            <entity-one entity-name="Content" use-cache="false">
> +            <entity-one entity-name="Content" value-field="content"
> use-cache="false">
>                  <field-map field-name="contentId"
> from-field="itemContentId"/>
>              </entity-one>
>              <include-screen name="childTemplateLine"
> location="component://content/widget/compdoc/CompDocScreens.xml"/>
> @@ -90,7 +90,7 @@ under the License.
>      <tree name="CompDocInstanceTree" entity-name="Content"
> root-node-name="node-root"
>          default-render-style="simple" default-wrap-style="treeWrapper">
>          <node name="node-root">
> -            <entity-one entity-name="Content" use-cache="false">
> +            <entity-one entity-name="Content" value-field="content"
> use-cache="false">
>                  <field-map field-name="contentId"
> from-field="instanceContent.instanceOfContentId"/>
>              </entity-one>
>              <include-screen name="rootInstanceLine"
> location="component://content/widget/compdoc/CompDocScreens.xml"/>
> @@ -122,7 +122,7 @@ under the License.
>              </sub-node>
>          </node>
>          <node name="node-body" join-field-name="itemContentId"
> entity-name="AssocRevisionItemView">
> -            <entity-one entity-name="Content" use-cache="false">
> +            <entity-one entity-name="Content" value-field="content"
> use-cache="false">
>                  <field-map field-name="contentId"
> from-field="itemContentId"/>
>              </entity-one>
>              <include-screen name="childInstanceLine"
> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>
> Modified: ofbiz/trunk/applications/content/widget/content/ContentForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> content/widget/content/ContentForms.xml?rev=1781366&
> r1=1781365&r2=1781366&view=diff
> ============================================================
> ==================
> --- ofbiz/trunk/applications/content/widget/content/ContentForms.xml
> (original)
> +++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu
> Feb  2 10:33:59 2017
> @@ -230,9 +230,9 @@ under the License.
>      </form>
>      <!-- ContentAssoc forms -->
>      <form name="EditContentAssoc" target="updateContentAssoc" title=""
> type="single"
> -        header-row-style="header-row" default-table-style="basic-table">
> +        header-row-style="header-row" default-table-style="basic-table"
> default-entity-name="contentAssocX">
>          <actions>
> -            <entity-one entity-name="ContentAssoc" use-cache="true">
> +            <entity-one entity-name="ContentAssoc" use-cache="true"
> value-field="contentAssoc">
>                  <field-map field-name="contentId" from-field="contentId"/>
>                  <field-map field-name="contentIdTo"
> from-field="contentIdTo"/>
>                  <field-map field-name="contentAssocTypeId" from-field="
> contentAssocTypeId"/>
>
> Modified: ofbiz/trunk/applications/product/template/Main.ftl
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff
> ============================================================
> ==================
> --- ofbiz/trunk/applications/product/template/Main.ftl (original)
> +++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb  2
> 10:33:59 2017
> @@ -29,6 +29,8 @@ under the License.
>    </form>
>    <div class="label">${uiLabelMap.CommonOr}: <a href="<@ofbizUrl>EditProdCatalog</@ofbizUrl>"
> class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div>
>    <br />
> +<p>Output format: ${.output_format}
> +<p>Auto-escaping: ${.auto_esc?c}
>    <div class="label">${uiLabelMap.ProductEditCategoryWithCategor
> yId}:</div>
>    <form method="post" action="<@ofbizUrl>EditCategory</@ofbizUrl>"
> style="margin: 0;" name="EditCategoryForm">
>      <@htmlTemplate.lookupField name="productCategoryId"
> id="productCategoryId" formName="EditCategoryForm" fieldFormName="
> LookupProductCategory"/>
>
> Modified: ofbiz/trunk/applications/product/template/store/
> EditProductStoreWebSites.ftl
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> product/template/store/EditProductStoreWebSites.ftl?
> rev=1781366&r1=1781365&r2=1781366&view=diff
> ============================================================
> ==================
> --- ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
> (original)
> +++ ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
> Thu Feb  2 10:33:59 2017
> @@ -37,12 +37,7 @@ under the License.
>                    <td>${webSite.httpHost?default('&nbsp;')}</td>
>                    <td>${webSite.httpPort?default('&nbsp;')}</td>
>                    <td align="center">
> -                    <a href="javascript:document.
> storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${
> uiLabelMap.CommonDelete}</a>
> -                    <form name="storeUpdateWebSite_${webSite_index}"
> method="post" action="<@ofbizUrl>storeUpdateWebSite</@ofbizUrl>">
> -                        <input type="hidden" name="viewProductStoreId"
> value="${productStoreId}"/>
> -                        <input type="hidden" name="productStoreId"
> value=""/>
> -                        <input type="hidden" name="webSiteId"
> value="${webSite.webSiteId}"/>
> -                    </form>
> +                    <a href="<@ofbizUrl>storeUpdateWebSite?
> viewProductStoreId=${productStoreId}&productStoreId=&webSiteId=${
> webSite.webSiteId}</@ofbizUrl>" class="buttontext">${
> uiLabelMap.CommonDelete}</a>
>                    </td>
>                  </tr>
>                  <#-- toggle the row color -->
>
> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.js
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto
> ============================================================
> ==================
> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
> (added)
> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
> Thu Feb  2 10:33:59 2017
> @@ -0,0 +1,447 @@
> +/**
> + * The OWASP CSRFGuard Project, BSD License
> + * Eric Sheridan ([hidden email]), Copyright (c) 2011
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions are
> met:
> + *
> + *    1. Redistributions of source code must retain the above copyright
> notice,
> + *       this list of conditions and the following disclaimer.
> + *    2. Redistributions in binary form must reproduce the above copyright
> + *       notice, this list of conditions and the following disclaimer in
> the
> + *       documentation and/or other materials provided with the
> distribution.
> + *    3. Neither the name of OWASP nor the names of its contributors may
> be used
> + *       to endorse or promote products derived from this software
> without specific
> + *       prior written permission.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> "AS IS"
> + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
> THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> PURPOSE
> + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
> BE LIABLE
> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> CONSEQUENTIAL DAMAGES
> + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
> SERVICES;
> + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
> CAUSED AND ON
> + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> OF THIS
> + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +(function() {
> +    /**
> +     * Code to ensure our event always gets triggered when the DOM is
> updated.
> +     * @param obj
> +     * @param type
> +     * @param fn
> +     * @source http://www.dustindiaz.com/rock-solid-addevent/
> +     */
> +    function addEvent( obj, type, fn ) {
> +        if (obj.addEventListener) {
> +            obj.addEventListener( type, fn, false );
> +            EventCache.add(obj, type, fn);
> +        }
> +        else if (obj.attachEvent) {
> +            obj["e"+type+fn] = fn;
> +            obj[type+fn] = function() { obj["e"+type+fn]( window.event );
> }
> +            obj.attachEvent( "on"+type, obj[type+fn] );
> +            EventCache.add(obj, type, fn);
> +        }
> +        else {
> +            obj["on"+type] = obj["e"+type+fn];
> +        }
> +    }
> +
> +    var EventCache = function(){
> +        var listEvents = [];
> +        return {
> +            listEvents : listEvents,
> +            add : function(node, sEventName, fHandler){
> +                listEvents.push(arguments);
> +            },
> +            flush : function(){
> +                var i, item;
> +                for(i = listEvents.length - 1; i >= 0; i = i - 1){
> +                    item = listEvents[i];
> +                    if(item[0].removeEventListener){
> +                        item[0].removeEventListener(item[1], item[2],
> item[3]);
> +                    };
> +                    if(item[1].substring(0, 2) != "on"){
> +                        item[1] = "on" + item[1];
> +                    };
> +                    if(item[0].detachEvent){
> +                        item[0].detachEvent(item[1], item[2]);
> +                    };
> +                };
> +            }
> +        };
> +    }();
> +
> +    /** string utility functions **/
> +    String.prototype.startsWith = function(prefix) {
> +        return this.indexOf(prefix) === 0;
> +    };
> +
> +    String.prototype.endsWith = function(suffix) {
> +        return this.match(suffix+"$") == suffix;
> +    };
> +
> +    /** hook using standards based prototype **/
> +    function hijackStandard() {
> +        XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
> +        XMLHttpRequest.prototype.open = function(method, url, async,
> user, pass) {
> +            this.url = url;
> +
> +            this._open.apply(this, arguments);
> +        };
> +
> +        XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
> +        XMLHttpRequest.prototype.send = function(data) {
> +            if(this.onsend != null) {
> +                this.onsend.apply(this, arguments);
> +            }
> +
> +            this._send.apply(this, arguments);
> +        };
> +    }
> +
> +    /** ie does not properly support prototype - wrap completely **/
> +    function hijackExplorer() {
> +        var _XMLHttpRequest = window.XMLHttpRequest;
> +
> +        function alloc_XMLHttpRequest() {
> +            this.base = _XMLHttpRequest ? new _XMLHttpRequest : new
> window.ActiveXObject("Microsoft.XMLHTTP");
> +        }
> +
> +        function init_XMLHttpRequest() {
> +            return new alloc_XMLHttpRequest;
> +        }
> +
> +        init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype;
> +
> +        /** constants **/
> +        init_XMLHttpRequest.UNSENT = 0;
> +        init_XMLHttpRequest.OPENED = 1;
> +        init_XMLHttpRequest.HEADERS_RECEIVED = 2;
> +        init_XMLHttpRequest.LOADING = 3;
> +        init_XMLHttpRequest.DONE = 4;
> +
> +        /** properties **/
> +        init_XMLHttpRequest.prototype.status = 0;
> +        init_XMLHttpRequest.prototype.statusText = "";
> +        init_XMLHttpRequest.prototype.readyState =
> init_XMLHttpRequest.UNSENT;
> +        init_XMLHttpRequest.prototype.responseText = "";
> +        init_XMLHttpRequest.prototype.responseXML = null;
> +        init_XMLHttpRequest.prototype.onsend = null;
> +
> +        init_XMLHttpRequest.url = null;
> +        init_XMLHttpRequest.onreadystatechange = null;
> +
> +        /** methods **/
> +        init_XMLHttpRequest.prototype.open = function(method, url,
> async, user, pass) {
> +            var self = this;
> +            this.url = url;
> +
> +            this.base.onreadystatechange = function() {
> +                try { self.status = self.base.status; } catch (e) { }
> +                try { self.statusText = self.base.statusText; } catch (e)
> { }
> +                try { self.readyState = self.base.readyState; } catch (e)
> { }
> +                try { self.responseText = self.base.responseText; }
> catch(e) { }
> +                try { self.responseXML = self.base.responseXML; }
> catch(e) { }
> +
> +                if(self.onreadystatechange != null) {
> +                    self.onreadystatechange.apply(this, arguments);
> +                }
> +            }
> +
> +            this.base.open(method, url, async, user, pass);
> +        };
> +
> +        init_XMLHttpRequest.prototype.send = function(data) {
> +            if(this.onsend != null) {
> +                this.onsend.apply(this, arguments);
> +            }
> +
> +            this.base.send(data);
> +        };
> +
> +        init_XMLHttpRequest.prototype.abort = function() {
> +            this.base.abort();
> +        };
> +
> +        init_XMLHttpRequest.prototype.getAllResponseHeaders = function()
> {
> +            return this.base.getAllResponseHeaders();
> +        };
> +
> +        init_XMLHttpRequest.prototype.getResponseHeader = function(name)
> {
> +            return this.base.getResponseHeader(name);
> +        };
> +
> +        init_XMLHttpRequest.prototype.setRequestHeader = function(name,
> value) {
> +            return this.base.setRequestHeader(name, value);
> +        };
> +
> +        /** hook **/
> +        window.XMLHttpRequest = init_XMLHttpRequest;
> +    }
> +
> +    /** check if valid domain based on domainStrict **/
> +    function isValidDomain(current, target) {
> +        var result = false;
> +
> +        /** check exact or subdomain match **/
> +        if(current == target) {
> +            result = true;
> +        } else if(%DOMAIN_STRICT% == false) {
> +            if(target.charAt(0) == '.') {
> +                result = current.endsWith(target);
> +            } else {
> +                result = current.endsWith('.' + target);
> +            }
> +        }
> +
> +        return result;
> +    }
> +
> +    /** determine if uri/url points to valid domain **/
> +    function isValidUrl(src) {
> +        var result = false;
> +
> +        /** parse out domain to make sure it points to our own **/
> +        if(src.substring(0, 7) == "http://" || src.substring(0, 8) ==
> "https://") {
> +            var token = "://";
> +            var index = src.indexOf(token);
> +            var part = src.substring(index + token.length);
> +            var domain = "";
> +
> +            /** parse up to end, first slash, or anchor **/
> +            for(var i=0; i<part.length; i++) {
> +                var character = part.charAt(i);
> +
> +                if(character == '/' || character == ':' || character ==
> '#') {
> +                    break;
> +                } else {
> +                    domain += character;
> +                }
> +            }
> +
> +            result = isValidDomain(document.domain, domain);
> +            /** explicitly skip anchors **/
> +        } else if(src.charAt(0) == '#') {
> +            result = false;
> +            /** ensure it is a local resource without a protocol **/
> +        } else if(!src.startsWith("//") && (src.charAt(0) == '/' ||
> src.indexOf(':') == -1)) {
> +            result = true;
> +        }
> +
> +        return result;
> +    }
> +
> +    /** parse uri from url **/
> +    function parseUri(url) {
> +        var uri = "";
> +        var token = "://";
> +        var index = url.indexOf(token);
> +        var part = "";
> +
> +        /**
> +         * ensure to skip protocol and prepend context path for
> non-qualified
> +         * resources (ex: "protect.html" vs
> +         * "/Owasp.CsrfGuard.Test/protect.html").
> +         */
> +        if(index > 0) {
> +            part = url.substring(index + token.length);
> +        } else if(url.charAt(0) != '/') {
> +            part = "%CONTEXT_PATH%/" + url;
> +        } else {
> +            part = url;
> +        }
> +
> +        /** parse up to end or query string **/
> +        var uriContext = (index == -1);
> +
> +        for(var i=0; i<part.length; i++) {
> +            var character = part.charAt(i);
> +
> +            if(character == '/') {
> +                uriContext = true;
> +            } else if(uriContext == true && (character == '?' ||
> character == '#')) {
> +                uriContext = false;
> +                break;
> +            }
> +
> +            if(uriContext == true) {
> +                uri += character;
> +            }
> +        }
> +
> +        return uri;
> +    }
> +
> +    /** inject tokens as hidden fields into forms **/
> +    function injectTokenForm(form, tokenName, tokenValue,
> pageTokens,injectGetForms) {
> +
> +        if (!injectGetForms) {
> +            var method = form.getAttribute("method");
> +
> +            if ((typeof method != 'undefined') && method != null &&
> method.toLowerCase() == "get") {
> +                return;
> +            }
> +        }
> +
> +        var value = tokenValue;
> +        var action = form.getAttribute("action");
> +
> +        if(action != null && isValidUrl(action)) {
> +            var uri = parseUri(action);
> +            value = pageTokens[uri] != null ? pageTokens[uri] :
> tokenValue;
> +        }
> +
> +        var hidden = document.createElement("input");
> +
> +        hidden.setAttribute("type", "hidden");
> +        hidden.setAttribute("name", tokenName);
> +        hidden.setAttribute("value", value);
> +
> +        form.appendChild(hidden);
> +    }
> +
> +    /** inject tokens as query string parameters into url **/
> +    function injectTokenAttribute(element, attr, tokenName, tokenValue,
> pageTokens) {
> +        var location = element.getAttribute(attr);
> +
> +        if(location != null && isValidUrl(location)) {
> +            var uri = parseUri(location);
> +            var value = (pageTokens[uri] != null ? pageTokens[uri] :
> tokenValue);
> +
> +            if(location.indexOf('?') != -1) {
> +                location = location + '&' + tokenName + '=' + value;
> +            } else {
> +                location = location + '?' + tokenName + '=' + value;
> +            }
> +
> +            try {
> +                element.setAttribute(attr, location);
> +            } catch (e) {
> +                // attempted to set/update unsupported attribute
> +            }
> +        }
> +    }
> +
> +    /** inject csrf prevention tokens throughout dom **/
> +    function injectTokens(tokenName, tokenValue) {
> +        /** obtain reference to page tokens if enabled **/
> +        var pageTokens = {};
> +
> +        if(%TOKENS_PER_PAGE% == true) {
> +            pageTokens = requestPageTokens();
> +        }
> +
> +        /** iterate over all elements and injection token **/
> +        var all = document.all ? document.all :
> document.getElementsByTagName('*');
> +        var len = all.length;
> +
> +        //these are read from the csrf guard config file(s)
> +        var injectForms = %INJECT_FORMS%;
> +        var injectGetForms = %INJECT_GET_FORMS%;
> +        var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%;
> +        var injectAttributes = %INJECT_ATTRIBUTES%;
> +
> +        for(var i=0; i<len; i++) {
> +            var element = all[i];
> +
> +            /** inject into form **/
> +            if(element.tagName.toLowerCase() == "form") {
> +                if(injectForms) {
> +                    injectTokenForm(element, tokenName, tokenValue,
> pageTokens,injectGetForms);
> +                }
> +                if (injectFormAttributes) {
> +                    injectTokenAttribute(element, "action", tokenName,
> tokenValue, pageTokens);
> +                }
> +                /** inject into attribute **/
> +            } else if(injectAttributes) {
> +                injectTokenAttribute(element, "src", tokenName,
> tokenValue, pageTokens);
> +                injectTokenAttribute(element, "href", tokenName,
> tokenValue, pageTokens);
> +            }
> +        }
> +    }
> +
> +    /** obtain array of page specific tokens **/
> +    function requestPageTokens() {
> +        var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new
> window.ActiveXObject("Microsoft.XMLHTTP");
> +        var pageTokens = {};
> +
> +        xhr.open("POST", "%SERVLET_PATH%", false);
> +        xhr.send(null);
> +
> +        var text = xhr.responseText;
> +        var name = "";
> +        var value = "";
> +        var nameContext = true;
> +
> +        for(var i=0; i<text.length; i++) {
> +            var character = text.charAt(i);
> +
> +            if(character == ':') {
> +                nameContext = false;
> +            } else if(character != ',') {
> +                if(nameContext == true) {
> +                    name += character;
> +                } else {
> +                    value += character;
> +                }
> +            }
> +
> +            if(character == ',' || (i + 1) >= text.length) {
> +                pageTokens[name] = value;
> +                name = "";
> +                value = "";
> +                nameContext = true;
> +            }
> +        }
> +
> +        return pageTokens;
> +    }
> +
> +    /**
> +     * Only inject the tokens if the JavaScript was referenced from HTML
> that
> +     * was served by us. Otherwise, the code was referenced from
> malicious HTML
> +     * which may be trying to steal tokens using JavaScript hijacking
> techniques.
