Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri, orderview for example.
Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 7/06/2010, at 7:02 PM, [hidden email] wrote:

> Author: jleroux
> Date: Mon Jun 7 07:02:02 2010
> New Revision: 952119
>
> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
> Log:
> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action (ie DB modification)
>
> Modified:
> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>
> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original)
> +++ ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun 7 07:02:02 2010
> @@ -215,7 +215,12 @@ under the License. > <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field> > <field name="amount"><display type="currency" currency="${currencyUomId}"/></field> > <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field> > - <field name="acctgTransId"><hyperlink description="${acctgTransId}" target="EditAcctgTrans?acctgTransId=${acctgTransId}&organizationPartyId=${organizationPartyId}"/></field> > + <field name="acctgTransId"> > + <hyperlink description="${acctgTransId}" target="EditAcctgTrans"> > + <parameter param-name="acctgTransId" from-field="acctgTransId"/> > + <parameter param-name="organizationPartyId" from-field="organizationPartyId"/> > + </hyperlink> > + </field> > <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity entity-name="AcctgTransType"/></field> > <field name="glJournalId" title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal" description="${glJournalName}"/></field> > <field name="glAccountTypeId" title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field> > > Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original) > +++ ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun 7 07:02:02 2010 
> @@ -50,7 +50,9 @@ under the License. > <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/> > <field name="paymentGatewayConfigId"><hidden/></field> > <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}"> > - <hyperlink description="${description}" target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> > + <hyperlink description="${description}" target="EditPaymentGatewayConfig"> > + <parameter param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/> > + </hyperlink> > </field> > <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}"> > <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId" description="${description}"/> > @@ -385,7 +387,9 @@ under the License. > <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/> > <field name="paymentGatewayConfigTypeId"><hidden/></field> > <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}"> > - <hyperlink description="${description}" target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> > + <hyperlink description="${description}" target="EditPaymentGatewayConfigType"> > + <parameter param-name="paymentGatewayConfigTypeId" from-field="paymentGatewayConfigTypeId"/> > + </hyperlink> > </field> > </form> > > > Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original) > +++ ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun 7 07:02:02 2010 
> @@ -199,7 +199,9 @@ under the License. > <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title="" target="BulkAddProducts" > paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext" default-widget-style="inputBox" default-tooltip-style="tabletext"> > <field name="productId" title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> > - <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/> > + <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app"> > + <parameter param-name="productId" from-field="productId"/> > + </hyperlink> > </field> > <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field> > <field name="internalName"><display/></field> > > Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original) > +++ ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun 7 07:02:02 2010 
> @@ -287,7 +287,9 @@ under the License. > <field name="communicationEventId"><display/></field> > <field name="contactListId" use-when="contactListId!=null"> > <display-entity entity-name="ContactList" description="${contactListName}"> > - <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}" description="[${communicationEvent.contactListId}]" target-type="inter-app"/> > + <sub-hyperlink target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app"> > + <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/> > + </sub-hyperlink> > </display-entity> > </field> > <field name="partyIdFrom" use-when=""my"==void" title="${uiLabelMap.PartyPartyFrom}"> > @@ -470,7 +472,9 @@ under the License. > </service> > </actions> > <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}"> > - <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/> > + <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app"> > + <parameter param-name="orderId" from-field="orderId"/> > + </hyperlink> > </field> > <field name="communicationEventId"> > <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent"> 
> @@ -1022,7 +1026,9 @@ under the License. > <set field="orderTypeId" from-field="orderHeader.orderTypeId"/> > </row-actions> > <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext"> > - <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/> > + <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app"> > + <parameter param-name="orderId" from-field="orderId"/> > + </hyperlink> > </field> > <field name="communicationEventId"><hidden/></field> > <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}"> > > Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) > +++ ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun 7 07:02:02 2010 
> @@ -1997,7 +1997,9 @@ under the License. > > <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row" default-table-style="basic-table"> > <field name="communicationEventId" widget-style="buttontext"> > - <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> > + <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> > + <parameter param-name="communicationEventId" from-field="communicationEventId"/> > + </hyperlink> > </field> > <field name="subject"><display/></field> > <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType" key-field-name="communicationEventTypeId"/></field> > > Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) > +++ ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun 7 07:02:02 2010 
> @@ -50,7 +50,9 @@ under the License. > <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/> > <field name="shipmentGatewayConfigId"><hidden/></field> > <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}"> > - <hyperlink description="${description}" target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> > + <hyperlink description="${description}" target="EditShipmentGatewayConfig"> > + <parameter param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> > + </hyperlink> > </field> > <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}"> > <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId" description="${description}"/> > @@ -313,7 +315,9 @@ under the License. > <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/> > <field name="shipmentGatewayConfTypeId"><hidden/></field> > <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}"> > - <hyperlink description="${description}" target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> > + <hyperlink description="${description}" target="EditShipmentGatewayConfigType"> > + <parameter param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> > + </hyperlink> > </field> > </form> > > > Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) > +++ ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun 7 07:02:02 2010 
> @@ -340,7 +340,9 @@ > <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field> > <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time type="date"/></field> > <field name="edit" title=" "> > - <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/> > + <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}> > + <parameter param-name="workEffortId" from-field="workEffortId}"/> > + </hyperlink> > </field> > <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field> > </form>
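Review bot: the ProjectForms.xml hunk (@@ -340,7 +340,9 @@) has misplaced braces on both added lines that make the file invalid XML: `description="${uiLabelMap.CommonEdit"}` leaves the closing `}` outside the attribute quotes, and `from-field="workEffortId}"` carries a stray `}` inside the value. They should read `description="${uiLabelMap.CommonEdit}"` and `from-field="workEffortId"`; as committed the form file will not parse, so this needs a follow-up commit.

Review bot: the two orderview hunks in CommunicationEventForms.xml (@@ -470,7 +472,9 @@ and @@ -1022,7 +1026,9 @@) fall outside the rule the log message itself states, which is to use parameters only where the target performs an action (DB modification): orderview is a view of the order with no event behind the request, so the change is harmless but is not a security fix, and the log message should not describe it as one. The same check (does the controller request-map for the target run an event?) applies to the Edit* targets in the other hunks before they are described as secured.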
On second look there were no targets in this commit that needed to be secured.
Regards
Scott

On 7/06/2010, at 7:18 PM, Scott Gray wrote:

> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri, orderview for example.
>
> Regards
> Scott
>
> HotWax Media
> http://www.hotwaxmedia.com
>
> On 7/06/2010, at 7:02 PM, [hidden email] wrote:
>
>> Author: jleroux
>> Date: Mon Jun 7 07:02:02 2010
>> New Revision: 952119
>>
>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>> Log:
>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action (ie DB modification)
>>
>> Modified:
>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right. Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o).

I think I should not care anymore, because if we let some get through they will be detected and signaled as to be reported as a child of OFBIZ-2330 (even if they don't use FTL, but I did not check that either; I suppose it's right since for one year now we got any new issue).

One worry less, great!

Jacques

Scott Gray wrote:
> On second look there were no targets in this commit that needed to be secured.
>
> Regards
> Scott
>
> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>
>> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri, orderview for example.
>>
>> Regards
>> Scott
>>
>> HotWax Media
>> http://www.hotwaxmedia.com
>>
>> On 7/06/2010, at 7:02 PM, [hidden email] wrote:
>>
>>> Author: jleroux
>>> Date: Mon Jun 7 07:02:02 2010
>>> New Revision: 952119
>>>
>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>> Log:
>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action (ie DB modification)
>>>
>>> Modified:
>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
@@ -287,7 +287,9 @@ under >>> the License. <field name="communicationEventId"><display/></field> >>> <field name="contactListId" use-when="contactListId!=null"> >>> <display-entity entity-name="ContactList" description="${contactListName}"> >>> - <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}" >>> description="[${communicationEvent.contactListId}]" target-type="inter-app"/> + <sub-hyperlink >>> target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app"> + >>> <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/> + </sub-hyperlink> >>> </display-entity> >>> </field> >>> <field name="partyIdFrom" use-when=""my"==void" title="${uiLabelMap.PartyPartyFrom}"> >>> @@ -470,7 +472,9 @@ under the License. >>> </service> >>> </actions> >>> <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}"> >>> - <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" >>> target-type="inter-app"/> + <hyperlink target="/ordermgr/control/orderview" description="${orderId}" >>> target-type="inter-app"> + <parameter param-name="orderId" from-field="orderId"/> >>> + </hyperlink> >>> </field> >>> <field name="communicationEventId"> >>> <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent"> 
>>> @@ -1022,7 +1026,9 @@ under the License. >>> <set field="orderTypeId" from-field="orderHeader.orderTypeId"/> >>> </row-actions> >>> <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext"> >>> - <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" >>> target-type="inter-app"/> + <hyperlink target="/ordermgr/control/orderview" description="${orderId}" >>> target-type="inter-app"> + <parameter param-name="orderId" from-field="orderId"/> >>> + </hyperlink> >>> </field> >>> <field name="communicationEventId"><hidden/></field> >>> <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}"> >>> >>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++ >>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun 7 07:02:02 2010 
@@ -1997,7 +1997,9 @@ under the >>> License. >>> >>> <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row" >>> default-table-style="basic-table"> <field name="communicationEventId" widget-style="buttontext"> >>> - <hyperlink description="${communicationEventId}" >>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> + >>> <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> + >>> <parameter param-name="communicationEventId" from-field="communicationEventId"/> + </hyperlink> >>> </field> >>> <field name="subject"><display/></field> >>> <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType" >>> key-field-name="communicationEventTypeId"/></field> >>> >>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) +++ >>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun 7 07:02:02 2010 
@@ -50,7 +50,9 @@ >>> under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/> >>> <field name="shipmentGatewayConfigId"><hidden/></field> >>> <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}"> >>> - <hyperlink description="${description}" >>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> + <hyperlink >>> description="${description}" target="EditShipmentGatewayConfig"> + <parameter >>> param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> + </hyperlink> >>> </field> >>> <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}"> >>> <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId" >>> description="${description}"/> 
@@ -313,7 +315,9 @@ under the License. >>> <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/> >>> <field name="shipmentGatewayConfTypeId"><hidden/></field> >>> <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}"> >>> - <hyperlink description="${description}" >>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> + <hyperlink >>> description="${description}" target="EditShipmentGatewayConfigType"> + <parameter >>> param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> + </hyperlink> >>> </field> >>> </form> >>> >>> >>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) +++ >>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun 7 07:02:02 2010 @@ -340,7 +340,9 @@ >>> <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field> >>> <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time >>> type="date"/></field> <field name="edit" title=" "> >>> - <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/> >>> + <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}> >>> + <parameter param-name="workEffortId" from-field="workEffortId}"/> >>> + </hyperlink> >>> </field> >>> <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field> >>> </form> |
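Review bot: EditAcctgTrans in the InvoiceForms.xml hunk (@@ -215) should be checked against the controller request-map before the link is converted: the parameter form only buys anything when the target runs an event that modifies the database, and, as the thread itself concedes, a target named Edit* may be nothing more than a screen. For a view-only target the rewrite turns a bookmarkable GET into the POST Scott describes, with no security gain and the "submit the form again?" prompt on the back button. The same check applies to the EditPaymentGatewayConfig, EditPaymentGatewayConfigType, EditProductInventoryItems, EditContactList, EditCommunicationEvent, EditShipmentGatewayConfig and EditShipmentGatewayConfigType hunks, which all follow the same pattern.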
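Review bot: /ordermgr/control/orderview in the CommunicationEventForms.xml hunks @@ -470 and @@ -1022 is a read-only view request with no event attached (Scott's point in the thread), so neither hunk needed securing; converting it to parameter elements only costs the back-button behaviour and bookmarkability. Suggest keeping these two as plain `target="/ordermgr/control/orderview?orderId=${orderId}"` links.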
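Review bot: the added lines in the ProjectForms.xml hunk (@@ -340) are not well-formed: `description="${uiLabelMap.CommonEdit"}>` closes the attribute value before the `}`, leaving a stray `}` inside the tag, and `from-field="workEffortId}"` carries a trailing `}` that would be read as part of the field name, so the workEffortId parameter would never be filled. They should read `description="${uiLabelMap.CommonEdit}"` and `from-field="workEffortId"`. This looks like the regex search/replace matching the `}` in the wrong place; running the modified widget files through an XML parser before committing would have caught it.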
Hi Jacques,
In a small way it does hurt because whenever we use "post" instead of "get" the user will be prompted "do you want to submit the form again?" when they click the back button on the browser to go back to one of those screens.

But yeah, I wouldn't rely on searching alone unless you are willing to check each target before altering it.

Regards
Scott

On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:

> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.
>
> Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care anymore. Because if we let some get through they will be detected and signaled as to be reported as a child of OFBIZ-2330 (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)
>
> One worry less, great!
>
> Jacques
>
> Scott Gray wrote:
>> On second look there were no targets in this commit that needed to be secured.
>>
>> Regards
>> Scott
>>
>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>>
>>> Quite a few of those links don't actually look like they needed to be secured, i.e. there is no event attached to that uri, orderview for example.
>>>
>>> Regards
>>> Scott
>>>
>>> HotWax Media
>>> http://www.hotwaxmedia.com
>>>
>>> On 7/06/2010, at 7:02 PM, [hidden email] wrote:
>>>
>>>> Author: jleroux
>>>> Date: Mon Jun 7 07:02:02 2010
>>>> New Revision: 952119
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>>> Log:
>>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action (ie DB modification)
>>>>
>>>> Modified:
>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
Ha well, I did not think about that, thanks!

I revert...

Jacques

Scott Gray wrote:
> Hi Jacques,
>
> In a small way it does hurt because whenever we use "post" instead of "get" the user will be prompted "do you want to submit the form again?" when they click the back button on the browser to go back to one of those screens.
>
> But yeah, I wouldn't rely on searching alone unless you are willing to check each target before altering it.
>
> Regards
> Scott
>
> On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:
>
>> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.
>>
>> Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care anymore. Because if we let some get through they will be detected and signaled as to be reported as a child of OFBIZ-2330 (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)
>>
>> One worry less, great!
>>
>> Jacques
>>
>> Scott Gray wrote:
>>> On second look there were no targets in this commit that needed to be secured.
>>>
>>> Regards
>>> Scott
>>>
>>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>>>
>>>> Quite a few of those links don't actually look like they needed to be secured, i.e. there is no event attached to that uri, orderview for example.
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> HotWax Media
>>>> http://www.hotwaxmedia.com
>>>>
>>>> On 7/06/2010, at 7:02 PM, [hidden email] wrote:
>>>>
>>>>> Author: jleroux
>>>>> Date: Mon Jun 7 07:02:02 2010
>>>>> New Revision: 952119
>>>>>
>>>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>>>> Log:
>>>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action (ie DB modification)
>>>>>
>>>>> Modified:
>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
@@ -1997,7 +1997,9 @@ under the >>>>> License. >>>>> >>>>> <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row" >>>>> default-table-style="basic-table"> <field name="communicationEventId" widget-style="buttontext"> >>>>> - <hyperlink description="${communicationEventId}" >>>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> + >>>>> <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> + >>>>> <parameter param-name="communicationEventId" from-field="communicationEventId"/> + </hyperlink> >>>>> </field> >>>>> <field name="subject"><display/></field> >>>>> <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType" >>>>> key-field-name="communicationEventTypeId"/></field> >>>>> >>>>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml >>>>> URL: >>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>>>> ============================================================================== --- >>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) +++ >>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun 7 07:02:02 2010 
@@ -50,7 +50,9 @@ >>>>> under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/> >>>>> <field name="shipmentGatewayConfigId"><hidden/></field> >>>>> <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}"> >>>>> - <hyperlink description="${description}" >>>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> + <hyperlink >>>>> description="${description}" target="EditShipmentGatewayConfig"> + <parameter >>>>> param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> + </hyperlink> >>>>> </field> >>>>> <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}"> >>>>> <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId" >>>>> description="${description}"/> 
@@ -313,7 +315,9 @@ under the License. >>>>> <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/> >>>>> <field name="shipmentGatewayConfTypeId"><hidden/></field> >>>>> <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}"> >>>>> - <hyperlink description="${description}" >>>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> + <hyperlink >>>>> description="${description}" target="EditShipmentGatewayConfigType"> + <parameter >>>>> param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> + </hyperlink> >>>>> </field> >>>>> </form> >>>>> >>>>> >>>>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml >>>>> URL: >>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>>>> ============================================================================== --- >>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) +++ >>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun 7 07:02:02 2010 @@ -340,7 +340,9 @@ >>>>> <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field> >>>>> <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time >>>>> type="date"/></field> <field name="edit" title=" "> >>>>> - <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/> >>>>> + <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}> >>>>> + <parameter param-name="workEffortId" from-field="workEffortId}"/> >>>>> + </hyperlink> >>>>> </field> >>>>> <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field> >>>>> </form> |
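Review bot: for the PaymentGatewayConfigForms.xml hunk at @@ -385,7 +387,9 @@ (and likewise the EditPaymentGatewayConfig, EditShipmentGatewayConfig, EditShipmentGatewayConfigType and EditTask hunks), an "Edit" prefix in the target name is not evidence that the request runs an event, and the log message's own rule restricts the `<parameter>` form to links that perform an action (a DB modification). Before moving a parameter out of the URL, confirm that an event is attached to the target URI in the controller's request-map; the search-and-replace described in this thread matched on names only, and the thread itself concludes that none of these targets needed securing, so the hunk should be reverted rather than kept as a harmless no-op.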
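Review bot: in the OrderEntryForms.xml hunk at @@ -199,7 +199,9 @@ the converted hyperlink sits inside `<form name="LookupAssociatedProducts" type="multi" use-row-submit="true" ... target="BulkAddProducts">` and points at an inter-app target (`target-type="inter-app"`, /catalog/control/EditProductInventoryItems). Two things to verify before keeping it: that EditProductInventoryItems actually has an event attached (the thread concludes it does not, so the change is unneeded), and that a hyperlink carrying `<parameter>` children inside a row-submit multi form is not rendered as a form of its own nested in the list form, which would break the row submit for that column.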
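Review bot: the two orderview hunks in CommunicationEventForms.xml (@@ -470,7 +472,9 @@ and @@ -1022,7 +1026,9 @@) change links to a view-only request, which the log message's rule explicitly excludes. As the thread notes, no event is attached to orderview, so `target="/ordermgr/control/orderview?orderId=${orderId}"` should stay a plain GET link: the parameter form gains no protection for a read-only screen and, as also raised in this thread, costs users a "submit the form again?" prompt when they use the browser back button.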
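Review bot: the ProjectForms.xml hunk at @@ -340,7 +340,9 @@ is malformed XML: in `<hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>` the attribute value is closed before the `}` and a stray `}` is left outside the quotes, and `from-field="workEffortId}"` carries the `}` inside the field name. The added lines should read `description="${uiLabelMap.CommonEdit}"` and `from-field="workEffortId"`, matching the other hunks; as committed the widget file will not parse, so the file should be loaded once before commit, which is the kind of slip a regex search-and-replace produces.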
Thanks Jacques
Regards
Scott

On 7/06/2010, at 9:15 PM, Jacques Le Roux wrote:
> Ha well, I did not think about that, thanks!
>
> I revert...
>
> Jacques
>
> Scott Gray wrote:
>> Hi Jacques,
>>
>> In a small way it does hurt because whenever we use "post" instead of "get" the user will be prompted "do you want to submit the form again?" when they click the back button on the browser to go back to one of those screens.
>>
>> But yeah I wouldn't rely on searching alone unless you are willing to check each target before altering it.
>>
>> Regards
>> Scott
>>
>> On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:
>>
>>> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.
>>>
>>> Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care anymore. Because if we let some get through they will be detected and signaled as to be reported as a child of OFBIZ-2330 (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)
>>>
>>> One worry less, great!
>>>
>>> Jacques
>>>
>>> Scott Gray wrote:
>>>> On second look there were no targets in this commit that needed to be secured.
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>>>>
>>>>> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri, orderview for example.