> +     * The token is now removed and fetched using another POST request to
> solve,
> +     * the token hijacking problem.
> +     */
> +    if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
> +        /** optionally include Ajax support **/
> +        if(%INJECT_XHR% == true) {
> +            if(navigator.appName == "Microsoft Internet Explorer") {
> +                hijackExplorer();
> +            } else {
> +                hijackStandard();
> +            }
> +
> +        var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new
> window.ActiveXObject("Microsoft.XMLHTTP");
> +        var csrfToken = {};
> +        xhr.open("POST", "%SERVLET_PATH%", false);
> +        xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
> +        xhr.send(null);
> +
> +        var token_pair = xhr.responseText;
> +        token_pair = token_pair.split(":");
> +        var token_name = token_pair[0];
> +        var token_value = token_pair[1];
> +
> +            XMLHttpRequest.prototype.onsend = function(data) {
> +                if(isValidUrl(this.url)) {
> +                    this.setRequestHeader("X-Requested-With",
> "XMLHttpRequest")
> +                    this.setRequestHeader(token_name, token_value);
> +                }
> +            };
> +        }
> +
> +        /** update nodes in DOM after load **/
> +        addEvent(window,'unload',EventCache.flush);
> +        addEvent(window,'DOMContentLoaded', function() {
> +            injectTokens(token_name, token_value);
> +        });
> +    } else {
> +        alert("OWASP CSRFGuard JavaScript was included from within an
> unauthorized domain!");
> +    }
> +})();
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.js
> ------------------------------------------------------------
> ------------------
>     svn:eol-style = native
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.js
> ------------------------------------------------------------
> ------------------
>     svn:keywords = Date Rev Author URL Id
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.js
> ------------------------------------------------------------
> ------------------
>     svn:mime-type = text/plain
>
> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.properties
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.
> properties?rev=1781366&view=auto
> ============================================================
> ==================
> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
> (added)
> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
> Thu Feb  2 10:33:59 2017
> @@ -0,0 +1,417 @@
> +# The OWASP CSRFGuard Project, BSD License
> +# Eric Sheridan ([hidden email]), Copyright (c) 2011
> +# All rights reserved.
> +#
> +# Redistribution and use in source and binary forms, with or without
> +# modification, are permitted provided that the following conditions are
> met:
> +#
> +# 1. Redistributions of source code must retain the above copyright
> notice,
> +#    this list of conditions and the following disclaimer.
> +# 2. Redistributions in binary form must reproduce the above copyright
> +#    notice, this list of conditions and the following disclaimer in the
> +#    documentation and/or other materials provided with the distribution.
> +# 3. Neither the name of OWASP nor the names of its contributors may be
> used
> +#    to endorse or promote products derived from this software without
> specific
> +#    prior written permission.
> +#
> +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
> IS"
> +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
> THE
> +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> PURPOSE
> +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
> BE LIABLE
> +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> CONSEQUENTIAL DAMAGES
> +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
> SERVICES;
> +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
> AND ON
> +# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> OF THIS
> +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> +
> +# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/
> csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
> +
> +# Common substitutions
> +# %servletContext%  is the servlet context (e.g. the configured app
> prefix or war file name, or blank.
> +# e.g. if you deploy a default warfile as someApp.war, then
> %servletContext% will be /someApp
> +# if there isnt a context it will be the empty string.  So to use this in
> the configuration, use e.g. %servletContext%/something.html
> +# which will translate to e.g. /someApp/something.html
> +
> +# Logger
> +#
> +# The logger property (org.owasp.csrfguard.Logger) defines the qualified
> class name of
> +# the object responsible for processing all log messages produced by
> CSRFGuard. The default
> +# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class
> logs all messages
> +# to System.out which JavaEE application servers redirect to a vendor
> specific log file.
> +# Developers can customize the logging behavior of CSRFGuard by
> implementing the
> +# org.owasp.csrfguard.log.ILogger interface and setting the logger
> property to the new
> +# logger's qualified class name. The following configuration snippet
> instructs OWASP CSRFGuard
> +# to capture all log messages to the console:
> +#
> +# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
> +org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
> +
> +# Which configuration provider factory you want to use.  The default is
> org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
> +# Another configuration provider has more features including config
> overlays: org.owasp.csrfguard.config.overlay.
> ConfigurationOverlayProviderFactory
> +# The default configuration provider is: org.owasp.csrfguard.config.
> overlay.ConfigurationAutodetectProviderFactory
> +# which will look for an overlay file, it is there, and the factory
> inside that file is set it will use it, otherwise will be
> PropertiesConfigurationProviderFactory
> +# it needs to implement org.owasp.csrfguard.config.
> ConfigurationProviderFactory
> +org.owasp.csrfguard.configuration.provider.factory =
> org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
> +
> +
> +# If csrfguard filter is enabled
> +org.owasp.csrfguard.Enabled = false
> +
> +# If csrf guard filter should check even if there is no session for the
> user
> +# Note: this changed around 2014/04, the default behavior used to be to
> +# not check if there is no session.  If you want the legacy behavior (if
> your app
> +# is not susceptible to CSRF if the user has no session), set this to
> false
> +org.owasp.csrfguard.ValidateWhenNoSessionExists = true
> +
> +# New Token Landing Page
> +#
> +# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage)
> defines where
> +# to send a user if the token is being generated for the first time, and
> the use new token landing
> +# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage)
> determines if any redirect happens.
> +# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not
> specified, and to true
> +# if it is specified.. If UseNewTokenLandingPage is set true then this
> request is generated
> +# using auto-posting forms and will only contain the CSRF prevention
> token parameter, if
> +# applicable. All query-string or form parameters sent with the original
> request will be
> +# discarded. If this property is not defined, CSRFGuard will instead
> auto-post the user to the
> +# original context and servlet path. The following configuration snippet
> instructs OWASP CSRFGuard to
> +# redirect the user to %servletContext%/index.html when the user visits a
> protected resource
> +# without having a corresponding CSRF token present in the HttpSession
> object:
> +#
> +org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/*
> +
> +# Protected Methods
> +#
> +# The protected methods property (org.owasp.csrfguard.ProtectedMethods)
> defines a comma
> +# separated list of HTTP request methods that should be protected by
> CSRFGuard. The default
> +# list is an empty list which will cause all HTTP methods to be
> protected, thus preserving
> +# legacy behavior. This setting allows the user to inform CSRFGuard that
> only requests of the
> +# given types should be considered for protection. All HTTP methods not
> in the list will be
> +# considered safe (i.e. view only / unable to modify data). This should
> be used only when the
> +# user has concrete knowledge that all requests made via methods not in
> the list
> +# are safe (i.e. do not apply an action to any data) since it can
> actually introduce new
> +# security vulnerabilities. For example: the user thinks that all
> actionable requests are
> +# only available by POST requests when in fact some are available via GET
> requests. If the
> +# user has excluded GET requests from the list then they have introduced
> a vulnerability.
> +# The following configuration snippet instructs OWASP CSRFGuard to
> protect only the POST,
> +# PUT, and DELETE HTTP methods.
> +#
> +# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
> +
> +# or you can configure all to be protected, and specify which is
> unprotected.  This is the preferred approach
> +
> +# org.owasp.csrfguard.UnprotectedMethods=GET
> +
> +# Unique Per-Page Tokens
> +#
> +# The unique token per-page property (org.owasp.csrfguard.TokenPerPage)
> is a boolean value that
> +# determines if CSRFGuard should make use of unique per-page (i.e. URI)
> prevention tokens as
> +# opposed to unique per-session prevention tokens. When a user requests a
> protected resource,
> +# CSRFGuard will determine if a page specific token has been previously
> generated. If a page
> +# specific token has not yet been previously generated, CSRFGuard will
> verify the request was
> +# submitted with the per-session token intact. After verifying the
> presence of the per-session token,
> +# CSRFGuard will create a page specific token that is required for all
> subsequent requests to the
> +# associated resource. The per-session CSRF token can only be used when
> requesting a resource for
> +# the first time. All subsequent requests must have the per-page token
> intact or the request will
> +# be treated as a CSRF attack. This behavior can be changed with the
> org.owasp.csrfguard.TokenPerPagePrecreate
> +# property. Enabling this property will make CSRFGuard calculate the per
> page token prior to a first
> +# visit. This option only works with JSTL token injection and is useful
> for preserving the validity of
> +# links if the user pushes the back button. There may be a performance
> impact when enabling this option
> +# if the .jsp has a large number of proctected links that need tokens to
> be calculated.
> +# Use of the unique token per page property is currently experimental
> +# but provides a significant amount of improved security. Consider the
> exposure of a CSRF token using
> +# the legacy unique per-session model. Exposure of this token facilitates
> the attacker's ability to
> +# carry out a CSRF attack against the victim's active session for any
> resource exposed by the web
> +# application. Now consider the exposure of a CSRF token using the
> experimental unique token per-page
> +# model. Exposure of this token would only allow the attacker to carry
> out a CSRF attack against the
> +# victim's active session for a small subset of resources exposed by the
> web application. Use of the
> +# unique token per-page property is a strong defense in depth strategy
> significantly reducing the
> +# impact of exposed CSRF prevention tokens. The following configuration
> snippet instructs OWASP
> +# CSRFGuard to utilize the unique token per-page model:
> +#
> +# org.owasp.csrfguard.TokenPerPage=true
> +# org.owasp.csrfguard.TokenPerPagePrecreate=false
> +org.owasp.csrfguard.TokenPerPage=true
> +org.owasp.csrfguard.TokenPerPagePrecreate=false
> +
> +# Token Rotation
> +#
> +# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean
> value that determines if
> +# CSRFGuard should generate and utilize a new token after verifying the
> previous token. Rotation
> +# helps minimize the window of opportunity an attacker has to leverage
> the victim's stolen token
> +# in a targeted CSRF attack. However, this functionality generally causes
> navigation problems in
> +# most applications. Specifically, the 'Back' button in the browser will
> often cease to function
> +# properly. When a user hits the 'Back' button and interacts with the
> HTML, the browser may submit
> +# an old token causing CSRFGuard to incorrectly believe this request is a
> CSRF attack in progress
> +# (i.e. a 'false positive'). Users can prevent this scenario by
> preventing the caching of HTML pages
> +# containing FORM submissions using the cache-control header. However,
> this may also introduce
> +# performance problems as the browser will have to request HTML on a more
> frequent basis. The following
> +# configuration snippet enables token rotation:
> +#
> +# org.owasp.csrfguard.Rotate=true
> +
> +# Ajax and XMLHttpRequest Support
> +#
> +# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that
> indicates whether or not OWASP
> +# CSRFGuard should support the injection and verification of unique
> per-session prevention tokens for
> +# XMLHttpRequests. To leverage Ajax support, the user must not only set
> this property to true but must
> +# also reference the JavaScript DOM Manipulation code using a script
> element. This dynamic script will
> +# override the send method of the XMLHttpRequest object to ensure the
> submission of an X-Requested-With
> +# header name value pair coupled with the submission of a custom header
> name value pair for each request.
> +# The name of the custom header is the value of the token name property
> and the value of the header is
> +# always the unique per-session token value. This custom header is
> analogous to the HTTP parameter name
> +# value pairs submitted via traditional GET and POST requests. If the
> X-Requested-With header was sent
> +# in the HTTP request, then CSRFGuard will look for the presence and
> ensure the validity of the unique
> +# per-session token in the custom header name value pair. Note that
> verification of these headers takes
> +# precedence over verification of the CSRF token supplied as an HTTP
> parameter. More specifically,
> +# CSRFGuard does not verify the presence of the CSRF token if the Ajax
> support property is enabled and
> +# the corresponding X-Requested-With and custom headers are embedded
> within the request. The following
> +# configuration snippet instructs OWASP CSRFGuard to support Ajax
> requests by verifying the presence and
> +# correctness of the X-Requested-With and custom headers:
> +#
> +# org.owasp.csrfguard.Ajax=true
> +org.owasp.csrfguard.Ajax=true
> +
> +# The default behavior of CSRFGuard is to protect all pages. Pages marked
> as unprotected will not be protected.
> +# If the Protect property is enabled, this behavior is reversed. Pages
> must be marked as protected to be protected.
> +# All other pages will not be protected. This is useful when the
> CsrfGuardFilter is aggressively mapped (ex: /*),
> +# but you only want to protect a few pages.
> +#
> +# org.owasp.csrfguard.Protect=true
> +
> +# Unprotected Pages:
> +#
> +# The unprotected pages property (org.owasp.csrfguard.unprotected.*)
> defines a series of pages that
> +# should not be protected by CSRFGuard. Such configurations are useful
> when the CsrfGuardFilter is
> +# aggressively mapped (ex: /*). The syntax of the property name is
> org.owasp.csrfguard.unprotected.[PageName],
> +# where PageName is some arbitrary identifier that can be used to
> reference a resource. The syntax of
> +# defining the uri of unprotected pages is the same as the syntax used by
> the JavaEE container for uri mapping.
> +# Specifically, CSRFGuard will identify the first match (if any) between
> the requested uri and an unprotected
> +# page in order of declaration. Match criteria is as follows:
> +#
> +# Case 1: exact match between request uri and unprotected page
> +# Case 2: longest path prefix match, beginning / and ending /*
> +# Case 3: extension match, beginning *.
> +# Case 4: if the value starts with ^ and ends with $, it will be
> evaulated as a regex.  Note that before the
> +#   regex is compiled, any common variables will be substituted (e.g.
> %servletContext%)
> +# Default: requested resource must be validated by CSRFGuard
> +#
> +# The following code snippet illustrates the four use cases over four
> examples. The first two examples
> +# (Tag and JavaScriptServlet) look for direct URI matches. The third
> example (Html) looks for all resources
> +# ending in a .html extension. The next example (Public) looks for all
> resources prefixed with the URI path /MySite/Public/*.
> +# The last example looks for resources that end in Public.do
> +#
> +# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
> +# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/
> JavaScriptServlet
> +# org.owasp.csrfguard.unprotected.Html=*.html
> +# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
> +# regex example starts with ^ and ends with $, and the %servletContext%
> is evaluated before the regex
> +# org.owasp.csrfguard.unprotected.PublicServlet=^%
> servletContext%/.*Public\.do$
> +
> +#org.owasp.csrfguard.unprotected.Default=%servletContext%/
> +#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
> +org.owasp.csrfguard.unprotected.JavaScriptServlet=
> %servletContext%/control/JavaScriptServlet
> +#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp
> +#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
> +#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.
> html
> +#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
> +#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
> +#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
> +#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
> +org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico
> +org.owasp.csrfguard.unprotected.Session=%servletContext%/control/login/*
> +org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp
> +
> +# Actions: Responding to Attacks
> +#
> +# The actions directive (org.owasp.csrfguard.action.*) gives the user the
> ability to specify one or more
> +# actions that should be invoked when a CSRF attack is detected. Every
> action must implement the
> +# org.owasp.csrfguard.action.IAction interface either directly or
> indirectly through the
> +# org.owasp.csrfguard.action.AbstractAction helper class. Many actions
> accept parameters that can be specified
> +# along with the action class declaration. These parameters are consumed
> at runtime and impact the behavior of
> +# the associated action.
> +#
> +# The syntax for defining and configuring CSRFGuard actions is relatively
> straight forward. Let us assume we wish
> +# to redirect the user to a default page when a CSRF attack is detected.
> A redirect action already exists within
> +# the CSRFGuard bundle and is available via the class name
> org.owasp.csrfguard.actions.Redirect. In order to enable
> +# this action, we capture the following declaration in the
> Owasp.CsrfGuard.properties file:
> +#
> +# syntax: org.owasp.csrfguard.action.[actionName]=[className]
> +# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.
> csrfguard.actions.Redirect
> +#
> +# The aforementioned directive declares an action called "Redirect" (i.e.
> [actionName]) referencing the Java class
> +# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a
> CSRF attack is detected, the Redirect action
> +# will be executed. You may be asking yourself, "but how do I specify
> where the user is redirected?"; this is where
> +# action parameters come into play. In order to specify the redirect
> location, we capture the following declaration
> +# in the Owasp.CsrfGuard.properties file:
> +#
> +# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[
> parameterValue]
> +# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%
> servletContext%/error.html
> +#
> +# The aforementioned directive declares an action parameter called
> "ErrorPage" (i.e. [parameterName]) with the value
> +# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action
> "Redirect" (i.e. [actionName]). The
> +# Redirect action expects the "ErrorPage" parameter to be defined and
> will redirect the user to this location when
> +# an attack is detected.
> +#
> +#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
> +org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
> +org.owasp.csrfguard.action.Log.Message=potential cross-site request
> forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%,
> method:%request_method%, uri:%request_uri%, error:%exception_message%)
> +#org.owasp.csrfguard.action.Invalidate=org.owasp.
> csrfguard.action.Invalidate
> +#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
> +#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
> +#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.
> RequestAttribute
> +#org.owasp.csrfguard.action.RequestAttribute.
> AttributeName=Owasp_CsrfGuard_Exception_Key
> +#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
> +org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.
> SessionAttribute
> +org.owasp.csrfguard.action.SessionAttribute.
> AttributeName=Owasp_CsrfGuard_Exception_Key
> +#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
> +#org.owasp.csrfguard.action.Error.Code=403
> +#org.owasp.csrfguard.action.Error.Message=Security violation.
> +
> +# Token Name
> +#
> +# The token name property (org.owasp.csrfguard.TokenName) defines the
> name of the HTTP parameter
> +# to contain the value of the OWASP CSRFGuard token for each request. The
> following configuration
> +# snippet sets the CSRFGuard token parameter name to the value
> OWASP_CSRFTOKEN:
> +#
> +# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
> +org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
> +
> +# Session Key
> +#
> +# The session key property (org.owasp.csrfguard.SessionKey) defines the
> string literal used to save
> +# and lookup the CSRFGuard token from the session. This value is used by
> the filter and the tag
> +# libraries to retrieve and set the token value in the session.
> Developers can use this key to
> +# programmatically lookup the token within their own code. The following
> configuration snippet sets
> +# the session key to the value OWASP_CSRFTOKEN:
> +#
> +# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
> +org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
> +
> +# Token Length
> +#
> +# The token length property (org.owasp.csrfguard.TokenLength) defines
> the number of characters that
> +# should be found within the CSRFGuard token. Note that characters are
> delimited by dashes (-) in groups
> +# of four. For cosmetic reasons, users are encourage to ensure the token
> length is divisible by four.
> +# The following configuration snippet sets the token length property to
> 32 characters:
> +#
> +# org.owasp.csrfguard.TokenLength=32
> +org.owasp.csrfguard.TokenLength=32
> +
> +# Pseudo-random Number Generator
> +#
> +# The pseudo-random number generator property (org.owasp.csrfguard.PRNG)
> defines what PRNG should be used
> +# to generate the OWASP CSRFGuard token. Always ensure this value
> references a cryptographically strong
> +# pseudo-random number generator algorithm. The following configuration
> snippet sets the pseudo-random number
> +# generator to SHA1PRNG:
> +#
> +# org.owasp.csrfguard.PRNG=SHA1PRNG
> +org.owasp.csrfguard.PRNG=SHA1PRNG
> +
> +# Pseudo-random Number Generator Provider
> +
> +# The pseudo-random number generator provider property
> (org.owasp.csrfguard.PRNG.Provider) defines which
> +# provider's implementation of org.owasp.csrfguard.PRNG we should
> utilize. The following configuration
> +# snippet instructs the JVM to leverage SUN's implementation of the
> algorithm denoted by the
> +# org.owasp.csrfguard.PRNG property:
> +
> +# org.owasp.csrfguard.PRNG.Provider=SUN
> +org.owasp.csrfguard.PRNG.Provider=SUN
> +
> +# If not specifying the print config option in the web.xml, you can
> specify it here, to print the config
> +# on startup
> +org.owasp.csrfguard.Config.Print = true
> +
> +###########################
> +## Javascript servlet settings if not set in web.xml
> +## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
> +###########################
> +
> +# leave this blank and blank in web.xml and it will read from
> META-INF/csrfguard.js from the jarfile
> +# Denotes the location of the JavaScript template file that should be
> consumed and dynamically
> +# augmented by the JavaScriptServlet class. The default value is
> WEB-INF/Owasp.CsrfGuard.js.
> +# Use of this property and the existence of the specified template file
> is required.
> +#org.owasp.csrfguard.JavascriptServlet.sourceFile =
> WEB-INF/Owasp.CsrfGuard.js
> +org.owasp.csrfguard.JavascriptServlet.sourceFile =
> WEB-INF/Owasp.CsrfGuard.js
> +
> +# Boolean value that determines whether or not the dynamic JavaScript
> code should be strict
> +# with regards to what links it should inject the CSRF prevention token.
> With a value of true,
> +# the JavaScript code will only place the token in links that point to
> the same exact domain
> +# from which the HTML originated. With a value of false, the JavaScript
> code will place the
> +# token in links that not only point to the same exact domain from which
> the HTML originated,
> +# but sub-domains as well.
> +org.owasp.csrfguard.JavascriptServlet.domainStrict = true
> +
> +# Allows the developer to specify the value of the Cache-Control header
> in the HTTP response
> +# when serving the dynamic JavaScript file. The default value is private,
> maxage=28800.
> +# Caching of the dynamic JavaScript file is intended to minimize traffic
> and improve performance.
> +# Note that the Cache-Control header is always set to "no-store" when
> either the "Rotate"
> +# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
> +org.owasp.csrfguard.JavascriptServlet.cacheControl = private,
> maxage=28800
> +
> +# Allows the developer to specify a regular expression describing the
> required value of the
> +# Referer header. Any attempts to access the servlet with a Referer
> header that does not
> +# match the captured expression is discarded. Inclusion of referer header
> checking is to
> +# help minimize the risk of JavaScript Hijacking attacks that attempt to
> steal tokens from
> +# the dynamically generated JavaScript. While the primary defenses
> against JavaScript
> +# Hijacking attacks are implemented within the dynamic JavaScript itself,
> referer header
> +# checking is implemented to achieve defense in depth.
> +org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
> +
> +# Similar to javascript servlet referer pattern, but this will make sure
> the referer of the
> +# javascript servlet matches the domain of the request.  If there is no
> referer (proxy strips it?)
> +# then it will not fail.  Generally this is a good idea to be true.
> +org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
> +
> +# Boolean value that determines whether or not the dynamic JavaScript
> code should
> +# inject the CSRF prevention token as a hidden field into HTML forms. The
> default
> +# value is true. Developers are strongly discouraged from disabling this
> property
> +# as most server-side state changing actions are triggered via a POST
> request.
> +org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
> +
> +# if the token should be injected in GET forms (which will be on the URL)
> +# if the HTTP method GET is unprotected, then this should likely be false
> +org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
> +
> +# if the token should be injected in the action in forms
> +# note, if injectIntoForms is true, then this might not need to be true
> +org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
> +
> +
> +# Boolean value that determines whether or not the dynamic JavaScript
> code should
> +# inject the CSRF prevention token in the query string of src and href
> attributes.
> +# Injecting the CSRF prevention token in a URL resource increases its
> general risk
> +# of exposure to unauthorized parties. However, most JavaEE web
> applications respond
> +# in the exact same manner to HTTP requests and their associated
> parameters regardless
> +# of the HTTP method. The risk associated with not protecting GET
> requests in this
> +# situation is perceived greater than the risk of exposing the token in
> protected GET
> +# requests. As a result, the default value of this attribute is set to
> true. Developers
> +# that are confident their server-side state changing controllers will
> only respond to
> +# POST requests (i.e. discarding GET requests) are strongly encouraged to
> disable this property.
> +org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
> +
> +
> +org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard
> Project
> +
> +###########################
> +## Config overlay settings if you have the provider above set to
> ConfigurationOverlayProvider
> +## This CSRF config provider uses Internet2 Configuration Overlays
> (documented on Internet2 wiki)
> +## By default the configuration is read from the
> Owasp.CsrfGuard.properties
> +## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties
> overlays
> +## the base settings.  See the Owasp.CsrfGuard.properties for the possible
> +## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
> +###########################
> +
> +# comma separated config files that override each other (files on the
> right override the left)
> +# each should start with file: or classpath:
> +# e.g. classpath:Owasp.CsrfGuard.properties,
> file:c:/temp/myFile.properties
> +org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties,
> classpath:Owasp.CsrfGuard.overlay.properties
> +
> +# seconds between checking to see if the config files are updated
> +org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
> +
> +
> +###########################
> +
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.properties
> ------------------------------------------------------------
> ------------------
>     svn:eol-style = native
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.properties
> ------------------------------------------------------------
> ------------------
>     svn:keywords = Date Rev Author URL Id
>
> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
> INF/Owasp.CsrfGuard.properties
> ------------------------------------------------------------
> ------------------
>     svn:mime-type = text/plain
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: svn commit: r1781366 [1/3] - in /ofbiz/trunk: applications/content/widget/compdoc/ applications/content/widget/content/ applications/product/template/ applications/product/template/store/ applications/product/webapp/catalog/WEB-INF/ framework/base/src/...

Gil Portenseigne
Hello Pranay,

Jacques reverted it just after, he did not commited it on purpose.

Regards,

Gil


Le 02/02/2017 à 13:52, Pranay Pandey a écrit :

> ??
>
> Log:
> Implemented:
> Improved:
> Documented:
> Completed:
> Reverted:
> Fixed:
> (OFBIZ-)
> Explanation
> Thanks:
>
> Best regards,
>
> Pranay Pandey
> HotWax Systems
> http://www.hotwaxsystems.com/
>
> On Thu, Feb 2, 2017 at 4:03 PM, <[hidden email]> wrote:
>
>> Author: jleroux
>> Date: Thu Feb  2 10:33:59 2017
>> New Revision: 1781366
>>
>> URL: http://svn.apache.org/viewvc?rev=1781366&view=rev
>> Log:
>> Implemented:
>> Improved:
>> Documented:
>> Completed:
>> Reverted:
>> Fixed:
>> (OFBIZ-)
>> Explanation
>> Thanks:
>>
>> Added:
>>      ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
>>   (with props)
>>      ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
>>   (with props)
>>      ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller -
>> Copie.xml   (with props)
>>      ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web -
>> Copie.xml   (with props)
>>      ofbiz/trunk/framework/webapp/config/requestHandler -
>> Copie.properties   (with props)
>>      ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl   (with props)
>> Modified:
>>      ofbiz/trunk/applications/content/widget/compdoc/
>> CompDocTemplateTree.xml
>>      ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>>      ofbiz/trunk/applications/product/template/Main.ftl
>>      ofbiz/trunk/applications/product/template/store/
>> EditProductStoreWebSites.ftl
>>      ofbiz/trunk/framework/base/src/main/java/org/apache/
>> ofbiz/base/util/template/FreeMarkerWorker.java
>>      ofbiz/trunk/framework/minilang/src/main/java/org/
>> apache/ofbiz/minilang/method/entityops/EntityOne.java
>>      ofbiz/trunk/framework/widget/dtd/widget-common.xsd
>>      ofbiz/trunk/framework/widget/src/main/java/org/apache/
>> ofbiz/widget/renderer/macro/MacroFormRenderer.java
>>
>> Modified: ofbiz/trunk/applications/content/widget/compdoc/
>> CompDocTemplateTree.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> content/widget/compdoc/CompDocTemplateTree.xml?rev=
>> 1781366&r1=1781365&r2=1781366&view=diff
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
>> (original)
>> +++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
>> Thu Feb  2 10:33:59 2017
>> @@ -22,7 +22,7 @@ under the License.
>>       <tree name="CompDocTemplateTree" entity-name="Content"
>> root-node-name="node-root"
>>           default-render-style="simple" default-wrap-style="treeWrapper">
>>           <node name="node-root" wrap-style="treeWrapper">
>> -            <entity-one entity-name="Content" use-cache="false">
>> +            <entity-one entity-name="Content" value-field="content"
>> use-cache="false">
>>                   <field-map field-name="contentId"
>> from-field="rootContentId"/>
>>               </entity-one>
>>               <include-screen name="rootTemplateLine"
>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>> @@ -54,7 +54,7 @@ under the License.
>>               </sub-node>
>>           </node>
>>           <node name="node-body" join-field-name="itemContentId"
>> entity-name="AssocRevisionItemView" wrap-style="treeWrapper">
>> -            <entity-one entity-name="Content" use-cache="false">
>> +            <entity-one entity-name="Content" value-field="content"
>> use-cache="false">
>>                   <field-map field-name="contentId"
>> from-field="itemContentId"/>
>>               </entity-one>
>>               <include-screen name="childTemplateLine"
>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>> @@ -90,7 +90,7 @@ under the License.
>>       <tree name="CompDocInstanceTree" entity-name="Content"
>> root-node-name="node-root"
>>           default-render-style="simple" default-wrap-style="treeWrapper">
>>           <node name="node-root">
>> -            <entity-one entity-name="Content" use-cache="false">
>> +            <entity-one entity-name="Content" value-field="content"
>> use-cache="false">
>>                   <field-map field-name="contentId"
>> from-field="instanceContent.instanceOfContentId"/>
>>               </entity-one>
>>               <include-screen name="rootInstanceLine"
>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>> @@ -122,7 +122,7 @@ under the License.
>>               </sub-node>
>>           </node>
>>           <node name="node-body" join-field-name="itemContentId"
>> entity-name="AssocRevisionItemView">
>> -            <entity-one entity-name="Content" use-cache="false">
>> +            <entity-one entity-name="Content" value-field="content"
>> use-cache="false">
>>                   <field-map field-name="contentId"
>> from-field="itemContentId"/>
>>               </entity-one>
>>               <include-screen name="childInstanceLine"
>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>>
>> Modified: ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> content/widget/content/ContentForms.xml?rev=1781366&
>> r1=1781365&r2=1781366&view=diff
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>> (original)
>> +++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu
>> Feb  2 10:33:59 2017
>> @@ -230,9 +230,9 @@ under the License.
>>       </form>
>>       <!-- ContentAssoc forms -->
>>       <form name="EditContentAssoc" target="updateContentAssoc" title=""
>> type="single"
>> -        header-row-style="header-row" default-table-style="basic-table">
>> +        header-row-style="header-row" default-table-style="basic-table"
>> default-entity-name="contentAssocX">
>>           <actions>
>> -            <entity-one entity-name="ContentAssoc" use-cache="true">
>> +            <entity-one entity-name="ContentAssoc" use-cache="true"
>> value-field="contentAssoc">
>>                   <field-map field-name="contentId" from-field="contentId"/>
>>                   <field-map field-name="contentIdTo"
>> from-field="contentIdTo"/>
>>                   <field-map field-name="contentAssocTypeId" from-field="
>> contentAssocTypeId"/>
>>
>> Modified: ofbiz/trunk/applications/product/template/Main.ftl
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/product/template/Main.ftl (original)
>> +++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb  2
>> 10:33:59 2017
>> @@ -29,6 +29,8 @@ under the License.
>>     </form>
>>     <div class="label">${uiLabelMap.CommonOr}: <a href="<@ofbizUrl>EditProdCatalog</@ofbizUrl>"
>> class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div>
>>     <br />
>> +<p>Output format: ${.output_format}
>> +<p>Auto-escaping: ${.auto_esc?c}
>>     <div class="label">${uiLabelMap.ProductEditCategoryWithCategor
>> yId}:</div>
>>     <form method="post" action="<@ofbizUrl>EditCategory</@ofbizUrl>"
>> style="margin: 0;" name="EditCategoryForm">
>>       <@htmlTemplate.lookupField name="productCategoryId"
>> id="productCategoryId" formName="EditCategoryForm" fieldFormName="
>> LookupProductCategory"/>
>>
>> Modified: ofbiz/trunk/applications/product/template/store/
>> EditProductStoreWebSites.ftl
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> product/template/store/EditProductStoreWebSites.ftl?
>> rev=1781366&r1=1781365&r2=1781366&view=diff
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
>> (original)
>> +++ ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
>> Thu Feb  2 10:33:59 2017
>> @@ -37,12 +37,7 @@ under the License.
>>                     <td>${webSite.httpHost?default('&nbsp;')}</td>
>>                     <td>${webSite.httpPort?default('&nbsp;')}</td>
>>                     <td align="center">
>> -                    <a href="javascript:document.
>> storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${
>> uiLabelMap.CommonDelete}</a>
>> -                    <form name="storeUpdateWebSite_${webSite_index}"
>> method="post" action="<@ofbizUrl>storeUpdateWebSite</@ofbizUrl>">
>> -                        <input type="hidden" name="viewProductStoreId"
>> value="${productStoreId}"/>
>> -                        <input type="hidden" name="productStoreId"
>> value=""/>
>> -                        <input type="hidden" name="webSiteId"
>> value="${webSite.webSiteId}"/>
>> -                    </form>
>> +                    <a href="<@ofbizUrl>storeUpdateWebSite?
>> viewProductStoreId=${productStoreId}&productStoreId=&webSiteId=${
>> webSite.webSiteId}</@ofbizUrl>" class="buttontext">${
>> uiLabelMap.CommonDelete}</a>
>>                     </td>
>>                   </tr>
>>                   <#-- toggle the row color -->
>>
>> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.js
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
>> (added)
>> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
>> Thu Feb  2 10:33:59 2017
>> @@ -0,0 +1,447 @@
>> +/**
>> + * The OWASP CSRFGuard Project, BSD License
>> + * Eric Sheridan ([hidden email]), Copyright (c) 2011
>> + * All rights reserved.
>> + *
>> + * Redistribution and use in source and binary forms, with or without
>> + * modification, are permitted provided that the following conditions are
>> met:
>> + *
>> + *    1. Redistributions of source code must retain the above copyright
>> notice,
>> + *       this list of conditions and the following disclaimer.
>> + *    2. Redistributions in binary form must reproduce the above copyright
>> + *       notice, this list of conditions and the following disclaimer in
>> the
>> + *       documentation and/or other materials provided with the
>> distribution.
>> + *    3. Neither the name of OWASP nor the names of its contributors may
>> be used
>> + *       to endorse or promote products derived from this software
>> without specific
>> + *       prior written permission.
>> + *
>> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>> "AS IS"
>> + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
>> THE
>> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>> PURPOSE
>> + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
>> BE LIABLE
>> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>> CONSEQUENTIAL DAMAGES
>> + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
>> SERVICES;
>> + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
>> CAUSED AND ON
>> + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> OF THIS
>> + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> + */
>> +(function() {
>> +    /**
>> +     * Code to ensure our event always gets triggered when the DOM is
>> updated.
>> +     * @param obj
>> +     * @param type
>> +     * @param fn
>> +     * @source http://www.dustindiaz.com/rock-solid-addevent/
>> +     */
>> +    function addEvent( obj, type, fn ) {
>> +        if (obj.addEventListener) {
>> +            obj.addEventListener( type, fn, false );
>> +            EventCache.add(obj, type, fn);
>> +        }
>> +        else if (obj.attachEvent) {
>> +            obj["e"+type+fn] = fn;
>> +            obj[type+fn] = function() { obj["e"+type+fn]( window.event );
>> }
>> +            obj.attachEvent( "on"+type, obj[type+fn] );
>> +            EventCache.add(obj, type, fn);
>> +        }
>> +        else {
>> +            obj["on"+type] = obj["e"+type+fn];
>> +        }
>> +    }
>> +
>> +    var EventCache = function(){
>> +        var listEvents = [];
>> +        return {
>> +            listEvents : listEvents,
>> +            add : function(node, sEventName, fHandler){
>> +                listEvents.push(arguments);
>> +            },
>> +            flush : function(){
>> +                var i, item;
>> +                for(i = listEvents.length - 1; i >= 0; i = i - 1){
>> +                    item = listEvents[i];
>> +                    if(item[0].removeEventListener){
>> +                        item[0].removeEventListener(item[1], item[2],
>> item[3]);
>> +                    };
>> +                    if(item[1].substring(0, 2) != "on"){
>> +                        item[1] = "on" + item[1];
>> +                    };
>> +                    if(item[0].detachEvent){
>> +                        item[0].detachEvent(item[1], item[2]);
>> +                    };
>> +                };
>> +            }
>> +        };
>> +    }();
>> +
>> +    /** string utility functions **/
>> +    String.prototype.startsWith = function(prefix) {
>> +        return this.indexOf(prefix) === 0;
>> +    };
>> +
>> +    String.prototype.endsWith = function(suffix) {
>> +        return this.match(suffix+"$") == suffix;
>> +    };
>> +
>> +    /** hook using standards based prototype **/
>> +    function hijackStandard() {
>> +        XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
>> +        XMLHttpRequest.prototype.open = function(method, url, async,
>> user, pass) {
>> +            this.url = url;
>> +
>> +            this._open.apply(this, arguments);
>> +        };
>> +
>> +        XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
>> +        XMLHttpRequest.prototype.send = function(data) {
>> +            if(this.onsend != null) {
>> +                this.onsend.apply(this, arguments);
>> +            }
>> +
>> +            this._send.apply(this, arguments);
>> +        };
>> +    }
>> +
>> +    /** ie does not properly support prototype - wrap completely **/
>> +    function hijackExplorer() {
>> +        var _XMLHttpRequest = window.XMLHttpRequest;
>> +
>> +        function alloc_XMLHttpRequest() {
>> +            this.base = _XMLHttpRequest ? new _XMLHttpRequest : new
>> window.ActiveXObject("Microsoft.XMLHTTP");
>> +        }
>> +
>> +        function init_XMLHttpRequest() {
>> +            return new alloc_XMLHttpRequest;
>> +        }
>> +
>> +        init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype;
>> +
>> +        /** constants **/
>> +        init_XMLHttpRequest.UNSENT = 0;
>> +        init_XMLHttpRequest.OPENED = 1;
>> +        init_XMLHttpRequest.HEADERS_RECEIVED = 2;
>> +        init_XMLHttpRequest.LOADING = 3;
>> +        init_XMLHttpRequest.DONE = 4;
>> +
>> +        /** properties **/
>> +        init_XMLHttpRequest.prototype.status = 0;
>> +        init_XMLHttpRequest.prototype.statusText = "";
>> +        init_XMLHttpRequest.prototype.readyState =
>> init_XMLHttpRequest.UNSENT;
>> +        init_XMLHttpRequest.prototype.responseText = "";
>> +        init_XMLHttpRequest.prototype.responseXML = null;
>> +        init_XMLHttpRequest.prototype.onsend = null;
>> +
>> +        init_XMLHttpRequest.url = null;
>> +        init_XMLHttpRequest.onreadystatechange = null;
>> +
>> +        /** methods **/
>> +        init_XMLHttpRequest.prototype.open = function(method, url,
>> async, user, pass) {
>> +            var self = this;
>> +            this.url = url;
>> +
>> +            this.base.onreadystatechange = function() {
>> +                try { self.status = self.base.status; } catch (e) { }
>> +                try { self.statusText = self.base.statusText; } catch (e)
>> { }
>> +                try { self.readyState = self.base.readyState; } catch (e)
>> { }
>> +                try { self.responseText = self.base.responseText; }
>> catch(e) { }
>> +                try { self.responseXML = self.base.responseXML; }
>> catch(e) { }
>> +
>> +                if(self.onreadystatechange != null) {
>> +                    self.onreadystatechange.apply(this, arguments);
>> +                }
>> +            }
>> +
>> +            this.base.open(method, url, async, user, pass);
>> +        };
>> +
>> +        init_XMLHttpRequest.prototype.send = function(data) {
>> +            if(this.onsend != null) {
>> +                this.onsend.apply(this, arguments);
>> +            }
>> +
>> +            this.base.send(data);
>> +        };
>> +
>> +        init_XMLHttpRequest.prototype.abort = function() {
>> +            this.base.abort();
>> +        };
>> +
>> +        init_XMLHttpRequest.prototype.getAllResponseHeaders = function()
>> {
>> +            return this.base.getAllResponseHeaders();
>> +        };
>> +
>> +        init_XMLHttpRequest.prototype.getResponseHeader = function(name)
>> {
>> +            return this.base.getResponseHeader(name);
>> +        };
>> +
>> +        init_XMLHttpRequest.prototype.setRequestHeader = function(name,
>> value) {
>> +            return this.base.setRequestHeader(name, value);
>> +        };
>> +
>> +        /** hook **/
>> +        window.XMLHttpRequest = init_XMLHttpRequest;
>> +    }
>> +
>> +    /** check if valid domain based on domainStrict **/
>> +    function isValidDomain(current, target) {
>> +        var result = false;
>> +
>> +        /** check exact or subdomain match **/
>> +        if(current == target) {
>> +            result = true;
>> +        } else if(%DOMAIN_STRICT% == false) {
>> +            if(target.charAt(0) == '.') {
>> +                result = current.endsWith(target);
>> +            } else {
>> +                result = current.endsWith('.' + target);
>> +            }
>> +        }
>> +
>> +        return result;
>> +    }
>> +
>> +    /** determine if uri/url points to valid domain **/
>> +    function isValidUrl(src) {
>> +        var result = false;
>> +
>> +        /** parse out domain to make sure it points to our own **/
>> +        if(src.substring(0, 7) == "http://" || src.substring(0, 8) ==
>> "https://") {
>> +            var token = "://";
>> +            var index = src.indexOf(token);
>> +            var part = src.substring(index + token.length);
>> +            var domain = "";
>> +
>> +            /** parse up to end, first slash, or anchor **/
>> +            for(var i=0; i<part.length; i++) {
>> +                var character = part.charAt(i);
>> +
>> +                if(character == '/' || character == ':' || character ==
>> '#') {
>> +                    break;
>> +                } else {
>> +                    domain += character;
>> +                }
>> +            }
>> +
>> +            result = isValidDomain(document.domain, domain);
>> +            /** explicitly skip anchors **/
>> +        } else if(src.charAt(0) == '#') {
>> +            result = false;
>> +            /** ensure it is a local resource without a protocol **/
>> +        } else if(!src.startsWith("//") && (src.charAt(0) == '/' ||
>> src.indexOf(':') == -1)) {
>> +            result = true;
>> +        }
>> +
>> +        return result;
>> +    }
>> +
>> +    /** parse uri from url **/
>> +    function parseUri(url) {
>> +        var uri = "";
>> +        var token = "://";
>> +        var index = url.indexOf(token);
>> +        var part = "";
>> +
>> +        /**
>> +         * ensure to skip protocol and prepend context path for
>> non-qualified
>> +         * resources (ex: "protect.html" vs
>> +         * "/Owasp.CsrfGuard.Test/protect.html").
>> +         */
>> +        if(index > 0) {
>> +            part = url.substring(index + token.length);
>> +        } else if(url.charAt(0) != '/') {
>> +            part = "%CONTEXT_PATH%/" + url;
>> +        } else {
>> +            part = url;
>> +        }
>> +
>> +        /** parse up to end or query string **/
>> +        var uriContext = (index == -1);
>> +
>> +        for(var i=0; i<part.length; i++) {
>> +            var character = part.charAt(i);
>> +
>> +            if(character == '/') {
>> +                uriContext = true;
>> +            } else if(uriContext == true && (character == '?' ||
>> character == '#')) {
>> +                uriContext = false;
>> +                break;
>> +            }
>> +
>> +            if(uriContext == true) {
>> +                uri += character;
>> +            }
>> +        }
>> +
>> +        return uri;
>> +    }
>> +
>> +    /** inject tokens as hidden fields into forms **/
>> +    function injectTokenForm(form, tokenName, tokenValue,
>> pageTokens,injectGetForms) {
>> +
>> +        if (!injectGetForms) {
>> +            var method = form.getAttribute("method");
>> +
>> +            if ((typeof method != 'undefined') && method != null &&
>> method.toLowerCase() == "get") {
>> +                return;
>> +            }
>> +        }
>> +
>> +        var value = tokenValue;
>> +        var action = form.getAttribute("action");
>> +
>> +        if(action != null && isValidUrl(action)) {
>> +            var uri = parseUri(action);
>> +            value = pageTokens[uri] != null ? pageTokens[uri] :
>> tokenValue;
>> +        }
>> +
>> +        var hidden = document.createElement("input");
>> +
>> +        hidden.setAttribute("type", "hidden");
>> +        hidden.setAttribute("name", tokenName);
>> +        hidden.setAttribute("value", value);
>> +
>> +        form.appendChild(hidden);
>> +    }
>> +
>> +    /** inject tokens as query string parameters into url **/
>> +    function injectTokenAttribute(element, attr, tokenName, tokenValue,
>> pageTokens) {
>> +        var location = element.getAttribute(attr);
>> +
>> +        if(location != null && isValidUrl(location)) {
>> +            var uri = parseUri(location);
>> +            var value = (pageTokens[uri] != null ? pageTokens[uri] :
>> tokenValue);
>> +
>> +            if(location.indexOf('?') != -1) {
>> +                location = location + '&' + tokenName + '=' + value;
>> +            } else {
>> +                location = location + '?' + tokenName + '=' + value;
>> +            }
>> +
>> +            try {
>> +                element.setAttribute(attr, location);
>> +            } catch (e) {
>> +                // attempted to set/update unsupported attribute
>> +            }
>> +        }
>> +    }
>> +
>> +    /** inject csrf prevention tokens throughout dom **/
>> +    function injectTokens(tokenName, tokenValue) {
>> +        /** obtain reference to page tokens if enabled **/
>> +        var pageTokens = {};
>> +
>> +        if(%TOKENS_PER_PAGE% == true) {
>> +            pageTokens = requestPageTokens();
>> +        }
>> +
>> +        /** iterate over all elements and injection token **/
>> +        var all = document.all ? document.all :
>> document.getElementsByTagName('*');
>> +        var len = all.length;
>> +
>> +        //these are read from the csrf guard config file(s)
>> +        var injectForms = %INJECT_FORMS%;
>> +        var injectGetForms = %INJECT_GET_FORMS%;
>> +        var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%;
>> +        var injectAttributes = %INJECT_ATTRIBUTES%;
>> +
>> +        for(var i=0; i<len; i++) {
>> +            var element = all[i];
>> +
>> +            /** inject into form **/
>> +            if(element.tagName.toLowerCase() == "form") {
>> +                if(injectForms) {
>> +                    injectTokenForm(element, tokenName, tokenValue,
>> pageTokens,injectGetForms);
>> +                }
>> +                if (injectFormAttributes) {
>> +                    injectTokenAttribute(element, "action", tokenName,
>> tokenValue, pageTokens);
>> +                }
>> +                /** inject into attribute **/
>> +            } else if(injectAttributes) {
>> +                injectTokenAttribute(element, "src", tokenName,
>> tokenValue, pageTokens);
>> +                injectTokenAttribute(element, "href", tokenName,
>> tokenValue, pageTokens);
>> +            }
>> +        }
>> +    }
>> +
>> +    /** obtain array of page specific tokens **/
>> +    function requestPageTokens() {
>> +        var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new
>> window.ActiveXObject("Microsoft.XMLHTTP");
>> +        var pageTokens = {};
>> +
>> +        xhr.open("POST", "%SERVLET_PATH%", false);
>> +        xhr.send(null);
>> +
>> +        var text = xhr.responseText;
>> +        var name = "";
>> +        var value = "";
>> +        var nameContext = true;
>> +
>> +        for(var i=0; i<text.length; i++) {
>> +            var character = text.charAt(i);
>> +
>> +            if(character == ':') {
>> +                nameContext = false;
>> +            } else if(character != ',') {
>> +                if(nameContext == true) {
>> +                    name += character;
>> +                } else {
>> +                    value += character;
>> +                }
>> +            }
>> +
>> +            if(character == ',' || (i + 1) >= text.length) {
>> +                pageTokens[name] = value;
>> +                name = "";
>> +                value = "";
>> +                nameContext = true;
>> +            }
>> +        }
>> +
>> +        return pageTokens;
>> +    }
>> +
>> +    /**
>> +     * Only inject the tokens if the JavaScript was referenced from HTML
>> that
>> +     * was served by us. Otherwise, the code was referenced from
>> malicious HTML
>> +     * which may be trying to steal tokens using JavaScript hijacking
>> techniques.
>> +     * The token is now removed and fetched using another POST request to
>> solve,
>> +     * the token hijacking problem.
>> +     */
>> +    if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
>> +        /** optionally include Ajax support **/
>> +        if(%INJECT_XHR% == true) {
>> +            if(navigator.appName == "Microsoft Internet Explorer") {
>> +                hijackExplorer();
>> +            } else {
>> +                hijackStandard();
>> +            }
>> +
>> +        var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new
>> window.ActiveXObject("Microsoft.XMLHTTP");
>> +        var csrfToken = {};
>> +        xhr.open("POST", "%SERVLET_PATH%", false);
>> +        xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
>> +        xhr.send(null);
>> +
>> +        var token_pair = xhr.responseText;
>> +        token_pair = token_pair.split(":");
>> +        var token_name = token_pair[0];
>> +        var token_value = token_pair[1];
>> +
>> +            XMLHttpRequest.prototype.onsend = function(data) {
>> +                if(isValidUrl(this.url)) {
>> +                    this.setRequestHeader("X-Requested-With",
>> "XMLHttpRequest")
>> +                    this.setRequestHeader(token_name, token_value);
>> +                }
>> +            };
>> +        }
>> +
>> +        /** update nodes in DOM after load **/
>> +        addEvent(window,'unload',EventCache.flush);
>> +        addEvent(window,'DOMContentLoaded', function() {
>> +            injectTokens(token_name, token_value);
>> +        });
>> +    } else {
>> +        alert("OWASP CSRFGuard JavaScript was included from within an
>> unauthorized domain!");
>> +    }
>> +})();
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.js
>> ------------------------------------------------------------
>> ------------------
>>      svn:eol-style = native
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.js
>> ------------------------------------------------------------
>> ------------------
>>      svn:keywords = Date Rev Author URL Id
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.js
>> ------------------------------------------------------------
>> ------------------
>>      svn:mime-type = text/plain
>>
>> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.properties
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.
>> properties?rev=1781366&view=auto
>> ============================================================
>> ==================
>> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
>> (added)
>> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
>> Thu Feb  2 10:33:59 2017
>> @@ -0,0 +1,417 @@
>> +# The OWASP CSRFGuard Project, BSD License
>> +# Eric Sheridan ([hidden email]), Copyright (c) 2011
>> +# All rights reserved.
>> +#
>> +# Redistribution and use in source and binary forms, with or without
>> +# modification, are permitted provided that the following conditions are
>> met:
>> +#
>> +# 1. Redistributions of source code must retain the above copyright
>> notice,
>> +#    this list of conditions and the following disclaimer.
>> +# 2. Redistributions in binary form must reproduce the above copyright
>> +#    notice, this list of conditions and the following disclaimer in the
>> +#    documentation and/or other materials provided with the distribution.
>> +# 3. Neither the name of OWASP nor the names of its contributors may be
>> used
>> +#    to endorse or promote products derived from this software without
>> specific
>> +#    prior written permission.
>> +#
>> +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
>> IS"
>> +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
>> THE
>> +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>> PURPOSE
>> +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
>> BE LIABLE
>> +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>> CONSEQUENTIAL DAMAGES
>> +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
>> SERVICES;
>> +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
>> AND ON
>> +# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>> OF THIS
>> +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>> +
>> +# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/
>> csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
>> +
>> +# Common substitutions
>> +# %servletContext%  is the servlet context (e.g. the configured app
>> prefix or war file name, or blank.
>> +# e.g. if you deploy a default warfile as someApp.war, then
>> %servletContext% will be /someApp
>> +# if there isnt a context it will be the empty string.  So to use this in
>> the configuration, use e.g. %servletContext%/something.html
>> +# which will translate to e.g. /someApp/something.html
>> +
>> +# Logger
>> +#
>> +# The logger property (org.owasp.csrfguard.Logger) defines the qualified
>> class name of
>> +# the object responsible for processing all log messages produced by
>> CSRFGuard. The default
>> +# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class
>> logs all messages
>> +# to System.out which JavaEE application servers redirect to a vendor
>> specific log file.
>> +# Developers can customize the logging behavior of CSRFGuard by
>> implementing the
>> +# org.owasp.csrfguard.log.ILogger interface and setting the logger
>> property to the new
>> +# logger's qualified class name. The following configuration snippet
>> instructs OWASP CSRFGuard
>> +# to capture all log messages to the console:
>> +#
>> +# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
>> +org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
>> +
>> +# Which configuration provider factory you want to use.  The default is
>> org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
>> +# Another configuration provider has more features including config
>> overlays: org.owasp.csrfguard.config.overlay.
>> ConfigurationOverlayProviderFactory
>> +# The default configuration provider is: org.owasp.csrfguard.config.
>> overlay.ConfigurationAutodetectProviderFactory
>> +# which will look for an overlay file, it is there, and the factory
>> inside that file is set it will use it, otherwise will be
>> PropertiesConfigurationProviderFactory
>> +# it needs to implement org.owasp.csrfguard.config.
>> ConfigurationProviderFactory
>> +org.owasp.csrfguard.configuration.provider.factory =
>> org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
>> +
>> +
>> +# If csrfguard filter is enabled
>> +org.owasp.csrfguard.Enabled = false
>> +
>> +# If csrf guard filter should check even if there is no session for the
>> user
>> +# Note: this changed around 2014/04, the default behavior used to be to
>> +# not check if there is no session.  If you want the legacy behavior (if
>> your app
>> +# is not susceptible to CSRF if the user has no session), set this to
>> false
>> +org.owasp.csrfguard.ValidateWhenNoSessionExists = true
>> +
>> +# New Token Landing Page
>> +#
>> +# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage)
>> defines where
>> +# to send a user if the token is being generated for the first time, and
>> the use new token landing
>> +# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage)
>> determines if any redirect happens.
>> +# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not
>> specified, and to true
>> +# if it is specified.. If UseNewTokenLandingPage is set true then this
>> request is generated
>> +# using auto-posting forms and will only contain the CSRF prevention
>> token parameter, if
>> +# applicable. All query-string or form parameters sent with the original
>> request will be
>> +# discarded. If this property is not defined, CSRFGuard will instead
>> auto-post the user to the
>> +# original context and servlet path. The following configuration snippet
>> instructs OWASP CSRFGuard to
>> +# redirect the user to %servletContext%/index.html when the user visits a
>> protected resource
>> +# without having a corresponding CSRF token present in the HttpSession
>> object:
>> +#
>> +org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/*
>> +
>> +# Protected Methods
>> +#
>> +# The protected methods property (org.owasp.csrfguard.ProtectedMethods)
>> defines a comma
>> +# separated list of HTTP request methods that should be protected by
>> CSRFGuard. The default
>> +# list is an empty list which will cause all HTTP methods to be
>> protected, thus preserving
>> +# legacy behavior. This setting allows the user to inform CSRFGuard that
>> only requests of the
>> +# given types should be considered for protection. All HTTP methods not
>> in the list will be
>> +# considered safe (i.e. view only / unable to modify data). This should
>> be used only when the
>> +# user has concrete knowledge that all requests made via methods not in
>> the list
>> +# are safe (i.e. do not apply an action to any data) since it can
>> actually introduce new
>> +# security vulnerabilities. For example: the user thinks that all
>> actionable requests are
>> +# only available by POST requests when in fact some are available via GET
>> requests. If the
>> +# user has excluded GET requests from the list then they have introduced
>> a vulnerability.
>> +# The following configuration snippet instructs OWASP CSRFGuard to
>> protect only the POST,
>> +# PUT, and DELETE HTTP methods.
>> +#
>> +# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
>> +
>> +# or you can configure all to be protected, and specify which is
>> unprotected.  This is the preferred approach
>> +
>> +# org.owasp.csrfguard.UnprotectedMethods=GET
>> +
>> +# Unique Per-Page Tokens
>> +#
>> +# The unique token per-page property (org.owasp.csrfguard.TokenPerPage)
>> is a boolean value that
>> +# determines if CSRFGuard should make use of unique per-page (i.e. URI)
>> prevention tokens as
>> +# opposed to unique per-session prevention tokens. When a user requests a
>> protected resource,
>> +# CSRFGuard will determine if a page specific token has been previously
>> generated. If a page
>> +# specific token has not yet been previously generated, CSRFGuard will
>> verify the request was
>> +# submitted with the per-session token intact. After verifying the
>> presence of the per-session token,
>> +# CSRFGuard will create a page specific token that is required for all
>> subsequent requests to the
>> +# associated resource. The per-session CSRF token can only be used when
>> requesting a resource for
>> +# the first time. All subsequent requests must have the per-page token
>> intact or the request will
>> +# be treated as a CSRF attack. This behavior can be changed with the
>> org.owasp.csrfguard.TokenPerPagePrecreate
>> +# property. Enabling this property will make CSRFGuard calculate the per
>> page token prior to a first
>> +# visit. This option only works with JSTL token injection and is useful
>> for preserving the validity of
>> +# links if the user pushes the back button. There may be a performance
>> impact when enabling this option
>> +# if the .jsp has a large number of proctected links that need tokens to
>> be calculated.
>> +# Use of the unique token per page property is currently experimental
>> +# but provides a significant amount of improved security. Consider the
>> exposure of a CSRF token using
>> +# the legacy unique per-session model. Exposure of this token facilitates
>> the attacker's ability to
>> +# carry out a CSRF attack against the victim's active session for any
>> resource exposed by the web
>> +# application. Now consider the exposure of a CSRF token using the
>> experimental unique token per-page
>> +# model. Exposure of this token would only allow the attacker to carry
>> out a CSRF attack against the
>> +# victim's active session for a small subset of resources exposed by the
>> web application. Use of the
>> +# unique token per-page property is a strong defense in depth strategy
>> significantly reducing the
>> +# impact of exposed CSRF prevention tokens. The following configuration
>> snippet instructs OWASP
>> +# CSRFGuard to utilize the unique token per-page model:
>> +#
>> +# org.owasp.csrfguard.TokenPerPage=true
>> +# org.owasp.csrfguard.TokenPerPagePrecreate=false
>> +org.owasp.csrfguard.TokenPerPage=true
>> +org.owasp.csrfguard.TokenPerPagePrecreate=false
>> +
>> +# Token Rotation
>> +#
>> +# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean
>> value that determines if
>> +# CSRFGuard should generate and utilize a new token after verifying the
>> previous token. Rotation
>> +# helps minimize the window of opportunity an attacker has to leverage
>> the victim's stolen token
>> +# in a targeted CSRF attack. However, this functionality generally causes
>> navigation problems in
>> +# most applications. Specifically, the 'Back' button in the browser will
>> often cease to function
>> +# properly. When a user hits the 'Back' button and interacts with the
>> HTML, the browser may submit
>> +# an old token causing CSRFGuard to incorrectly believe this request is a
>> CSRF attack in progress
>> +# (i.e. a 'false positive'). Users can prevent this scenario by
>> preventing the caching of HTML pages
>> +# containing FORM submissions using the cache-control header. However,
>> this may also introduce
>> +# performance problems as the browser will have to request HTML on a more
>> frequent basis. The following
>> +# configuration snippet enables token rotation:
>> +#
>> +# org.owasp.csrfguard.Rotate=true
>> +
>> +# Ajax and XMLHttpRequest Support
>> +#
>> +# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that
>> indicates whether or not OWASP
>> +# CSRFGuard should support the injection and verification of unique
>> per-session prevention tokens for
>> +# XMLHttpRequests. To leverage Ajax support, the user must not only set
>> this property to true but must
>> +# also reference the JavaScript DOM Manipulation code using a script
>> element. This dynamic script will
>> +# override the send method of the XMLHttpRequest object to ensure the
>> submission of an X-Requested-With
>> +# header name value pair coupled with the submission of a custom header
>> name value pair for each request.
>> +# The name of the custom header is the value of the token name property
>> and the value of the header is
>> +# always the unique per-session token value. This custom header is
>> analogous to the HTTP parameter name
>> +# value pairs submitted via traditional GET and POST requests. If the
>> X-Requested-With header was sent
>> +# in the HTTP request, then CSRFGuard will look for the presence and
>> ensure the validity of the unique
>> +# per-session token in the custom header name value pair. Note that
>> verification of these headers takes
>> +# precedence over verification of the CSRF token supplied as an HTTP
>> parameter. More specifically,
>> +# CSRFGuard does not verify the presence of the CSRF token if the Ajax
>> support property is enabled and
>> +# the corresponding X-Requested-With and custom headers are embedded
>> within the request. The following
>> +# configuration snippet instructs OWASP CSRFGuard to support Ajax
>> requests by verifying the presence and
>> +# correctness of the X-Requested-With and custom headers:
>> +#
>> +# org.owasp.csrfguard.Ajax=true
>> +org.owasp.csrfguard.Ajax=true
>> +
>> +# The default behavior of CSRFGuard is to protect all pages. Pages marked
>> as unprotected will not be protected.
>> +# If the Protect property is enabled, this behavior is reversed. Pages
>> must be marked as protected to be protected.
>> +# All other pages will not be protected. This is useful when the
>> CsrfGuardFilter is aggressively mapped (ex: /*),
>> +# but you only want to protect a few pages.
>> +#
>> +# org.owasp.csrfguard.Protect=true
>> +
>> +# Unprotected Pages:
>> +#
>> +# The unprotected pages property (org.owasp.csrfguard.unprotected.*)
>> defines a series of pages that
>> +# should not be protected by CSRFGuard. Such configurations are useful
>> when the CsrfGuardFilter is
>> +# aggressively mapped (ex: /*). The syntax of the property name is
>> org.owasp.csrfguard.unprotected.[PageName],
>> +# where PageName is some arbitrary identifier that can be used to
>> reference a resource. The syntax of
>> +# defining the uri of unprotected pages is the same as the syntax used by
>> the JavaEE container for uri mapping.
>> +# Specifically, CSRFGuard will identify the first match (if any) between
>> the requested uri and an unprotected
>> +# page in order of declaration. Match criteria is as follows:
>> +#
>> +# Case 1: exact match between request uri and unprotected page
>> +# Case 2: longest path prefix match, beginning / and ending /*
>> +# Case 3: extension match, beginning *.
>> +# Case 4: if the value starts with ^ and ends with $, it will be
>> evaulated as a regex.  Note that before the
>> +#   regex is compiled, any common variables will be substituted (e.g.
>> %servletContext%)
>> +# Default: requested resource must be validated by CSRFGuard
>> +#
>> +# The following code snippet illustrates the four use cases over four
>> examples. The first two examples
>> +# (Tag and JavaScriptServlet) look for direct URI matches. The third
>> example (Html) looks for all resources
>> +# ending in a .html extension. The next example (Public) looks for all
>> resources prefixed with the URI path /MySite/Public/*.
>> +# The last example looks for resources that end in Public.do
>> +#
>> +# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
>> +# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/
>> JavaScriptServlet
>> +# org.owasp.csrfguard.unprotected.Html=*.html
>> +# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
>> +# regex example starts with ^ and ends with $, and the %servletContext%
>> is evaluated before the regex
>> +# org.owasp.csrfguard.unprotected.PublicServlet=^%
>> servletContext%/.*Public\.do$
>> +
>> +#org.owasp.csrfguard.unprotected.Default=%servletContext%/
>> +#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
>> +org.owasp.csrfguard.unprotected.JavaScriptServlet=
>> %servletContext%/control/JavaScriptServlet
>> +#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
>> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
>> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp
>> +#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
>> +#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.
>> html
>> +#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
>> +#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
>> +#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
>> +#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
>> +org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico
>> +org.owasp.csrfguard.unprotected.Session=%servletContext%/control/login/*
>> +org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp
>> +
>> +# Actions: Responding to Attacks
>> +#
>> +# The actions directive (org.owasp.csrfguard.action.*) gives the user the
>> ability to specify one or more
>> +# actions that should be invoked when a CSRF attack is detected. Every
>> action must implement the
>> +# org.owasp.csrfguard.action.IAction interface either directly or
>> indirectly through the
>> +# org.owasp.csrfguard.action.AbstractAction helper class. Many actions
>> accept parameters that can be specified
>> +# along with the action class declaration. These parameters are consumed
>> at runtime and impact the behavior of
>> +# the associated action.
>> +#
>> +# The syntax for defining and configuring CSRFGuard actions is relatively
>> straight forward. Let us assume we wish
>> +# to redirect the user to a default page when a CSRF attack is detected.
>> A redirect action already exists within
>> +# the CSRFGuard bundle and is available via the class name
>> org.owasp.csrfguard.actions.Redirect. In order to enable
>> +# this action, we capture the following declaration in the
>> Owasp.CsrfGuard.properties file:
>> +#
>> +# syntax: org.owasp.csrfguard.action.[actionName]=[className]
>> +# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.
>> csrfguard.actions.Redirect
>> +#
>> +# The aforementioned directive declares an action called "Redirect" (i.e.
>> [actionName]) referencing the Java class
>> +# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a
>> CSRF attack is detected, the Redirect action
>> +# will be executed. You may be asking yourself, "but how do I specify
>> where the user is redirected?"; this is where
>> +# action parameters come into play. In order to specify the redirect
>> location, we capture the following declaration
>> +# in the Owasp.CsrfGuard.properties file:
>> +#
>> +# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[
>> parameterValue]
>> +# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%
>> servletContext%/error.html
>> +#
>> +# The aforementioned directive declares an action parameter called
>> "ErrorPage" (i.e. [parameterName]) with the value
>> +# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action
>> "Redirect" (i.e. [actionName]). The
>> +# Redirect action expects the "ErrorPage" parameter to be defined and
>> will redirect the user to this location when
>> +# an attack is detected.
>> +#
>> +#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
>> +org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
>> +org.owasp.csrfguard.action.Log.Message=potential cross-site request
>> forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%,
>> method:%request_method%, uri:%request_uri%, error:%exception_message%)
>> +#org.owasp.csrfguard.action.Invalidate=org.owasp.
>> csrfguard.action.Invalidate
>> +#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
>> +#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
>> +#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.
>> RequestAttribute
>> +#org.owasp.csrfguard.action.RequestAttribute.
>> AttributeName=Owasp_CsrfGuard_Exception_Key
>> +#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
>> +org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.
>> SessionAttribute
>> +org.owasp.csrfguard.action.SessionAttribute.
>> AttributeName=Owasp_CsrfGuard_Exception_Key
>> +#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
>> +#org.owasp.csrfguard.action.Error.Code=403
>> +#org.owasp.csrfguard.action.Error.Message=Security violation.
>> +
>> +# Token Name
>> +#
>> +# The token name property (org.owasp.csrfguard.TokenName) defines the
>> name of the HTTP parameter
>> +# to contain the value of the OWASP CSRFGuard token for each request. The
>> following configuration
>> +# snippet sets the CSRFGuard token parameter name to the value
>> OWASP_CSRFTOKEN:
>> +#
>> +# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>> +org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>> +
>> +# Session Key
>> +#
>> +# The session key property (org.owasp.csrfguard.SessionKey) defines the
>> string literal used to save
>> +# and lookup the CSRFGuard token from the session. This value is used by
>> the filter and the tag
>> +# libraries to retrieve and set the token value in the session.
>> Developers can use this key to
>> +# programmatically lookup the token within their own code. The following
>> configuration snippet sets
>> +# the session key to the value OWASP_CSRFTOKEN:
>> +#
>> +# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>> +org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>> +
>> +# Token Length
>> +#
>> +# The token length property (org.owasp.csrfguard.TokenLength) defines
>> the number of characters that
>> +# should be found within the CSRFGuard token. Note that characters are
>> delimited by dashes (-) in groups
>> +# of four. For cosmetic reasons, users are encourage to ensure the token
>> length is divisible by four.
>> +# The following configuration snippet sets the token length property to
>> 32 characters:
>> +#
>> +# org.owasp.csrfguard.TokenLength=32
>> +org.owasp.csrfguard.TokenLength=32
>> +
>> +# Pseudo-random Number Generator
>> +#
>> +# The pseudo-random number generator property (org.owasp.csrfguard.PRNG)
>> defines what PRNG should be used
>> +# to generate the OWASP CSRFGuard token. Always ensure this value
>> references a cryptographically strong
>> +# pseudo-random number generator algorithm. The following configuration
>> snippet sets the pseudo-random number
>> +# generator to SHA1PRNG:
>> +#
>> +# org.owasp.csrfguard.PRNG=SHA1PRNG
>> +org.owasp.csrfguard.PRNG=SHA1PRNG
>> +
>> +# Pseudo-random Number Generator Provider
>> +
>> +# The pseudo-random number generator provider property
>> (org.owasp.csrfguard.PRNG.Provider) defines which
>> +# provider's implementation of org.owasp.csrfguard.PRNG we should
>> utilize. The following configuration
>> +# snippet instructs the JVM to leverage SUN's implementation of the
>> algorithm denoted by the
>> +# org.owasp.csrfguard.PRNG property:
>> +
>> +# org.owasp.csrfguard.PRNG.Provider=SUN
>> +org.owasp.csrfguard.PRNG.Provider=SUN
>> +
>> +# If not specifying the print config option in the web.xml, you can
>> specify it here, to print the config
>> +# on startup
>> +org.owasp.csrfguard.Config.Print = true
>> +
>> +###########################
>> +## Javascript servlet settings if not set in web.xml
>> +## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
>> +###########################
>> +
>> +# leave this blank and blank in web.xml and it will read from
>> META-INF/csrfguard.js from the jarfile
>> +# Denotes the location of the JavaScript template file that should be
>> consumed and dynamically
>> +# augmented by the JavaScriptServlet class. The default value is
>> WEB-INF/Owasp.CsrfGuard.js.
>> +# Use of this property and the existence of the specified template file
>> is required.
>> +#org.owasp.csrfguard.JavascriptServlet.sourceFile =
>> WEB-INF/Owasp.CsrfGuard.js
>> +org.owasp.csrfguard.JavascriptServlet.sourceFile =
>> WEB-INF/Owasp.CsrfGuard.js
>> +
>> +# Boolean value that determines whether or not the dynamic JavaScript
>> code should be strict
>> +# with regards to what links it should inject the CSRF prevention token.
>> With a value of true,
>> +# the JavaScript code will only place the token in links that point to
>> the same exact domain
>> +# from which the HTML originated. With a value of false, the JavaScript
>> code will place the
>> +# token in links that not only point to the same exact domain from which
>> the HTML originated,
>> +# but sub-domains as well.
>> +org.owasp.csrfguard.JavascriptServlet.domainStrict = true
>> +
>> +# Allows the developer to specify the value of the Cache-Control header
>> in the HTTP response
>> +# when serving the dynamic JavaScript file. The default value is private,
>> maxage=28800.
>> +# Caching of the dynamic JavaScript file is intended to minimize traffic
>> and improve performance.
>> +# Note that the Cache-Control header is always set to "no-store" when
>> either the "Rotate"
>> +# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
>> +org.owasp.csrfguard.JavascriptServlet.cacheControl = private,
>> maxage=28800
>> +
>> +# Allows the developer to specify a regular expression describing the
>> required value of the
>> +# Referer header. Any attempts to access the servlet with a Referer
>> header that does not
>> +# match the captured expression is discarded. Inclusion of referer header
>> checking is to
>> +# help minimize the risk of JavaScript Hijacking attacks that attempt to
>> steal tokens from
>> +# the dynamically generated JavaScript. While the primary defenses
>> against JavaScript
>> +# Hijacking attacks are implemented within the dynamic JavaScript itself,
>> referer header
>> +# checking is implemented to achieve defense in depth.
>> +org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
>> +
>> +# Similar to javascript servlet referer pattern, but this will make sure
>> the referer of the
>> +# javascript servlet matches the domain of the request.  If there is no
>> referer (proxy strips it?)
>> +# then it will not fail.  Generally this is a good idea to be true.
>> +org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
>> +
>> +# Boolean value that determines whether or not the dynamic JavaScript
>> code should
>> +# inject the CSRF prevention token as a hidden field into HTML forms. The
>> default
>> +# value is true. Developers are strongly discouraged from disabling this
>> property
>> +# as most server-side state changing actions are triggered via a POST
>> request.
>> +org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
>> +
>> +# if the token should be injected in GET forms (which will be on the URL)
>> +# if the HTTP method GET is unprotected, then this should likely be false
>> +org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
>> +
>> +# if the token should be injected in the action in forms
>> +# note, if injectIntoForms is true, then this might not need to be true
>> +org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
>> +
>> +
>> +# Boolean value that determines whether or not the dynamic JavaScript
>> code should
>> +# inject the CSRF prevention token in the query string of src and href
>> attributes.
>> +# Injecting the CSRF prevention token in a URL resource increases its
>> general risk
>> +# of exposure to unauthorized parties. However, most JavaEE web
>> applications respond
>> +# in the exact same manner to HTTP requests and their associated
>> parameters regardless
>> +# of the HTTP method. The risk associated with not protecting GET
>> requests in this
>> +# situation is perceived greater than the risk of exposing the token in
>> protected GET
>> +# requests. As a result, the default value of this attribute is set to
>> true. Developers
>> +# that are confident their server-side state changing controllers will
>> only respond to
>> +# POST requests (i.e. discarding GET requests) are strongly encouraged to
>> disable this property.
>> +org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
>> +
>> +
>> +org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard
>> Project
>> +
>> +###########################
>> +## Config overlay settings if you have the provider above set to
>> ConfigurationOverlayProvider
>> +## This CSRF config provider uses Internet2 Configuration Overlays
>> (documented on Internet2 wiki)
>> +## By default the configuration is read from the
>> Owasp.CsrfGuard.properties
>> +## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties
>> overlays
>> +## the base settings.  See the Owasp.CsrfGuard.properties for the possible
>> +## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
>> +###########################
>> +
>> +# comma separated config files that override each other (files on the
>> right override the left)
>> +# each should start with file: or classpath:
>> +# e.g. classpath:Owasp.CsrfGuard.properties,
>> file:c:/temp/myFile.properties
>> +org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties,
>> classpath:Owasp.CsrfGuard.overlay.properties
>> +
>> +# seconds between checking to see if the config files are updated
>> +org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
>> +
>> +
>> +###########################
>> +
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.properties
>> ------------------------------------------------------------
>> ------------------
>>      svn:eol-style = native
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.properties
>> ------------------------------------------------------------
>> ------------------
>>      svn:keywords = Date Rev Author URL Id
>>
>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>> INF/Owasp.CsrfGuard.properties
>> ------------------------------------------------------------
>> ------------------
>>      svn:mime-type = text/plain
>>
>>
>>

Reply | Threaded
Open this post in threaded view
|

Re: svn commit: r1781366 [1/3] - in /ofbiz/trunk: applications/content/widget/compdoc/ applications/content/widget/content/ applications/product/template/ applications/product/template/store/ applications/product/webapp/catalog/WEB-INF/ framework/base/src/...

Pranay Pandey-3
Thanks Gil.

Best regards,

Pranay Pandey
HotWax Systems
http://www.hotwaxsystems.com/

On Thu, Feb 2, 2017 at 6:28 PM, gil portenseigne <
[hidden email]> wrote:

> Hello Pranay,
>
> Jacques reverted it just after, he did not commited it on purpose.
>
> Regards,
>
> Gil
>
>
>
> Le 02/02/2017 à 13:52, Pranay Pandey a écrit :
>
>> ??
>>
>> Log:
>> Implemented:
>> Improved:
>> Documented:
>> Completed:
>> Reverted:
>> Fixed:
>> (OFBIZ-)
>> Explanation
>> Thanks:
>>
>> Best regards,
>>
>> Pranay Pandey
>> HotWax Systems
>> http://www.hotwaxsystems.com/
>>
>> On Thu, Feb 2, 2017 at 4:03 PM, <[hidden email]> wrote:
>>
>> Author: jleroux
>>> Date: Thu Feb  2 10:33:59 2017
>>> New Revision: 1781366
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1781366&view=rev
>>> Log:
>>> Implemented:
>>> Improved:
>>> Documented:
>>> Completed:
>>> Reverted:
>>> Fixed:
>>> (OFBIZ-)
>>> Explanation
>>> Thanks:
>>>
>>> Added:
>>>      ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.js
>>>   (with props)
>>>      ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.properties
>>>   (with props)
>>>      ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller
>>> -
>>> Copie.xml   (with props)
>>>      ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web -
>>> Copie.xml   (with props)
>>>      ofbiz/trunk/framework/webapp/config/requestHandler -
>>> Copie.properties   (with props)
>>>      ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl   (with
>>> props)
>>> Modified:
>>>      ofbiz/trunk/applications/content/widget/compdoc/
>>> CompDocTemplateTree.xml
>>>      ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>>>      ofbiz/trunk/applications/product/template/Main.ftl
>>>      ofbiz/trunk/applications/product/template/store/
>>> EditProductStoreWebSites.ftl
>>>      ofbiz/trunk/framework/base/src/main/java/org/apache/
>>> ofbiz/base/util/template/FreeMarkerWorker.java
>>>      ofbiz/trunk/framework/minilang/src/main/java/org/
>>> apache/ofbiz/minilang/method/entityops/EntityOne.java
>>>      ofbiz/trunk/framework/widget/dtd/widget-common.xsd
>>>      ofbiz/trunk/framework/widget/src/main/java/org/apache/
>>> ofbiz/widget/renderer/macro/MacroFormRenderer.java
>>>
>>> Modified: ofbiz/trunk/applications/content/widget/compdoc/
>>> CompDocTemplateTree.xml
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> content/widget/compdoc/CompDocTemplateTree.xml?rev=
>>> 1781366&r1=1781365&r2=1781366&view=diff
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/content/widget/compdoc/CompDocTempl
>>> ateTree.xml
>>> (original)
>>> +++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTempl
>>> ateTree.xml
>>> Thu Feb  2 10:33:59 2017
>>> @@ -22,7 +22,7 @@ under the License.
>>>       <tree name="CompDocTemplateTree" entity-name="Content"
>>> root-node-name="node-root"
>>>           default-render-style="simple" default-wrap-style="treeWrappe
>>> r">
>>>           <node name="node-root" wrap-style="treeWrapper">
>>> -            <entity-one entity-name="Content" use-cache="false">
>>> +            <entity-one entity-name="Content" value-field="content"
>>> use-cache="false">
>>>                   <field-map field-name="contentId"
>>> from-field="rootContentId"/>
>>>               </entity-one>
>>>               <include-screen name="rootTemplateLine"
>>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>>> @@ -54,7 +54,7 @@ under the License.
>>>               </sub-node>
>>>           </node>
>>>           <node name="node-body" join-field-name="itemContentId"
>>> entity-name="AssocRevisionItemView" wrap-style="treeWrapper">
>>> -            <entity-one entity-name="Content" use-cache="false">
>>> +            <entity-one entity-name="Content" value-field="content"
>>> use-cache="false">
>>>                   <field-map field-name="contentId"
>>> from-field="itemContentId"/>
>>>               </entity-one>
>>>               <include-screen name="childTemplateLine"
>>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>>> @@ -90,7 +90,7 @@ under the License.
>>>       <tree name="CompDocInstanceTree" entity-name="Content"
>>> root-node-name="node-root"
>>>           default-render-style="simple" default-wrap-style="treeWrappe
>>> r">
>>>           <node name="node-root">
>>> -            <entity-one entity-name="Content" use-cache="false">
>>> +            <entity-one entity-name="Content" value-field="content"
>>> use-cache="false">
>>>                   <field-map field-name="contentId"
>>> from-field="instanceContent.instanceOfContentId"/>
>>>               </entity-one>
>>>               <include-screen name="rootInstanceLine"
>>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>>> @@ -122,7 +122,7 @@ under the License.
>>>               </sub-node>
>>>           </node>
>>>           <node name="node-body" join-field-name="itemContentId"
>>> entity-name="AssocRevisionItemView">
>>> -            <entity-one entity-name="Content" use-cache="false">
>>> +            <entity-one entity-name="Content" value-field="content"
>>> use-cache="false">
>>>                   <field-map field-name="contentId"
>>> from-field="itemContentId"/>
>>>               </entity-one>
>>>               <include-screen name="childInstanceLine"
>>> location="component://content/widget/compdoc/CompDocScreens.xml"/>
>>>
>>> Modified: ofbiz/trunk/applications/content/widget/content/ContentForms
>>> .xml
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> content/widget/content/ContentForms.xml?rev=1781366&
>>> r1=1781365&r2=1781366&view=diff
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/content/widget/content/ContentForms.xml
>>> (original)
>>> +++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu
>>> Feb  2 10:33:59 2017
>>> @@ -230,9 +230,9 @@ under the License.
>>>       </form>
>>>       <!-- ContentAssoc forms -->
>>>       <form name="EditContentAssoc" target="updateContentAssoc" title=""
>>> type="single"
>>> -        header-row-style="header-row" default-table-style="basic-tab
>>> le">
>>> +        header-row-style="header-row" default-table-style="basic-table"
>>> default-entity-name="contentAssocX">
>>>           <actions>
>>> -            <entity-one entity-name="ContentAssoc" use-cache="true">
>>> +            <entity-one entity-name="ContentAssoc" use-cache="true"
>>> value-field="contentAssoc">
>>>                   <field-map field-name="contentId"
>>> from-field="contentId"/>
>>>                   <field-map field-name="contentIdTo"
>>> from-field="contentIdTo"/>
>>>                   <field-map field-name="contentAssocTypeId"
>>> from-field="
>>> contentAssocTypeId"/>
>>>
>>> Modified: ofbiz/trunk/applications/product/template/Main.ftl
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/product/template/Main.ftl (original)
>>> +++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb  2
>>> 10:33:59 2017
>>> @@ -29,6 +29,8 @@ under the License.
>>>     </form>
>>>     <div class="label">${uiLabelMap.CommonOr}: <a
>>> href="<@ofbizUrl>EditProdCatalog</@ofbizUrl>"
>>> class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div>
>>>     <br />
>>> +<p>Output format: ${.output_format}
>>> +<p>Auto-escaping: ${.auto_esc?c}
>>>     <div class="label">${uiLabelMap.ProductEditCategoryWithCategor
>>> yId}:</div>
>>>     <form method="post" action="<@ofbizUrl>EditCategory</@ofbizUrl>"
>>> style="margin: 0;" name="EditCategoryForm">
>>>       <@htmlTemplate.lookupField name="productCategoryId"
>>> id="productCategoryId" formName="EditCategoryForm" fieldFormName="
>>> LookupProductCategory"/>
>>>
>>> Modified: ofbiz/trunk/applications/product/template/store/
>>> EditProductStoreWebSites.ftl
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> product/template/store/EditProductStoreWebSites.ftl?
>>> rev=1781366&r1=1781365&r2=1781366&view=diff
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/product/template/store/EditProductS
>>> toreWebSites.ftl
>>> (original)
>>> +++ ofbiz/trunk/applications/product/template/store/EditProductS
>>> toreWebSites.ftl
>>> Thu Feb  2 10:33:59 2017
>>> @@ -37,12 +37,7 @@ under the License.
>>>                     <td>${webSite.httpHost?default('&nbsp;')}</td>
>>>                     <td>${webSite.httpPort?default('&nbsp;')}</td>
>>>                     <td align="center">
>>> -                    <a href="javascript:document.
>>> storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${
>>> uiLabelMap.CommonDelete}</a>
>>> -                    <form name="storeUpdateWebSite_${webSite_index}"
>>> method="post" action="<@ofbizUrl>storeUpdateWebSite</@ofbizUrl>">
>>> -                        <input type="hidden" name="viewProductStoreId"
>>> value="${productStoreId}"/>
>>> -                        <input type="hidden" name="productStoreId"
>>> value=""/>
>>> -                        <input type="hidden" name="webSiteId"
>>> value="${webSite.webSiteId}"/>
>>> -                    </form>
>>> +                    <a href="<@ofbizUrl>storeUpdateWebSite?
>>> viewProductStoreId=${productStoreId}&productStoreId=&webSiteId=${
>>> webSite.webSiteId}</@ofbizUrl>" class="buttontext">${
>>> uiLabelMap.CommonDelete}</a>
>>>                     </td>
>>>                   </tr>
>>>                   <#-- toggle the row color -->
>>>
>>> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.js
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.js
>>> (added)
>>> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.js
>>> Thu Feb  2 10:33:59 2017
>>> @@ -0,0 +1,447 @@
>>> +/**
>>> + * The OWASP CSRFGuard Project, BSD License
>>> + * Eric Sheridan ([hidden email]), Copyright (c) 2011
>>> + * All rights reserved.
>>> + *
>>> + * Redistribution and use in source and binary forms, with or without
>>> + * modification, are permitted provided that the following conditions
>>> are
>>> met:
>>> + *
>>> + *    1. Redistributions of source code must retain the above copyright
>>> notice,
>>> + *       this list of conditions and the following disclaimer.
>>> + *    2. Redistributions in binary form must reproduce the above
>>> copyright
>>> + *       notice, this list of conditions and the following disclaimer in
>>> the
>>> + *       documentation and/or other materials provided with the
>>> distribution.
>>> + *    3. Neither the name of OWASP nor the names of its contributors may
>>> be used
>>> + *       to endorse or promote products derived from this software
>>> without specific
>>> + *       prior written permission.
>>> + *
>>> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>>> "AS IS"
>>> + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
>>> THE
>>> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>>> PURPOSE
>>> + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
>>> CONTRIBUTORS
>>> BE LIABLE
>>> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>>> CONSEQUENTIAL DAMAGES
>>> + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
>>> SERVICES;
>>> + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
>>> CAUSED AND ON
>>> + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
>>> TORT
>>> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>>> OF THIS
>>> + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>>> + */
>>> +(function() {
>>> +    /**
>>> +     * Code to ensure our event always gets triggered when the DOM is
>>> updated.
>>> +     * @param obj
>>> +     * @param type
>>> +     * @param fn
>>> +     * @source http://www.dustindiaz.com/rock-solid-addevent/
>>> +     */
>>> +    function addEvent( obj, type, fn ) {
>>> +        if (obj.addEventListener) {
>>> +            obj.addEventListener( type, fn, false );
>>> +            EventCache.add(obj, type, fn);
>>> +        }
>>> +        else if (obj.attachEvent) {
>>> +            obj["e"+type+fn] = fn;
>>> +            obj[type+fn] = function() { obj["e"+type+fn]( window.event
>>> );
>>> }
>>> +            obj.attachEvent( "on"+type, obj[type+fn] );
>>> +            EventCache.add(obj, type, fn);
>>> +        }
>>> +        else {
>>> +            obj["on"+type] = obj["e"+type+fn];
>>> +        }
>>> +    }
>>> +
>>> +    var EventCache = function(){
>>> +        var listEvents = [];
>>> +        return {
>>> +            listEvents : listEvents,
>>> +            add : function(node, sEventName, fHandler){
>>> +                listEvents.push(arguments);
>>> +            },
>>> +            flush : function(){
>>> +                var i, item;
>>> +                for(i = listEvents.length - 1; i >= 0; i = i - 1){
>>> +                    item = listEvents[i];
>>> +                    if(item[0].removeEventListener){
>>> +                        item[0].removeEventListener(item[1], item[2],
>>> item[3]);
>>> +                    };
>>> +                    if(item[1].substring(0, 2) != "on"){
>>> +                        item[1] = "on" + item[1];
>>> +                    };
>>> +                    if(item[0].detachEvent){
>>> +                        item[0].detachEvent(item[1], item[2]);
>>> +                    };
>>> +                };
>>> +            }
>>> +        };
>>> +    }();
>>> +
>>> +    /** string utility functions **/
>>> +    String.prototype.startsWith = function(prefix) {
>>> +        return this.indexOf(prefix) === 0;
>>> +    };
>>> +
>>> +    String.prototype.endsWith = function(suffix) {
>>> +        return this.match(suffix+"$") == suffix;
>>> +    };
>>> +
>>> +    /** hook using standards based prototype **/
>>> +    function hijackStandard() {
>>> +        XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
>>> +        XMLHttpRequest.prototype.open = function(method, url, async,
>>> user, pass) {
>>> +            this.url = url;
>>> +
>>> +            this._open.apply(this, arguments);
>>> +        };
>>> +
>>> +        XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
>>> +        XMLHttpRequest.prototype.send = function(data) {
>>> +            if(this.onsend != null) {
>>> +                this.onsend.apply(this, arguments);
>>> +            }
>>> +
>>> +            this._send.apply(this, arguments);
>>> +        };
>>> +    }
>>> +
>>> +    /** ie does not properly support prototype - wrap completely **/
>>> +    function hijackExplorer() {
>>> +        var _XMLHttpRequest = window.XMLHttpRequest;
>>> +
>>> +        function alloc_XMLHttpRequest() {
>>> +            this.base = _XMLHttpRequest ? new _XMLHttpRequest : new
>>> window.ActiveXObject("Microsoft.XMLHTTP");
>>> +        }
>>> +
>>> +        function init_XMLHttpRequest() {
>>> +            return new alloc_XMLHttpRequest;
>>> +        }
>>> +
>>> +        init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype;
>>> +
>>> +        /** constants **/
>>> +        init_XMLHttpRequest.UNSENT = 0;
>>> +        init_XMLHttpRequest.OPENED = 1;
>>> +        init_XMLHttpRequest.HEADERS_RECEIVED = 2;
>>> +        init_XMLHttpRequest.LOADING = 3;
>>> +        init_XMLHttpRequest.DONE = 4;
>>> +
>>> +        /** properties **/
>>> +        init_XMLHttpRequest.prototype.status = 0;
>>> +        init_XMLHttpRequest.prototype.statusText = "";
>>> +        init_XMLHttpRequest.prototype.readyState =
>>> init_XMLHttpRequest.UNSENT;
>>> +        init_XMLHttpRequest.prototype.responseText = "";
>>> +        init_XMLHttpRequest.prototype.responseXML = null;
>>> +        init_XMLHttpRequest.prototype.onsend = null;
>>> +
>>> +        init_XMLHttpRequest.url = null;
>>> +        init_XMLHttpRequest.onreadystatechange = null;
>>> +
>>> +        /** methods **/
>>> +        init_XMLHttpRequest.prototype.open = function(method, url,
>>> async, user, pass) {
>>> +            var self = this;
>>> +            this.url = url;
>>> +
>>> +            this.base.onreadystatechange = function() {
>>> +                try { self.status = self.base.status; } catch (e) { }
>>> +                try { self.statusText = self.base.statusText; } catch
>>> (e)
>>> { }
>>> +                try { self.readyState = self.base.readyState; } catch
>>> (e)
>>> { }
>>> +                try { self.responseText = self.base.responseText; }
>>> catch(e) { }
>>> +                try { self.responseXML = self.base.responseXML; }
>>> catch(e) { }
>>> +
>>> +                if(self.onreadystatechange != null) {
>>> +                    self.onreadystatechange.apply(this, arguments);
>>> +                }
>>> +            }
>>> +
>>> +            this.base.open(method, url, async, user, pass);
>>> +        };
>>> +
>>> +        init_XMLHttpRequest.prototype.send = function(data) {
>>> +            if(this.onsend != null) {
>>> +                this.onsend.apply(this, arguments);
>>> +            }
>>> +
>>> +            this.base.send(data);
>>> +        };
>>> +
>>> +        init_XMLHttpRequest.prototype.abort = function() {
>>> +            this.base.abort();
>>> +        };
>>> +
>>> +        init_XMLHttpRequest.prototype.getAllResponseHeaders =
>>> function()
>>> {
>>> +            return this.base.getAllResponseHeaders();
>>> +        };
>>> +
>>> +        init_XMLHttpRequest.prototype.getResponseHeader =
>>> function(name)
>>> {
>>> +            return this.base.getResponseHeader(name);
>>> +        };
>>> +
>>> +        init_XMLHttpRequest.prototype.setRequestHeader = function(name,
>>> value) {
>>> +            return this.base.setRequestHeader(name, value);
>>> +        };
>>> +
>>> +        /** hook **/
>>> +        window.XMLHttpRequest = init_XMLHttpRequest;
>>> +    }
>>> +
>>> +    /** check if valid domain based on domainStrict **/
>>> +    function isValidDomain(current, target) {
>>> +        var result = false;
>>> +
>>> +        /** check exact or subdomain match **/
>>> +        if(current == target) {
>>> +            result = true;
>>> +        } else if(%DOMAIN_STRICT% == false) {
>>> +            if(target.charAt(0) == '.') {
>>> +                result = current.endsWith(target);
>>> +            } else {
>>> +                result = current.endsWith('.' + target);
>>> +            }
>>> +        }
>>> +
>>> +        return result;
>>> +    }
>>> +
>>> +    /** determine if uri/url points to valid domain **/
>>> +    function isValidUrl(src) {
>>> +        var result = false;
>>> +
>>> +        /** parse out domain to make sure it points to our own **/
>>> +        if(src.substring(0, 7) == "http://" || src.substring(0, 8) ==
>>> "https://") {
>>> +            var token = "://";
>>> +            var index = src.indexOf(token);
>>> +            var part = src.substring(index + token.length);
>>> +            var domain = "";
>>> +
>>> +            /** parse up to end, first slash, or anchor **/
>>> +            for(var i=0; i<part.length; i++) {
>>> +                var character = part.charAt(i);
>>> +
>>> +                if(character == '/' || character == ':' || character ==
>>> '#') {
>>> +                    break;
>>> +                } else {
>>> +                    domain += character;
>>> +                }
>>> +            }
>>> +
>>> +            result = isValidDomain(document.domain, domain);
>>> +            /** explicitly skip anchors **/
>>> +        } else if(src.charAt(0) == '#') {
>>> +            result = false;
>>> +            /** ensure it is a local resource without a protocol **/
>>> +        } else if(!src.startsWith("//") && (src.charAt(0) == '/' ||
>>> src.indexOf(':') == -1)) {
>>> +            result = true;
>>> +        }
>>> +
>>> +        return result;
>>> +    }
>>> +
>>> +    /** parse uri from url **/
>>> +    function parseUri(url) {
>>> +        var uri = "";
>>> +        var token = "://";
>>> +        var index = url.indexOf(token);
>>> +        var part = "";
>>> +
>>> +        /**
>>> +         * ensure to skip protocol and prepend context path for
>>> non-qualified
>>> +         * resources (ex: "protect.html" vs
>>> +         * "/Owasp.CsrfGuard.Test/protect.html").
>>> +         */
>>> +        if(index > 0) {
>>> +            part = url.substring(index + token.length);
>>> +        } else if(url.charAt(0) != '/') {
>>> +            part = "%CONTEXT_PATH%/" + url;
>>> +        } else {
>>> +            part = url;
>>> +        }
>>> +
>>> +        /** parse up to end or query string **/
>>> +        var uriContext = (index == -1);
>>> +
>>> +        for(var i=0; i<part.length; i++) {
>>> +            var character = part.charAt(i);
>>> +
>>> +            if(character == '/') {
>>> +                uriContext = true;
>>> +            } else if(uriContext == true && (character == '?' ||
>>> character == '#')) {
>>> +                uriContext = false;
>>> +                break;
>>> +            }
>>> +
>>> +            if(uriContext == true) {
>>> +                uri += character;
>>> +            }
>>> +        }
>>> +
>>> +        return uri;
>>> +    }
>>> +
>>> +    /** inject tokens as hidden fields into forms **/
>>> +    function injectTokenForm(form, tokenName, tokenValue,
>>> pageTokens,injectGetForms) {
>>> +
>>> +        if (!injectGetForms) {
>>> +            var method = form.getAttribute("method");
>>> +
>>> +            if ((typeof method != 'undefined') && method != null &&
>>> method.toLowerCase() == "get") {
>>> +                return;
>>> +            }
>>> +        }
>>> +
>>> +        var value = tokenValue;
>>> +        var action = form.getAttribute("action");
>>> +
>>> +        if(action != null && isValidUrl(action)) {
>>> +            var uri = parseUri(action);
>>> +            value = pageTokens[uri] != null ? pageTokens[uri] :
>>> tokenValue;
>>> +        }
>>> +
>>> +        var hidden = document.createElement("input");
>>> +
>>> +        hidden.setAttribute("type", "hidden");
>>> +        hidden.setAttribute("name", tokenName);
>>> +        hidden.setAttribute("value", value);
>>> +
>>> +        form.appendChild(hidden);
>>> +    }
>>> +
>>> +    /** inject tokens as query string parameters into url **/
>>> +    function injectTokenAttribute(element, attr, tokenName, tokenValue,
>>> pageTokens) {
>>> +        var location = element.getAttribute(attr);
>>> +
>>> +        if(location != null && isValidUrl(location)) {
>>> +            var uri = parseUri(location);
>>> +            var value = (pageTokens[uri] != null ? pageTokens[uri] :
>>> tokenValue);
>>> +
>>> +            if(location.indexOf('?') != -1) {
>>> +                location = location + '&' + tokenName + '=' + value;
>>> +            } else {
>>> +                location = location + '?' + tokenName + '=' + value;
>>> +            }
>>> +
>>> +            try {
>>> +                element.setAttribute(attr, location);
>>> +            } catch (e) {
>>> +                // attempted to set/update unsupported attribute
>>> +            }
>>> +        }
>>> +    }
>>> +
>>> +    /** inject csrf prevention tokens throughout dom **/
>>> +    function injectTokens(tokenName, tokenValue) {
>>> +        /** obtain reference to page tokens if enabled **/
>>> +        var pageTokens = {};
>>> +
>>> +        if(%TOKENS_PER_PAGE% == true) {
>>> +            pageTokens = requestPageTokens();
>>> +        }
>>> +
>>> +        /** iterate over all elements and injection token **/
>>> +        var all = document.all ? document.all :
>>> document.getElementsByTagName('*');
>>> +        var len = all.length;
>>> +
>>> +        //these are read from the csrf guard config file(s)
>>> +        var injectForms = %INJECT_FORMS%;
>>> +        var injectGetForms = %INJECT_GET_FORMS%;
>>> +        var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%;
>>> +        var injectAttributes = %INJECT_ATTRIBUTES%;
>>> +
>>> +        for(var i=0; i<len; i++) {
>>> +            var element = all[i];
>>> +
>>> +            /** inject into form **/
>>> +            if(element.tagName.toLowerCase() == "form") {
>>> +                if(injectForms) {
>>> +                    injectTokenForm(element, tokenName, tokenValue,
>>> pageTokens,injectGetForms);
>>> +                }
>>> +                if (injectFormAttributes) {
>>> +                    injectTokenAttribute(element, "action", tokenName,
>>> tokenValue, pageTokens);
>>> +                }
>>> +                /** inject into attribute **/
>>> +            } else if(injectAttributes) {
>>> +                injectTokenAttribute(element, "src", tokenName,
>>> tokenValue, pageTokens);
>>> +                injectTokenAttribute(element, "href", tokenName,
>>> tokenValue, pageTokens);
>>> +            }
>>> +        }
>>> +    }
>>> +
>>> +    /** obtain array of page specific tokens **/
>>> +    function requestPageTokens() {
>>> +        var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest :
>>> new
>>> window.ActiveXObject("Microsoft.XMLHTTP");
>>> +        var pageTokens = {};
>>> +
>>> +        xhr.open("POST", "%SERVLET_PATH%", false);
>>> +        xhr.send(null);
>>> +
>>> +        var text = xhr.responseText;
>>> +        var name = "";
>>> +        var value = "";
>>> +        var nameContext = true;
>>> +
>>> +        for(var i=0; i<text.length; i++) {
>>> +            var character = text.charAt(i);
>>> +
>>> +            if(character == ':') {
>>> +                nameContext = false;
>>> +            } else if(character != ',') {
>>> +                if(nameContext == true) {
>>> +                    name += character;
>>> +                } else {
>>> +                    value += character;
>>> +                }
>>> +            }
>>> +
>>> +            if(character == ',' || (i + 1) >= text.length) {
>>> +                pageTokens[name] = value;
>>> +                name = "";
>>> +                value = "";
>>> +                nameContext = true;
>>> +            }
>>> +        }
>>> +
>>> +        return pageTokens;
>>> +    }
>>> +
>>> +    /**
>>> +     * Only inject the tokens if the JavaScript was referenced from HTML
>>> that
>>> +     * was served by us. Otherwise, the code was referenced from
>>> malicious HTML
>>> +     * which may be trying to steal tokens using JavaScript hijacking
>>> techniques.
>>> +     * The token is now removed and fetched using another POST request
>>> to
>>> solve,
>>> +     * the token hijacking problem.
>>> +     */
>>> +    if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
>>> +        /** optionally include Ajax support **/
>>> +        if(%INJECT_XHR% == true) {
>>> +            if(navigator.appName == "Microsoft Internet Explorer") {
>>> +                hijackExplorer();
>>> +            } else {
>>> +                hijackStandard();
>>> +            }
>>> +
>>> +        var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest :
>>> new
>>> window.ActiveXObject("Microsoft.XMLHTTP");
>>> +        var csrfToken = {};
>>> +        xhr.open("POST", "%SERVLET_PATH%", false);
>>> +        xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
>>> +        xhr.send(null);
>>> +
>>> +        var token_pair = xhr.responseText;
>>> +        token_pair = token_pair.split(":");
>>> +        var token_name = token_pair[0];
>>> +        var token_value = token_pair[1];
>>> +
>>> +            XMLHttpRequest.prototype.onsend = function(data) {
>>> +                if(isValidUrl(this.url)) {
>>> +                    this.setRequestHeader("X-Requested-With",
>>> "XMLHttpRequest")
>>> +                    this.setRequestHeader(token_name, token_value);
>>> +                }
>>> +            };
>>> +        }
>>> +
>>> +        /** update nodes in DOM after load **/
>>> +        addEvent(window,'unload',EventCache.flush);
>>> +        addEvent(window,'DOMContentLoaded', function() {
>>> +            injectTokens(token_name, token_value);
>>> +        });
>>> +    } else {
>>> +        alert("OWASP CSRFGuard JavaScript was included from within an
>>> unauthorized domain!");
>>> +    }
>>> +})();
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.js
>>> ------------------------------------------------------------
>>> ------------------
>>>      svn:eol-style = native
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.js
>>> ------------------------------------------------------------
>>> ------------------
>>>      svn:keywords = Date Rev Author URL Id
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.js
>>> ------------------------------------------------------------
>>> ------------------
>>>      svn:mime-type = text/plain
>>>
>>> Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.properties
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/
>>> product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.
>>> properties?rev=1781366&view=auto
>>> ============================================================
>>> ==================
>>> --- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.properties
>>> (added)
>>> +++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/
>>> Owasp.CsrfGuard.properties
>>> Thu Feb  2 10:33:59 2017
>>> @@ -0,0 +1,417 @@
>>> +# The OWASP CSRFGuard Project, BSD License
>>> +# Eric Sheridan ([hidden email]), Copyright (c) 2011
>>> +# All rights reserved.
>>> +#
>>> +# Redistribution and use in source and binary forms, with or without
>>> +# modification, are permitted provided that the following conditions are
>>> met:
>>> +#
>>> +# 1. Redistributions of source code must retain the above copyright
>>> notice,
>>> +#    this list of conditions and the following disclaimer.
>>> +# 2. Redistributions in binary form must reproduce the above copyright
>>> +#    notice, this list of conditions and the following disclaimer in the
>>> +#    documentation and/or other materials provided with the
>>> distribution.
>>> +# 3. Neither the name of OWASP nor the names of its contributors may be
>>> used
>>> +#    to endorse or promote products derived from this software without
>>> specific
>>> +#    prior written permission.
>>> +#
>>> +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
>>> "AS
>>> IS"
>>> +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
>>> THE
>>> +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>>> PURPOSE
>>> +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
>>> BE LIABLE
>>> +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>>> CONSEQUENTIAL DAMAGES
>>> +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
>>> SERVICES;
>>> +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
>>> CAUSED
>>> AND ON
>>> +# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
>>> TORT
>>> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
>>> OF THIS
>>> +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>>> +
>>> +# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/
>>> csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
>>> +
>>> +# Common substitutions
>>> +# %servletContext%  is the servlet context (e.g. the configured app
>>> prefix or war file name, or blank.
>>> +# e.g. if you deploy a default warfile as someApp.war, then
>>> %servletContext% will be /someApp
>>> +# if there isnt a context it will be the empty string.  So to use this
>>> in
>>> the configuration, use e.g. %servletContext%/something.html
>>> +# which will translate to e.g. /someApp/something.html
>>> +
>>> +# Logger
>>> +#
>>> +# The logger property (org.owasp.csrfguard.Logger) defines the qualified
>>> class name of
>>> +# the object responsible for processing all log messages produced by
>>> CSRFGuard. The default
>>> +# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class
>>> logs all messages
>>> +# to System.out which JavaEE application servers redirect to a vendor
>>> specific log file.
>>> +# Developers can customize the logging behavior of CSRFGuard by
>>> implementing the
>>> +# org.owasp.csrfguard.log.ILogger interface and setting the logger
>>> property to the new
>>> +# logger's qualified class name. The following configuration snippet
>>> instructs OWASP CSRFGuard
>>> +# to capture all log messages to the console:
>>> +#
>>> +# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
>>> +org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
>>> +
>>> +# Which configuration provider factory you want to use.  The default is
>>> org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
>>> +# Another configuration provider has more features including config
>>> overlays: org.owasp.csrfguard.config.overlay.
>>> ConfigurationOverlayProviderFactory
>>> +# The default configuration provider is: org.owasp.csrfguard.config.
>>> overlay.ConfigurationAutodetectProviderFactory
>>> +# which will look for an overlay file, it is there, and the factory
>>> inside that file is set it will use it, otherwise will be
>>> PropertiesConfigurationProviderFactory
>>> +# it needs to implement org.owasp.csrfguard.config.
>>> ConfigurationProviderFactory
>>> +org.owasp.csrfguard.configuration.provider.factory =
>>> org.owasp.csrfguard.config.overlay.ConfigurationAutodetectPr
>>> oviderFactory
>>> +
>>> +
>>> +# If csrfguard filter is enabled
>>> +org.owasp.csrfguard.Enabled = false
>>> +
>>> +# If csrf guard filter should check even if there is no session for the
>>> user
>>> +# Note: this changed around 2014/04, the default behavior used to be to
>>> +# not check if there is no session.  If you want the legacy behavior (if
>>> your app
>>> +# is not susceptible to CSRF if the user has no session), set this to
>>> false
>>> +org.owasp.csrfguard.ValidateWhenNoSessionExists = true
>>> +
>>> +# New Token Landing Page
>>> +#
>>> +# The new token landing page property (org.owasp.csrfguard.NewTokenL
>>> andingPage)
>>> defines where
>>> +# to send a user if the token is being generated for the first time, and
>>> the use new token landing
>>> +# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage)
>>> determines if any redirect happens.
>>> +# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not
>>> specified, and to true
>>> +# if it is specified.. If UseNewTokenLandingPage is set true then this
>>> request is generated
>>> +# using auto-posting forms and will only contain the CSRF prevention
>>> token parameter, if
>>> +# applicable. All query-string or form parameters sent with the original
>>> request will be
>>> +# discarded. If this property is not defined, CSRFGuard will instead
>>> auto-post the user to the
>>> +# original context and servlet path. The following configuration snippet
>>> instructs OWASP CSRFGuard to
>>> +# redirect the user to %servletContext%/index.html when the user visits
>>> a
>>> protected resource
>>> +# without having a corresponding CSRF token present in the HttpSession
>>> object:
>>> +#
>>> +org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/
>>> control/login/*
>>> +
>>> +# Protected Methods
>>> +#
>>> +# The protected methods property (org.owasp.csrfguard.ProtectedMethods)
>>> defines a comma
>>> +# separated list of HTTP request methods that should be protected by
>>> CSRFGuard. The default
>>> +# list is an empty list which will cause all HTTP methods to be
>>> protected, thus preserving
>>> +# legacy behavior. This setting allows the user to inform CSRFGuard that
>>> only requests of the
>>> +# given types should be considered for protection. All HTTP methods not
>>> in the list will be
>>> +# considered safe (i.e. view only / unable to modify data). This should
>>> be used only when the
>>> +# user has concrete knowledge that all requests made via methods not in
>>> the list
>>> +# are safe (i.e. do not apply an action to any data) since it can
>>> actually introduce new
>>> +# security vulnerabilities. For example: the user thinks that all
>>> actionable requests are
>>> +# only available by POST requests when in fact some are available via
>>> GET
>>> requests. If the
>>> +# user has excluded GET requests from the list then they have introduced
>>> a vulnerability.
>>> +# The following configuration snippet instructs OWASP CSRFGuard to
>>> protect only the POST,
>>> +# PUT, and DELETE HTTP methods.
>>> +#
>>> +# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
>>> +
>>> +# or you can configure all to be protected, and specify which is
>>> unprotected.  This is the preferred approach
>>> +
>>> +# org.owasp.csrfguard.UnprotectedMethods=GET
>>> +
>>> +# Unique Per-Page Tokens
>>> +#
>>> +# The unique token per-page property (org.owasp.csrfguard.TokenPerPage)
>>> is a boolean value that
>>> +# determines if CSRFGuard should make use of unique per-page (i.e. URI)
>>> prevention tokens as
>>> +# opposed to unique per-session prevention tokens. When a user requests
>>> a
>>> protected resource,
>>> +# CSRFGuard will determine if a page specific token has been previously
>>> generated. If a page
>>> +# specific token has not yet been previously generated, CSRFGuard will
>>> verify the request was
>>> +# submitted with the per-session token intact. After verifying the
>>> presence of the per-session token,
>>> +# CSRFGuard will create a page specific token that is required for all
>>> subsequent requests to the
>>> +# associated resource. The per-session CSRF token can only be used when
>>> requesting a resource for
>>> +# the first time. All subsequent requests must have the per-page token
>>> intact or the request will
>>> +# be treated as a CSRF attack. This behavior can be changed with the
>>> org.owasp.csrfguard.TokenPerPagePrecreate
>>> +# property. Enabling this property will make CSRFGuard calculate the per
>>> page token prior to a first
>>> +# visit. This option only works with JSTL token injection and is useful
>>> for preserving the validity of
>>> +# links if the user pushes the back button. There may be a performance
>>> impact when enabling this option
>>> +# if the .jsp has a large number of proctected links that need tokens to
>>> be calculated.
>>> +# Use of the unique token per page property is currently experimental
>>> +# but provides a significant amount of improved security. Consider the
>>> exposure of a CSRF token using
>>> +# the legacy unique per-session model. Exposure of this token
>>> facilitates
>>> the attacker's ability to
>>> +# carry out a CSRF attack against the victim's active session for any
>>> resource exposed by the web
>>> +# application. Now consider the exposure of a CSRF token using the
>>> experimental unique token per-page
>>> +# model. Exposure of this token would only allow the attacker to carry
>>> out a CSRF attack against the
>>> +# victim's active session for a small subset of resources exposed by the
>>> web application. Use of the
>>> +# unique token per-page property is a strong defense in depth strategy
>>> significantly reducing the
>>> +# impact of exposed CSRF prevention tokens. The following configuration
>>> snippet instructs OWASP
>>> +# CSRFGuard to utilize the unique token per-page model:
>>> +#
>>> +# org.owasp.csrfguard.TokenPerPage=true
>>> +# org.owasp.csrfguard.TokenPerPagePrecreate=false
>>> +org.owasp.csrfguard.TokenPerPage=true
>>> +org.owasp.csrfguard.TokenPerPagePrecreate=false
>>> +
>>> +# Token Rotation
>>> +#
>>> +# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean
>>> value that determines if
>>> +# CSRFGuard should generate and utilize a new token after verifying the
>>> previous token. Rotation
>>> +# helps minimize the window of opportunity an attacker has to leverage
>>> the victim's stolen token
>>> +# in a targeted CSRF attack. However, this functionality generally
>>> causes
>>> navigation problems in
>>> +# most applications. Specifically, the 'Back' button in the browser will
>>> often cease to function
>>> +# properly. When a user hits the 'Back' button and interacts with the
>>> HTML, the browser may submit
>>> +# an old token causing CSRFGuard to incorrectly believe this request is
>>> a
>>> CSRF attack in progress
>>> +# (i.e. a 'false positive'). Users can prevent this scenario by
>>> preventing the caching of HTML pages
>>> +# containing FORM submissions using the cache-control header. However,
>>> this may also introduce
>>> +# performance problems as the browser will have to request HTML on a
>>> more
>>> frequent basis. The following
>>> +# configuration snippet enables token rotation:
>>> +#
>>> +# org.owasp.csrfguard.Rotate=true
>>> +
>>> +# Ajax and XMLHttpRequest Support
>>> +#
>>> +# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that
>>> indicates whether or not OWASP
>>> +# CSRFGuard should support the injection and verification of unique
>>> per-session prevention tokens for
>>> +# XMLHttpRequests. To leverage Ajax support, the user must not only set
>>> this property to true but must
>>> +# also reference the JavaScript DOM Manipulation code using a script
>>> element. This dynamic script will
>>> +# override the send method of the XMLHttpRequest object to ensure the
>>> submission of an X-Requested-With
>>> +# header name value pair coupled with the submission of a custom header
>>> name value pair for each request.
>>> +# The name of the custom header is the value of the token name property
>>> and the value of the header is
>>> +# always the unique per-session token value. This custom header is
>>> analogous to the HTTP parameter name
>>> +# value pairs submitted via traditional GET and POST requests. If the
>>> X-Requested-With header was sent
>>> +# in the HTTP request, then CSRFGuard will look for the presence and
>>> ensure the validity of the unique
>>> +# per-session token in the custom header name value pair. Note that
>>> verification of these headers takes
>>> +# precedence over verification of the CSRF token supplied as an HTTP
>>> parameter. More specifically,
>>> +# CSRFGuard does not verify the presence of the CSRF token if the Ajax
>>> support property is enabled and
>>> +# the corresponding X-Requested-With and custom headers are embedded
>>> within the request. The following
>>> +# configuration snippet instructs OWASP CSRFGuard to support Ajax
>>> requests by verifying the presence and
>>> +# correctness of the X-Requested-With and custom headers:
>>> +#
>>> +# org.owasp.csrfguard.Ajax=true
>>> +org.owasp.csrfguard.Ajax=true
>>> +
>>> +# The default behavior of CSRFGuard is to protect all pages. Pages
>>> marked
>>> as unprotected will not be protected.
>>> +# If the Protect property is enabled, this behavior is reversed. Pages
>>> must be marked as protected to be protected.
>>> +# All other pages will not be protected. This is useful when the
>>> CsrfGuardFilter is aggressively mapped (ex: /*),
>>> +# but you only want to protect a few pages.
>>> +#
>>> +# org.owasp.csrfguard.Protect=true
>>> +
>>> +# Unprotected Pages:
>>> +#
>>> +# The unprotected pages property (org.owasp.csrfguard.unprotected.*)
>>> defines a series of pages that
>>> +# should not be protected by CSRFGuard. Such configurations are useful
>>> when the CsrfGuardFilter is
>>> +# aggressively mapped (ex: /*). The syntax of the property name is
>>> org.owasp.csrfguard.unprotected.[PageName],
>>> +# where PageName is some arbitrary identifier that can be used to
>>> reference a resource. The syntax of
>>> +# defining the uri of unprotected pages is the same as the syntax used
>>> by
>>> the JavaEE container for uri mapping.
>>> +# Specifically, CSRFGuard will identify the first match (if any) between
>>> the requested uri and an unprotected
>>> +# page in order of declaration. Match criteria is as follows:
>>> +#
>>> +# Case 1: exact match between request uri and unprotected page
>>> +# Case 2: longest path prefix match, beginning / and ending /*
>>> +# Case 3: extension match, beginning *.
>>> +# Case 4: if the value starts with ^ and ends with $, it will be
>>> evaulated as a regex.  Note that before the
>>> +#   regex is compiled, any common variables will be substituted (e.g.
>>> %servletContext%)
>>> +# Default: requested resource must be validated by CSRFGuard
>>> +#
>>> +# The following code snippet illustrates the four use cases over four
>>> examples. The first two examples
>>> +# (Tag and JavaScriptServlet) look for direct URI matches. The third
>>> example (Html) looks for all resources
>>> +# ending in a .html extension. The next example (Public) looks for all
>>> resources prefixed with the URI path /MySite/Public/*.
>>> +# The last example looks for resources that end in Public.do
>>> +#
>>> +# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
>>> +# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/
>>> JavaScriptServlet
>>> +# org.owasp.csrfguard.unprotected.Html=*.html
>>> +# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
>>> +# regex example starts with ^ and ends with $, and the %servletContext%
>>> is evaluated before the regex
>>> +# org.owasp.csrfguard.unprotected.PublicServlet=^%
>>> servletContext%/.*Public\.do$
>>> +
>>> +#org.owasp.csrfguard.unprotected.Default=%servletContext%/
>>> +#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
>>> +org.owasp.csrfguard.unprotected.JavaScriptServlet=
>>> %servletContext%/control/JavaScriptServlet
>>> +#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
>>> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
>>> +#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp
>>> +#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
>>> +#org.owasp.csrfguard.unprotected.JavaScript=%servletContext
>>> %/javascript.
>>> html
>>> +#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
>>> +#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
>>> +#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
>>> +#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
>>> +org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico
>>> +org.owasp.csrfguard.unprotected.Session=%servletContext%/
>>> control/login/*
>>> +org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp
>>> +
>>> +# Actions: Responding to Attacks
>>> +#
>>> +# The actions directive (org.owasp.csrfguard.action.*) gives the user
>>> the
>>> ability to specify one or more
>>> +# actions that should be invoked when a CSRF attack is detected. Every
>>> action must implement the
>>> +# org.owasp.csrfguard.action.IAction interface either directly or
>>> indirectly through the
>>> +# org.owasp.csrfguard.action.AbstractAction helper class. Many actions
>>> accept parameters that can be specified
>>> +# along with the action class declaration. These parameters are consumed
>>> at runtime and impact the behavior of
>>> +# the associated action.
>>> +#
>>> +# The syntax for defining and configuring CSRFGuard actions is
>>> relatively
>>> straight forward. Let us assume we wish
>>> +# to redirect the user to a default page when a CSRF attack is detected.
>>> A redirect action already exists within
>>> +# the CSRFGuard bundle and is available via the class name
>>> org.owasp.csrfguard.actions.Redirect. In order to enable
>>> +# this action, we capture the following declaration in the
>>> Owasp.CsrfGuard.properties file:
>>> +#
>>> +# syntax: org.owasp.csrfguard.action.[actionName]=[className]
>>> +# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.
>>> csrfguard.actions.Redirect
>>> +#
>>> +# The aforementioned directive declares an action called "Redirect"
>>> (i.e.
>>> [actionName]) referencing the Java class
>>> +# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a
>>> CSRF attack is detected, the Redirect action
>>> +# will be executed. You may be asking yourself, "but how do I specify
>>> where the user is redirected?"; this is where
>>> +# action parameters come into play. In order to specify the redirect
>>> location, we capture the following declaration
>>> +# in the Owasp.CsrfGuard.properties file:
>>> +#
>>> +# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[
>>> parameterValue]
>>> +# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%
>>> servletContext%/error.html
>>> +#
>>> +# The aforementioned directive declares an action parameter called
>>> "ErrorPage" (i.e. [parameterName]) with the value
>>> +# of "%servletContext%/error.html" (i.e. [parameterValue]) for the
>>> action
>>> "Redirect" (i.e. [actionName]). The
>>> +# Redirect action expects the "ErrorPage" parameter to be defined and
>>> will redirect the user to this location when
>>> +# an attack is detected.
>>> +#
>>> +#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
>>> +org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
>>> +org.owasp.csrfguard.action.Log.Message=potential cross-site request
>>> forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%,
>>> method:%request_method%, uri:%request_uri%, error:%exception_message%)
>>> +#org.owasp.csrfguard.action.Invalidate=org.owasp.
>>> csrfguard.action.Invalidate
>>> +#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.ac
>>> tion.Redirect
>>> +#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
>>> +#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrf
>>> guard.action.
>>> RequestAttribute
>>> +#org.owasp.csrfguard.action.RequestAttribute.
>>> AttributeName=Owasp_CsrfGuard_Exception_Key
>>> +#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
>>> +org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.
>>> SessionAttribute
>>> +org.owasp.csrfguard.action.SessionAttribute.
>>> AttributeName=Owasp_CsrfGuard_Exception_Key
>>> +#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
>>> +#org.owasp.csrfguard.action.Error.Code=403
>>> +#org.owasp.csrfguard.action.Error.Message=Security violation.
>>> +
>>> +# Token Name
>>> +#
>>> +# The token name property (org.owasp.csrfguard.TokenName) defines the
>>> name of the HTTP parameter
>>> +# to contain the value of the OWASP CSRFGuard token for each request.
>>> The
>>> following configuration
>>> +# snippet sets the CSRFGuard token parameter name to the value
>>> OWASP_CSRFTOKEN:
>>> +#
>>> +# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>>> +org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
>>> +
>>> +# Session Key
>>> +#
>>> +# The session key property (org.owasp.csrfguard.SessionKey) defines the
>>> string literal used to save
>>> +# and lookup the CSRFGuard token from the session. This value is used by
>>> the filter and the tag
>>> +# libraries to retrieve and set the token value in the session.
>>> Developers can use this key to
>>> +# programmatically lookup the token within their own code. The following
>>> configuration snippet sets
>>> +# the session key to the value OWASP_CSRFTOKEN:
>>> +#
>>> +# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>>> +org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
>>> +
>>> +# Token Length
>>> +#
>>> +# The token length property (org.owasp.csrfguard.TokenLength) defines
>>> the number of characters that
>>> +# should be found within the CSRFGuard token. Note that characters are
>>> delimited by dashes (-) in groups
>>> +# of four. For cosmetic reasons, users are encourage to ensure the token
>>> length is divisible by four.
>>> +# The following configuration snippet sets the token length property to
>>> 32 characters:
>>> +#
>>> +# org.owasp.csrfguard.TokenLength=32
>>> +org.owasp.csrfguard.TokenLength=32
>>> +
>>> +# Pseudo-random Number Generator
>>> +#
>>> +# The pseudo-random number generator property (org.owasp.csrfguard.PRNG)
>>> defines what PRNG should be used
>>> +# to generate the OWASP CSRFGuard token. Always ensure this value
>>> references a cryptographically strong
>>> +# pseudo-random number generator algorithm. The following configuration
>>> snippet sets the pseudo-random number
>>> +# generator to SHA1PRNG:
>>> +#
>>> +# org.owasp.csrfguard.PRNG=SHA1PRNG
>>> +org.owasp.csrfguard.PRNG=SHA1PRNG
>>> +
>>> +# Pseudo-random Number Generator Provider
>>> +
>>> +# The pseudo-random number generator provider property
>>> (org.owasp.csrfguard.PRNG.Provider) defines which
>>> +# provider's implementation of org.owasp.csrfguard.PRNG we should
>>> utilize. The following configuration
>>> +# snippet instructs the JVM to leverage SUN's implementation of the
>>> algorithm denoted by the
>>> +# org.owasp.csrfguard.PRNG property:
>>> +
>>> +# org.owasp.csrfguard.PRNG.Provider=SUN
>>> +org.owasp.csrfguard.PRNG.Provider=SUN
>>> +
>>> +# If not specifying the print config option in the web.xml, you can
>>> specify it here, to print the config
>>> +# on startup
>>> +org.owasp.csrfguard.Config.Print = true
>>> +
>>> +###########################
>>> +## Javascript servlet settings if not set in web.xml
>>> +## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
>>> +###########################
>>> +
>>> +# leave this blank and blank in web.xml and it will read from
>>> META-INF/csrfguard.js from the jarfile
>>> +# Denotes the location of the JavaScript template file that should be
>>> consumed and dynamically
>>> +# augmented by the JavaScriptServlet class. The default value is
>>> WEB-INF/Owasp.CsrfGuard.js.
>>> +# Use of this property and the existence of the specified template file
>>> is required.
>>> +#org.owasp.csrfguard.JavascriptServlet.sourceFile =
>>> WEB-INF/Owasp.CsrfGuard.js
>>> +org.owasp.csrfguard.JavascriptServlet.sourceFile =
>>> WEB-INF/Owasp.CsrfGuard.js
>>> +
>>> +# Boolean value that determines whether or not the dynamic JavaScript
>>> code should be strict
>>> +# with regards to what links it should inject the CSRF prevention token.
>>> With a value of true,
>>> +# the JavaScript code will only place the token in links that point to
>>> the same exact domain
>>> +# from which the HTML originated. With a value of false, the JavaScript
>>> code will place the
>>> +# token in links that not only point to the same exact domain from which
>>> the HTML originated,
>>> +# but sub-domains as well.
>>> +org.owasp.csrfguard.JavascriptServlet.domainStrict = true
>>> +
>>> +# Allows the developer to specify the value of the Cache-Control header
>>> in the HTTP response
>>> +# when serving the dynamic JavaScript file. The default value is
>>> private,
>>> maxage=28800.
>>> +# Caching of the dynamic JavaScript file is intended to minimize traffic
>>> and improve performance.
>>> +# Note that the Cache-Control header is always set to "no-store" when
>>> either the "Rotate"
>>> +# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
>>> +org.owasp.csrfguard.JavascriptServlet.cacheControl = private,
>>> maxage=28800
>>> +
>>> +# Allows the developer to specify a regular expression describing the
>>> required value of the
>>> +# Referer header. Any attempts to access the servlet with a Referer
>>> header that does not
>>> +# match the captured expression is discarded. Inclusion of referer
>>> header
>>> checking is to
>>> +# help minimize the risk of JavaScript Hijacking attacks that attempt to
>>> steal tokens from
>>> +# the dynamically generated JavaScript. While the primary defenses
>>> against JavaScript
>>> +# Hijacking attacks are implemented within the dynamic JavaScript
>>> itself,
>>> referer header
>>> +# checking is implemented to achieve defense in depth.
>>> +org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
>>> +
>>> +# Similar to javascript servlet referer pattern, but this will make sure
>>> the referer of the
>>> +# javascript servlet matches the domain of the request.  If there is no
>>> referer (proxy strips it?)
>>> +# then it will not fail.  Generally this is a good idea to be true.
>>> +org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
>>> +
>>> +# Boolean value that determines whether or not the dynamic JavaScript
>>> code should
>>> +# inject the CSRF prevention token as a hidden field into HTML forms.
>>> The
>>> default
>>> +# value is true. Developers are strongly discouraged from disabling this
>>> property
>>> +# as most server-side state changing actions are triggered via a POST
>>> request.
>>> +org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
>>> +
>>> +# if the token should be injected in GET forms (which will be on the
>>> URL)
>>> +# if the HTTP method GET is unprotected, then this should likely be
>>> false
>>> +org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
>>> +
>>> +# if the token should be injected in the action in forms
>>> +# note, if injectIntoForms is true, then this might not need to be true
>>> +org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
>>> +
>>> +
>>> +# Boolean value that determines whether or not the dynamic JavaScript
>>> code should
>>> +# inject the CSRF prevention token in the query string of src and href
>>> attributes.
>>> +# Injecting the CSRF prevention token in a URL resource increases its
>>> general risk
>>> +# of exposure to unauthorized parties. However, most JavaEE web
>>> applications respond
>>> +# in the exact same manner to HTTP requests and their associated
>>> parameters regardless
>>> +# of the HTTP method. The risk associated with not protecting GET
>>> requests in this
>>> +# situation is perceived greater than the risk of exposing the token in
>>> protected GET
>>> +# requests. As a result, the default value of this attribute is set to
>>> true. Developers
>>> +# that are confident their server-side state changing controllers will
>>> only respond to
>>> +# POST requests (i.e. discarding GET requests) are strongly encouraged
>>> to
>>> disable this property.
>>> +org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
>>> +
>>> +
>>> +org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard
>>> Project
>>> +
>>> +###########################
>>> +## Config overlay settings if you have the provider above set to
>>> ConfigurationOverlayProvider
>>> +## This CSRF config provider uses Internet2 Configuration Overlays
>>> (documented on Internet2 wiki)
>>> +## By default the configuration is read from the
>>> Owasp.CsrfGuard.properties
>>> +## (which should not be edited), and the Owasp.CsrfGuard.overlay.proper
>>> ties
>>> overlays
>>> +## the base settings.  See the Owasp.CsrfGuard.properties for the
>>> possible
>>> +## settings that can be applied to the Owasp.CsrfGuard.overlay.proper
>>> ties
>>> +###########################
>>> +
>>> +# comma separated config files that override each other (files on the
>>> right override the left)
>>> +# each should start with file: or classpath:
>>> +# e.g. classpath:Owasp.CsrfGuard.properties,
>>> file:c:/temp/myFile.properties
>>> +org.owasp.csrfguard.configOverlay.hierarchy =
>>> classpath:Owasp.CsrfGuard.properties,
>>> classpath:Owasp.CsrfGuard.overlay.properties
>>> +
>>> +# seconds between checking to see if the config files are updated
>>> +org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
>>> +
>>> +
>>> +###########################
>>> +
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.properties
>>> ------------------------------------------------------------
>>> ------------------
>>>      svn:eol-style = native
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.properties
>>> ------------------------------------------------------------
>>> ------------------
>>>      svn:keywords = Date Rev Author URL Id
>>>
>>> Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-
>>> INF/Owasp.CsrfGuard.properties
>>> ------------------------------------------------------------
>>> ------------------
>>>      svn:mime-type = text/plain
>>>
>>>
>>>
>>>
>