Re: svn commit: r952119 - in /ofbiz/trunk: applications/accounting/widget/ applications/order/widget/ordermgr/ applications/party/widget/partymgr/ applications/product/widget/catalog/ applications/product/widget/facility/ specialpurpose/projectmgr/widget/f...


Scott Gray-2
Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri, orderview for example.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 7/06/2010, at 7:02 PM, [hidden email] wrote:

> Author: jleroux
> Date: Mon Jun  7 07:02:02 2010
> New Revision: 952119
>
> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
> Log:
> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action (ie DB modification)
>
> Modified:
>    ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>    ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>    ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>    ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>    ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>    ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>    ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>
> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original)
> +++ ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010
> @@ -215,7 +215,12 @@ under the License.
>         <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>         <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>         <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}" target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field>
> +        <field name="acctgTransId">
> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
> +            </hyperlink>
> +        </field>
>         <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity entity-name="AcctgTransType"/></field>
>         <field name="glJournalId" title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal" description="${glJournalName}"/></field>
>         <field name="glAccountTypeId" title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
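
Review bot: the log message limits the rule to link targets that perform an action, but nothing in this hunk shows that EditAcctgTrans does, and the paymentOverview link on the first context line keeps its inline ?paymentId=${paymentId}, so the form now mixes both styles. Name in the log the controller event that makes EditAcctgTrans an action, or describe this conversion as a consistency change rather than as securing a target.
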
>
> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original)
> +++ ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010
> @@ -50,7 +50,9 @@ under the License.
>         <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>         <field name="paymentGatewayConfigId"><hidden/></field>
>         <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
> -            <hyperlink description="${description}" target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/>
> +            <hyperlink description="${description}" target="EditPaymentGatewayConfig">
> +                <parameter param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/>
> +            </hyperlink>
>         </field>
>         <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>             <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId" description="${description}"/>
> @@ -385,7 +387,9 @@ under the License.
>         <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>         <field name="paymentGatewayConfigTypeId"><hidden/></field>
>         <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
> -            <hyperlink description="${description}" target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/>
> +            <hyperlink description="${description}" target="EditPaymentGatewayConfigType">
> + <parameter param-name="paymentGatewayConfigTypeId" from-field="paymentGatewayConfigTypeId"/>
> + </hyperlink>
>         </field>
>     </form>
>
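
Review bot: the added parameter and </hyperlink> lines in the -385 hunk lose the file's indentation (one leading space here, against 12 to 16 spaces on the neighbouring lines and in the -50 hunk of the same file), which usually points to tabs or a search-and-replace artefact. Re-indent them to match the -50 hunk; the added lines in OrderEntryForms.xml and ProductForms.xml show the same problem.
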
>
> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original)
> +++ ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010
> @@ -199,7 +199,9 @@ under the License.
>     <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title="" target="BulkAddProducts"
>         paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext" default-widget-style="inputBox" default-tooltip-style="tabletext">
>         <field name="productId"  title="${uiLabelMap.ProductProductId}" widget-style="buttontext">
> -            <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/>
> +            <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app">
> + <parameter param-name="productId" from-field="productId"/>
> + </hyperlink>
>         </field>
>         <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>         <field name="internalName"><display/></field>
>
> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original)
> +++ ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010
> @@ -287,7 +287,9 @@ under the License.
>         <field name="communicationEventId"><display/></field>
>         <field name="contactListId" use-when="contactListId!=null">
>             <display-entity entity-name="ContactList" description="${contactListName}">
> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}" description="[${communicationEvent.contactListId}]" target-type="inter-app"/>
> +                <sub-hyperlink target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app">
> +                <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/>
> +            </sub-hyperlink>
>             </display-entity>
>         </field>
>         <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
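
Review bot: in the contactListId field the new parameter child sits at the same indent as its sub-hyperlink parent, and the closing </sub-hyperlink> is outdented four spaces from the opening tag, so the nesting reads wrong. Indent the parameter one level deeper and align the closing tag with the opening one.
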
> @@ -470,7 +472,9 @@ under the License.
>             </service>
>         </actions>
>         <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/>
> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app">
> +                <parameter param-name="orderId" from-field="orderId"/>
> +            </hyperlink>
>         </field>
>         <field name="communicationEventId">
>             <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
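
Review bot: orderview reads as a plain view request, and the log message asks for parameter elements only where the target performs an action, so this hunk and the identical one at -1022 fall outside the stated rule. Either drop both orderview changes or reword the log so it does not present them as securing a target.
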
> @@ -1022,7 +1026,9 @@ under the License.
>             <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>         </row-actions>
>         <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/>
> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app">
> +                <parameter param-name="orderId" from-field="orderId"/>
> +            </hyperlink>
>         </field>
>         <field name="communicationEventId"><hidden/></field>
>         <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>
> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original)
> +++ ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010
> @@ -1997,7 +1997,9 @@ under the License.
>
>     <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row" default-table-style="basic-table">
>         <field name="communicationEventId" widget-style="buttontext">
> -            <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/>
> +            <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app">
> + <parameter param-name="communicationEventId" from-field="communicationEventId"/>
> + </hyperlink>
>         </field>
>         <field name="subject"><display/></field>
>         <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType" key-field-name="communicationEventTypeId"/></field>
>
> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original)
> +++ ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010
> @@ -50,7 +50,9 @@ under the License.
>         <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>         <field name="shipmentGatewayConfigId"><hidden/></field>
>         <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
> -            <hyperlink description="${description}" target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/>
> +            <hyperlink description="${description}" target="EditShipmentGatewayConfig">
> +                <parameter param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/>
> +            </hyperlink>
>         </field>
>         <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>             <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId" description="${description}"/>
> @@ -313,7 +315,9 @@ under the License.
>         <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>         <field name="shipmentGatewayConfTypeId"><hidden/></field>
>         <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
> -            <hyperlink description="${description}" target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/>
> +            <hyperlink description="${description}" target="EditShipmentGatewayConfigType">
> +                <parameter param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/>
> +            </hyperlink>
>         </field>
>     </form>
>
>
> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
> ==============================================================================
> --- ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original)
> +++ ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010
> @@ -340,7 +340,9 @@
>         <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>         <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time type="date"/></field>
>         <field name="edit" title=" ">
> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
> +            </hyperlink>
>         </field>
>         <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>     </form>
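
Review bot: both added lines in this hunk are malformed. In the hyperlink line the closing brace and quote are swapped, description="${uiLabelMap.CommonEdit"}>, which leaves an unterminated ${ expression inside the attribute and a stray } inside the tag, so ProjectForms.xml is no longer well-formed XML; and from-field="workEffortId}" carries a stray } that changes the field name. They should read description="${uiLabelMap.CommonEdit}"> and from-field="workEffortId".
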
>
>
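
Added example (not part of the original thread and not OFBiz code): a Python check for the point raised in the reply above, which flags a hyperlink with an inline query string only when the request it targets has an event attached. The controller and form fragments are constructed samples; `deleteTask` and `deleteWorkEffort` are hypothetical names, and the sketch assumes all request-maps sit in one controller file with no default XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed controller fragment. A request-map with an <event> child performs
# an action; one without it only renders a view.
CONTROLLER_XML = """
<site-conf>
    <request-map uri="orderview">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="orderview"/>
    </request-map>
    <request-map uri="EditTask">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="EditTask"/>
    </request-map>
    <request-map uri="deleteTask">  <!-- hypothetical action request -->
        <security https="true" auth="true"/>
        <event type="service" invoke="deleteWorkEffort"/>
        <response name="success" type="view" value="FindTask"/>
    </request-map>
</site-conf>
"""

# Constructed form widget fragment mixing the two link styles from the commit.
FORMS_XML = """
<forms>
    <form name="ListTasks" type="list">
        <field name="orderId">
            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}"
                       description="${orderId}" target-type="inter-app"/>
        </field>
        <field name="edit">
            <hyperlink target="EditTask" description="Edit">
                <parameter param-name="workEffortId" from-field="workEffortId"/>
            </hyperlink>
        </field>
        <field name="delete">
            <hyperlink target="deleteTask?workEffortId=${workEffortId}" description="Delete"/>
        </field>
    </form>
</forms>
"""

LINK_TAGS = ("hyperlink", "sub-hyperlink")


def requests_with_events(controller_xml):
    """Return the set of request-map uris that have an <event> child."""
    root = ET.fromstring(controller_xml)
    return {rm.get("uri") for rm in root.iter("request-map")
            if rm.find("event") is not None}


def request_uri(target):
    """Drop the query string and any /webapp/control/ prefix from a target."""
    path = target.split("?", 1)[0]
    return path.rsplit("/", 1)[-1]


def audit_links(forms_xml, action_uris):
    """Classify every hyperlink/sub-hyperlink in the form definitions.

    'fix'        inline query string on a request that has an event
    'style-only' inline query string on a view-only request
    'ok'         parameters already passed as <parameter> children (or none)
    """
    findings = []
    root = ET.fromstring(forms_xml)
    for form in root.iter("form"):
        for field in form.iter("field"):
            for link in field.iter():
                if link.tag not in LINK_TAGS:
                    continue
                target = link.get("target", "")
                uri = request_uri(target)
                if "?" not in target:
                    verdict = "ok"
                elif uri in action_uris:
                    verdict = "fix"
                else:
                    verdict = "style-only"
                findings.append((form.get("name"), field.get("name"), uri, verdict))
    return findings


if __name__ == "__main__":
    for row in audit_links(FORMS_XML, requests_with_events(CONTROLLER_XML)):
        print(*row, sep="\t")
```

Inter-app targets belong to another webapp's controller, so a real run would load that controller's request-maps as well before deciding.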



Scott Gray-2
On second look there were no targets in this commit that needed to be secured.

Regards
Scott

On 7/06/2010, at 7:18 PM, Scott Gray wrote:

> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri, orderview for example.
>
> Regards
> Scott
>
> HotWax Media
> http://www.hotwaxmedia.com
>
> On 7/06/2010, at 7:02 PM, [hidden email] wrote:
>
>> Author: jleroux
>> Date: Mon Jun  7 07:02:02 2010
>> New Revision: 952119
>>
>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>> Log:
>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action (ie DB modification)
>>
>> Modified:
>>   ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>   ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>   ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>   ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>   ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>   ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>   ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>
>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original)
>> +++ ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010
>> @@ -215,7 +215,12 @@ under the License.
>>        <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>>        <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>>        <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
>> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}" target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field>
>> +        <field name="acctgTransId">
>> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
>> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
>> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
>> +            </hyperlink>
>> +        </field>
>>        <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity entity-name="AcctgTransType"/></field>
>>        <field name="glJournalId" title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal" description="${glJournalName}"/></field>
>>        <field name="glAccountTypeId" title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
>>
>> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original)
>> +++ ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010
>> @@ -50,7 +50,9 @@ under the License.
>>        <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>>        <field name="paymentGatewayConfigId"><hidden/></field>
>>        <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>> -            <hyperlink description="${description}" target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/>
>> +            <hyperlink description="${description}" target="EditPaymentGatewayConfig">
>> +                <parameter param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/>
>> +            </hyperlink>
>>        </field>
>>        <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>            <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId" description="${description}"/>
>> @@ -385,7 +387,9 @@ under the License.
>>        <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>>        <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>        <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>> -            <hyperlink description="${description}" target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/>
>> +            <hyperlink description="${description}" target="EditPaymentGatewayConfigType">
>> + <parameter param-name="paymentGatewayConfigTypeId" from-field="paymentGatewayConfigTypeId"/>
>> + </hyperlink>
>>        </field>
>>    </form>
>>
>>
>> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original)
>> +++ ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010
>> @@ -199,7 +199,9 @@ under the License.
>>    <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title="" target="BulkAddProducts"
>>        paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext" default-widget-style="inputBox" default-tooltip-style="tabletext">
>>        <field name="productId"  title="${uiLabelMap.ProductProductId}" widget-style="buttontext">
>> -            <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/>
>> +            <hyperlink description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app">
>> + <parameter param-name="productId" from-field="productId"/>
>> + </hyperlink>
>>        </field>
>>        <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>>        <field name="internalName"><display/></field>
>>
>> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original)
>> +++ ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010
>> @@ -287,7 +287,9 @@ under the License.
>>        <field name="communicationEventId"><display/></field>
>>        <field name="contactListId" use-when="contactListId!=null">
>>            <display-entity entity-name="ContactList" description="${contactListName}">
>> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}" description="[${communicationEvent.contactListId}]" target-type="inter-app"/>
>> +                <sub-hyperlink target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app">
>> +                <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/>
>> +            </sub-hyperlink>
>>            </display-entity>
>>        </field>
>>        <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
>> @@ -470,7 +472,9 @@ under the License.
>>            </service>
>>        </actions>
>>        <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/>
>> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app">
>> +                <parameter param-name="orderId" from-field="orderId"/>
>> +            </hyperlink>
>>        </field>
>>        <field name="communicationEventId">
>>            <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
>> @@ -1022,7 +1026,9 @@ under the License.
>>            <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>        </row-actions>
>>        <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}" target-type="inter-app"/>
>> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}" target-type="inter-app">
>> +                <parameter param-name="orderId" from-field="orderId"/>
>> +            </hyperlink>
>>        </field>
>>        <field name="communicationEventId"><hidden/></field>
>>        <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>>
>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original)
>> +++ ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010
>> @@ -1997,7 +1997,9 @@ under the License.
>>
>>    <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row" default-table-style="basic-table">
>>        <field name="communicationEventId" widget-style="buttontext">
>> -            <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/>
>> +            <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app">
>> + <parameter param-name="communicationEventId" from-field="communicationEventId"/>
>> + </hyperlink>
>>        </field>
>>        <field name="subject"><display/></field>
>>        <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType" key-field-name="communicationEventTypeId"/></field>
>>
>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original)
>> +++ ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010
>> @@ -50,7 +50,9 @@ under the License.
>>        <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>        <field name="shipmentGatewayConfigId"><hidden/></field>
>>        <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>> -            <hyperlink description="${description}" target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/>
>> +            <hyperlink description="${description}" target="EditShipmentGatewayConfig">
>> +                <parameter param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/>
>> +            </hyperlink>
>>        </field>
>>        <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>            <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId" description="${description}"/>
>> @@ -313,7 +315,9 @@ under the License.
>>        <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>>        <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>        <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>> -            <hyperlink description="${description}" target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/>
>> +            <hyperlink description="${description}" target="EditShipmentGatewayConfigType">
>> +                <parameter param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/>
>> +            </hyperlink>
>>        </field>
>>    </form>
>>
>>
>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original)
>> +++ ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010
>> @@ -340,7 +340,9 @@
>>        <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>>        <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time type="date"/></field>
>>        <field name="edit" title=" ">
>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
>> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
>> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
>> +            </hyperlink>
>>        </field>
>>        <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>    </form>
>>
>>
>



Jacques Le Roux
Administrator
I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.

Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care anymore. Because if we let some get through they will be detected and signaled as to be reported as a child of OFBIZ-2330 (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)

One worry less, great!

Jacques

Scott Gray wrote:

> On second look there were no targets in this commit that needed to be secured.
>
> Regards
> Scott
>
> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>
>> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri,
>> orderview for example.
>>
>> Regards
>> Scott
>>
>> HotWax Media
>> http://www.hotwaxmedia.com
>>
>> On 7/06/2010, at 7:02 PM, [hidden email] wrote:
>>
>>> Author: jleroux
>>> Date: Mon Jun  7 07:02:02 2010
>>> New Revision: 952119
>>>
>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>> Log:
>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action
>>> (ie DB modification)
>>>
>>> Modified:
>>>   ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>   ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>   ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>   ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>   ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>   ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>   ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>
>>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010 @@ -215,7 +215,12 @@ under the License.
>>>        <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>>>        <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>>>        <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
>>> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}"
>>> target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field> +        <field
>>> name="acctgTransId"> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
>>> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
>>> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
>>> +            </hyperlink>
>>> +        </field>
>>>        <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
>>>        entity-name="AcctgTransType"/></field> <field name="glJournalId"
>>>        title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal"
>>> description="${glJournalName}"/></field> <field name="glAccountTypeId"
>>> title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
>>>
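Review bot: Before moving acctgTransId and organizationPartyId out of the EditAcctgTrans URL, confirm that the EditAcctgTrans request actually runs an event. The commit log asks for parameter elements only when there is an action (ie DB modification), and an Edit prefix in the request name does not establish that. The paymentOverview link in the context lines of this hunk keeps its value in the URL; if EditAcctgTrans only renders a screen, this link can stay in the same form. The same check applies to the other Edit* targets changed in this commit.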
>>> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original) +++
>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
>>>        License. <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>>>        <field name="paymentGatewayConfigId"><hidden/></field>
>>>        <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>>> -            <hyperlink description="${description}"
>>> target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> +            <hyperlink
>>> description="${description}" target="EditPaymentGatewayConfig"> +                <parameter param-name="paymentGatewayConfigId"
>>> from-field="paymentGatewayConfigId"/> +            </hyperlink>
>>>        </field>
>>>        <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>>            <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId"
>>> description="${description}"/> @@ -385,7 +387,9 @@ under the License.
>>>        <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>>>        <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>>        <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>>> -            <hyperlink description="${description}"
>>> target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> +            <hyperlink
>>> description="${description}" target="EditPaymentGatewayConfigType"> + <parameter param-name="paymentGatewayConfigTypeId"
>>> from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
>>>        </field>
>>>    </form>
>>>
>>>
>>> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original) +++
>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010 @@ -199,7 +199,9 @@ under the
>>>    License. <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title=""
>>>        target="BulkAddProducts" paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext"
>>>        default-widget-style="inputBox" default-tooltip-style="tabletext"> <field name="productId"
>>> title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> -            <hyperlink description="${productId}"
>>> target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/> +            <hyperlink
>>> description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app"> + <parameter
>>> param-name="productId" from-field="productId"/> + </hyperlink>
>>>        </field>
>>>        <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>>>        <field name="internalName"><display/></field>
>>>
>>> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original) +++
>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010 @@ -287,7 +287,9 @@ under
>>>        the License. <field name="communicationEventId"><display/></field>
>>>        <field name="contactListId" use-when="contactListId!=null">
>>>            <display-entity entity-name="ContactList" description="${contactListName}">
>>> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
>>> description="[${communicationEvent.contactListId}]" target-type="inter-app"/> +                <sub-hyperlink
>>> target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app"> +
>>> <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/> +            </sub-hyperlink>
>>>            </display-entity>
>>>        </field>
>>>        <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
>>> @@ -470,7 +472,9 @@ under the License.
>>>            </service>
>>>        </actions>
>>>        <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>> +            </hyperlink>
>>>        </field>
>>>        <field name="communicationEventId">
>>>            <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
>>> @@ -1022,7 +1026,9 @@ under the License.
>>>            <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>>        </row-actions>
>>>        <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>> +            </hyperlink>
>>>        </field>
>>>        <field name="communicationEventId"><hidden/></field>
>>>        <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>>>
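Review bot: The orderview links changed in the -470 and -1022 hunks of this file do not need parameter elements. As pointed out in the replies, no event is attached to orderview, and the commit log limits the rule to targets with an action (ie DB modification). Suggest restoring target="/ordermgr/control/orderview?orderId=${orderId}" in both places.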
>>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++
>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
>>> License.
>>>
>>>    <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row"
>>>        default-table-style="basic-table"> <field name="communicationEventId" widget-style="buttontext">
>>> -            <hyperlink description="${communicationEventId}"
>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> +
>>> <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> +
>>> <parameter param-name="communicationEventId" from-field="communicationEventId"/> + </hyperlink>
>>>        </field>
>>>        <field name="subject"><display/></field>
>>>        <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType"
>>> key-field-name="communicationEventTypeId"/></field>
>>>
>>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) +++
>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@
>>>        under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>>        <field name="shipmentGatewayConfigId"><hidden/></field>
>>>        <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>>> -            <hyperlink description="${description}"
>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> +            <hyperlink
>>> description="${description}" target="EditShipmentGatewayConfig"> +                <parameter
>>> param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> +            </hyperlink>
>>>        </field>
>>>        <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>>            <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId"
>>> description="${description}"/> @@ -313,7 +315,9 @@ under the License.
>>>        <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>>>        <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>>        <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>>> -            <hyperlink description="${description}"
>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> +            <hyperlink
>>> description="${description}" target="EditShipmentGatewayConfigType"> +                <parameter
>>> param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> +            </hyperlink>
>>>        </field>
>>>    </form>
>>>
>>>
>>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>> ============================================================================== ---
>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) +++
>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010 @@ -340,7 +340,9 @@
>>>        <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>>>        <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
>>>        type="date"/></field> <field name="edit" title=" ">
>>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
>>> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
>>> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
>>> +            </hyperlink>
>>>        </field>
>>>        <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>>    </form>
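Review bot: The added hyperlink in this hunk is not well-formed. In description="${uiLabelMap.CommonEdit"}> the attribute quote closes before the } of the expression, and from-field="workEffortId}" carries a stray }. These should read description="${uiLabelMap.CommonEdit}"> and from-field="workEffortId", matching the removed line and the parameter elements in the other hunks of this commit.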



Scott Gray-2
Hi Jacques,

In a small way it does hurt because whenever we use "post" instead of "get" the user will be prompted "do you want to submit the form again?" when they click the back button on the browser to go back to one of those screens.

But yeah I wouldn't rely on searching alone unless you are willing to check each target before altering it.

Regards
Scott

On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:

> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.
>
> Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care anymore. Because if we let some get through they will be detected and signaled as to be reported as a child of OFBIZ-2330 (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)
>
> One worry less, great!
>
> Jacques
>
> Scott Gray wrote:
>> On second look there were no targets in this commit that needed to be secured.
>>
>> Regards
>> Scott
>>
>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>>
>>> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri,
>>> orderview for example.
>>>
>>> Regards
>>> Scott
>>>
>>> HotWax Media
>>> http://www.hotwaxmedia.com
>>>
>>> On 7/06/2010, at 7:02 PM, [hidden email] wrote:
>>>
>>>> Author: jleroux
>>>> Date: Mon Jun  7 07:02:02 2010
>>>> New Revision: 952119
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>>> Log:
>>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action
>>>> (ie DB modification)
>>>>
>>>> Modified:
>>>>  ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>  ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>  ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>  ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>  ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>  ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>  ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>>
>>>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010 @@ -215,7 +215,12 @@ under the License.
>>>>       <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>>>>       <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>>>>       <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
>>>> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}"
>>>> target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field> +        <field
>>>> name="acctgTransId"> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
>>>> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
>>>> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
>>>> +            </hyperlink>
>>>> +        </field>
>>>>       <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
>>>>       entity-name="AcctgTransType"/></field> <field name="glJournalId"
>>>>       title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal"
>>>> description="${glJournalName}"/></field> <field name="glAccountTypeId"
>>>> title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
>>>>
>>>> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original) +++
>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
>>>>       License. <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>>>>       <field name="paymentGatewayConfigId"><hidden/></field>
>>>>       <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> +            <hyperlink
>>>> description="${description}" target="EditPaymentGatewayConfig"> +                <parameter param-name="paymentGatewayConfigId"
>>>> from-field="paymentGatewayConfigId"/> +            </hyperlink>
>>>>       </field>
>>>>       <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>>>           <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId"
>>>> description="${description}"/> @@ -385,7 +387,9 @@ under the License.
>>>>       <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>>>>       <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>>>       <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> +            <hyperlink
>>>> description="${description}" target="EditPaymentGatewayConfigType"> + <parameter param-name="paymentGatewayConfigTypeId"
>>>> from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
>>>>       </field>
>>>>   </form>
>>>>
>>>>
>>>> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original) +++
>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010 @@ -199,7 +199,9 @@ under the
>>>>   License. <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title=""
>>>>       target="BulkAddProducts" paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext"
>>>>       default-widget-style="inputBox" default-tooltip-style="tabletext"> <field name="productId"
>>>> title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> -            <hyperlink description="${productId}"
>>>> target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/> +            <hyperlink
>>>> description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app"> + <parameter
>>>> param-name="productId" from-field="productId"/> + </hyperlink>
>>>>       </field>
>>>>       <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>>>>       <field name="internalName"><display/></field>
>>>>
>>>> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original) +++
>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010 @@ -287,7 +287,9 @@ under
>>>>       the License. <field name="communicationEventId"><display/></field>
>>>>       <field name="contactListId" use-when="contactListId!=null">
>>>>           <display-entity entity-name="ContactList" description="${contactListName}">
>>>> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
>>>> description="[${communicationEvent.contactListId}]" target-type="inter-app"/> +                <sub-hyperlink
>>>> target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app"> +
>>>> <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/> +            </sub-hyperlink>
>>>>           </display-entity>
>>>>       </field>
>>>>       <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
>>>> @@ -470,7 +472,9 @@ under the License.
>>>>           </service>
>>>>       </actions>
>>>>       <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>> +            </hyperlink>
>>>>       </field>
>>>>       <field name="communicationEventId">
>>>>           <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
>>>> @@ -1022,7 +1026,9 @@ under the License.
>>>>           <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>>>       </row-actions>
>>>>       <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>> +            </hyperlink>
>>>>       </field>
>>>>       <field name="communicationEventId"><hidden/></field>
>>>>       <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>>>>
>>>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++
>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
>>>> License.
>>>>
>>>>   <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row"
>>>>       default-table-style="basic-table"> <field name="communicationEventId" widget-style="buttontext">
>>>> -            <hyperlink description="${communicationEventId}"
>>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> +
>>>> <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> +
>>>> <parameter param-name="communicationEventId" from-field="communicationEventId"/> + </hyperlink>
>>>>       </field>
>>>>       <field name="subject"><display/></field>
>>>>       <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType"
>>>> key-field-name="communicationEventTypeId"/></field>
>>>>
>>>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) +++
>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@
>>>>       under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>>>       <field name="shipmentGatewayConfigId"><hidden/></field>
>>>>       <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> +            <hyperlink
>>>> description="${description}" target="EditShipmentGatewayConfig"> +                <parameter
>>>> param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> +            </hyperlink>
>>>>       </field>
>>>>       <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>>>           <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId"
>>>> description="${description}"/> @@ -313,7 +315,9 @@ under the License.
>>>>       <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>>>>       <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>>>       <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> +            <hyperlink
>>>> description="${description}" target="EditShipmentGatewayConfigType"> +                <parameter
>>>> param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> +            </hyperlink>
>>>>       </field>
>>>>   </form>
>>>>
>>>>
>>>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ============================================================================== ---
>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) +++
>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010 @@ -340,7 +340,9 @@
>>>>       <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>>>>       <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
>>>>       type="date"/></field> <field name="edit" title=" ">
>>>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
>>>> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
>>>> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
>>>> +            </hyperlink>
>>>>       </field>
>>>>       <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>>>   </form>
>
>
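The check Scott describes above (confirm that a target really has an event attached before altering its link) can be scripted instead of relying on a name-based regex search. This is an added example, not code from the thread or from OFBiz: the controller and form snippets are constructed, the request-map/event layout of the controller is an assumption, and updateTask and notMapped are made-up URIs.

```python
import xml.etree.ElementTree as ET

# Constructed controller snippet. The request-map/event layout is an assumption
# about the controller file; "updateTask" is a made-up request URI.
CONTROLLER_XML = """\
<site-conf>
    <request-map uri="orderview">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="orderview"/>
    </request-map>
    <request-map uri="EditTask">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="EditTask"/>
    </request-map>
    <request-map uri="updateTask">
        <security https="true" auth="true"/>
        <event type="service" invoke="updateTask"/>
        <response name="success" type="view" value="EditTask"/>
    </request-map>
</site-conf>
"""

# Constructed form definitions in the style of the form widgets in the commit.
FORMS_XML = """\
<forms>
    <form name="ListTasks" type="list">
        <field name="orderId">
            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}"
                       description="${orderId}" target-type="inter-app"/>
        </field>
        <field name="edit">
            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="Edit"/>
        </field>
        <field name="update">
            <hyperlink target="updateTask?workEffortId=${workEffortId}" description="Update"/>
        </field>
        <field name="updateSafe">
            <hyperlink target="updateTask" description="Update">
                <parameter param-name="workEffortId" from-field="workEffortId"/>
            </hyperlink>
        </field>
        <field name="other">
            <hyperlink target="notMapped?id=${id}" description="Other"/>
        </field>
    </form>
</forms>
"""

LINK_TAGS = ("hyperlink", "sub-hyperlink")


def load_request_map(controller_xml):
    """Map each request URI to True when an <event> is attached to it."""
    root = ET.fromstring(controller_xml)
    return {rm.get("uri"): rm.find("event") is not None
            for rm in root.iter("request-map")}


def request_uri(target):
    """Split a link target into (request uri, has_query_string).

    Simplification: for inter-app targets such as
    '/ordermgr/control/orderview?...' only the last path segment is looked up,
    so the controllers of all webapps are treated as one map here.
    """
    path, sep, _query = target.partition("?")
    return path.rstrip("/").rsplit("/", 1)[-1], bool(sep)


def audit_links(forms_xml, controller_xml):
    """Classify every hyperlink/sub-hyperlink by what its request does."""
    events = load_request_map(controller_xml)
    findings = []
    for form in ET.fromstring(forms_xml).iter("form"):
        for field in form.iter("field"):
            for link in field.iter():
                if link.tag not in LINK_TAGS:
                    continue
                uri, has_query = request_uri(link.get("target", ""))
                if uri not in events:
                    verdict = "unknown-uri"          # check by hand
                elif not events[uri]:
                    verdict = "view-only"            # no event: leave the link alone
                elif has_query:
                    verdict = "move-to-parameters"   # action with values in the URL
                else:
                    verdict = "ok"                   # action already uses <parameter>
                findings.append((form.get("name"), field.get("name"), uri, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_links(FORMS_XML, CONTROLLER_XML):
        print("%-10s %-11s %-10s %s" % finding)
```

Only links reported as move-to-parameters fall under the rule in the commit log; view-only links such as orderview and EditTask in this sample are left as they are.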



Jacques Le Roux
Administrator
Ha well, I did not think about that, thanks!

I revert...

Jacques

Scott Gray wrote:

> Hi Jacques,
>
> In a small way it does hurt because whenever we use "post" instead of "get" the user will be prompted "do you want to submit the
> form again?" when they click the back button on the browser to go back to one of those screens.
>
> But yeah I wouldn't rely on searching alone unless you are willing to check each target before altering it.
>
> Regards
> Scott
>
> On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:
>
>> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they
>> have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.
>>
>> Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care
>> anymore. Because if we let some get through they will be detected and signaled as to be reported as a child of OFBIZ-2330
>> (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)
>>
>> One worry less, great!
>>
>> Jacques
>>
>> Scott Gray wrote:
>>> On second look there were no targets in this commit that needed to be secured.
>>>
>>> Regards
>>> Scott
>>>
>>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>>>
>>>> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri,
>>>> orderview for example.
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> HotWax Media
>>>> http://www.hotwaxmedia.com
>>>>
>>>> On 7/06/2010, at 7:02 PM, [hidden email] wrote:
>>>>
>>>>> Author: jleroux
>>>>> Date: Mon Jun  7 07:02:02 2010
>>>>> New Revision: 952119
>>>>>
>>>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>>>> Log:
>>>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action
>>>>> (ie DB modification)
>>>>>
>>>>> Modified:
>>>>>  ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>>  ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>>  ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>>  ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>>  ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>>  ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>>  ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>>>
>>>>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010 @@ -215,7 +215,12 @@ under the License.
>>>>>       <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>>>>>       <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>>>>>       <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
>>>>> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}"
>>>>> target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field> +        <field
>>>>> name="acctgTransId"> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
>>>>> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
>>>>> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
>>>>> +            </hyperlink>
>>>>> +        </field>
>>>>>       <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
>>>>>       entity-name="AcctgTransType"/></field> <field name="glJournalId"
>>>>>       title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal"
>>>>> description="${glJournalName}"/></field> <field name="glAccountTypeId"
>>>>> title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
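Review bot: nothing in this hunk or in the log shows that EditAcctgTrans performs an action, while the log's own rule limits the parameter form to links "when there is an action (ie DB modification)". The unchanged paymentOverview?paymentId=${paymentId} link three lines above the change still carries its value in the URL, so the form now mixes both styles without a stated reason. Name in the log the event that EditAcctgTrans invokes, or leave the link as it was if the request only renders a view.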
>>>>>
>>>>> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original) +++
>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
>>>>>       License. <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>>>>>       <field name="paymentGatewayConfigId"><hidden/></field>
>>>>>       <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>>>>> -            <hyperlink description="${description}"
>>>>> target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> +            <hyperlink
>>>>> description="${description}" target="EditPaymentGatewayConfig"> +                <parameter
>>>>> param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/> +            </hyperlink>
>>>>>       </field>
>>>>>       <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>>>>           <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId"
>>>>> description="${description}"/> @@ -385,7 +387,9 @@ under the License.
>>>>>       <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>>>>>       <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>>>>       <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>>>>> -            <hyperlink description="${description}"
>>>>> target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> +            <hyperlink
>>>>> description="${description}" target="EditPaymentGatewayConfigType"> + <parameter param-name="paymentGatewayConfigTypeId"
>>>>> from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
>>>>>       </field>
>>>>>   </form>
>>>>>
>>>>>
>>>>> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original) +++
>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010 @@ -199,7 +199,9 @@ under the
>>>>>   License. <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title=""
>>>>>       target="BulkAddProducts" paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext"
>>>>>       default-widget-style="inputBox" default-tooltip-style="tabletext"> <field name="productId"
>>>>> title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> -            <hyperlink description="${productId}"
>>>>> target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/> +            <hyperlink
>>>>> description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app"> + <parameter
>>>>> param-name="productId" from-field="productId"/> + </hyperlink>
>>>>>       </field>
>>>>>       <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>>>>>       <field name="internalName"><display/></field>
>>>>>
>>>>> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original) +++
>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010 @@ -287,7 +287,9 @@ under
>>>>>       the License. <field name="communicationEventId"><display/></field>
>>>>>       <field name="contactListId" use-when="contactListId!=null">
>>>>>           <display-entity entity-name="ContactList" description="${contactListName}">
>>>>> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
>>>>> description="[${communicationEvent.contactListId}]" target-type="inter-app"/> +                <sub-hyperlink
>>>>> target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app"> +
>>>>> <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/> +            </sub-hyperlink>
>>>>>           </display-entity>
>>>>>       </field>
>>>>>       <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
>>>>> @@ -470,7 +472,9 @@ under the License.
>>>>>           </service>
>>>>>       </actions>
>>>>>       <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>>> +            </hyperlink>
>>>>>       </field>
>>>>>       <field name="communicationEventId">
>>>>>           <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
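Review bot: the target converted in this hunk, /ordermgr/control/orderview, reads as a view request rather than an action, so it falls outside the log's rule of using the parameter form only "when there is an action (ie DB modification)". Confirm in the ordermgr controller that an event is attached to orderview before converting; if there is none, keep target="/ordermgr/control/orderview?orderId=${orderId}". The same target is converted again in the hunk at @@ -1022,7 +1026,9 @@.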
>>>>> @@ -1022,7 +1026,9 @@ under the License.
>>>>>           <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>>>>       </row-actions>
>>>>>       <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
>>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>>> +            </hyperlink>
>>>>>       </field>
>>>>>       <field name="communicationEventId"><hidden/></field>
>>>>>       <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>>>>>
>>>>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++
>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
>>>>> License.
>>>>>
>>>>>   <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row"
>>>>>       default-table-style="basic-table"> <field name="communicationEventId" widget-style="buttontext">
>>>>> -            <hyperlink description="${communicationEventId}"
>>>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> +
>>>>> <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> +
>>>>> <parameter param-name="communicationEventId" from-field="communicationEventId"/> + </hyperlink>
>>>>>       </field>
>>>>>       <field name="subject"><display/></field>
>>>>>       <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType"
>>>>> key-field-name="communicationEventTypeId"/></field>
>>>>>
>>>>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) +++
>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@
>>>>>       under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>>>>       <field name="shipmentGatewayConfigId"><hidden/></field>
>>>>>       <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>>>>> -            <hyperlink description="${description}"
>>>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> +            <hyperlink
>>>>> description="${description}" target="EditShipmentGatewayConfig"> +                <parameter
>>>>> param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> +            </hyperlink>
>>>>>       </field>
>>>>>       <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>>>>           <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId"
>>>>> description="${description}"/> @@ -313,7 +315,9 @@ under the License.
>>>>>       <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>>>>>       <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>>>>       <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>>>>> -            <hyperlink description="${description}"
>>>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> +            <hyperlink
>>>>> description="${description}" target="EditShipmentGatewayConfigType"> +                <parameter
>>>>> param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> +            </hyperlink>
>>>>>       </field>
>>>>>   </form>
>>>>>
>>>>>
>>>>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>> ============================================================================== ---
>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) +++
>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010 @@ -340,7 +340,9 @@
>>>>>       <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>>>>>       <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
>>>>>       type="date"/></field> <field name="edit" title=" ">
>>>>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
>>>>> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
>>>>> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
>>>>> +            </hyperlink>
>>>>>       </field>
>>>>>       <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>>>>   </form>
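Review bot: both added hyperlink lines in this hunk are malformed. In description="${uiLabelMap.CommonEdit"}> the closing quote and the brace are swapped, so the attribute value ends before the } and the file is no longer well-formed XML; in from-field="workEffortId}" a stray } has been appended to the field name. The removed line had description="${uiLabelMap.CommonEdit}", so the added lines should read description="${uiLabelMap.CommonEdit}"> and from-field="workEffortId".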



Scott Gray-2
Thanks Jacques

Regards
Scott

On 7/06/2010, at 9:15 PM, Jacques Le Roux wrote:

> Ha well, I did not think about that, thanks!
>
> I revert...
>
> Jacques
>
> Scott Gray wrote:
>> Hi Jacques,
>>
>> In a small way it does hurt because whenever we use "post" instead of "get" the user will be prompted "do you want to submit the
>> form again?" when they click the back button on the browser to go back to one of those screens.
>>
>> But yeah I wouldn't rely on searching alone unless you are willing to check each target before altering it.
>>
>> Regards
>> Scott
>>
>> On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:
>>
>>> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they
>>> have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.
>>>
>>> Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care
>>> anymore. Because if we let some get through they will be detected and signaled as to be reported as a child of OFBIZ-2330
>>> (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue)
>>>
>>> One worry less, great!
>>>
>>> Jacques
>>>
>>> Scott Gray wrote:
>>>> On second look there were no targets in this commit that needed to be secured.
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>>>>
>>>>> Quite a few of those links don't actually look like they needed to be secured i.e. there is no event attached to that uri,
>>>>> orderview for example.
>>>>>
>>>>> Regards
>>>>> Scott
>>>>>
>>>>> HotWax Media
>>>>> http://www.hotwaxmedia.com
>>>>>
>>>>> On 7/06/2010, at 7:02 PM, [hidden email] wrote:
>>>>>
>>>>>> Author: jleroux
>>>>>> Date: Mon Jun  7 07:02:02 2010
>>>>>> New Revision: 952119
>>>>>>
>>>>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>>>>> Log:
>>>>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
>>>>>> Please committers use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action
>>>>>> (ie DB modification)
>>>>>>
>>>>>> Modified:
>>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>>>>
>>>>>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 07:02:02 2010 @@ -215,7 +215,12 @@ under the License.
>>>>>>      <field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}" description="${paymentId}"/></field>
>>>>>>      <field name="amount"><display type="currency" currency="${currencyUomId}"/></field>
>>>>>>      <field name="origAmount"><display type="currency" currency="${origCurrencyUomId}"/></field>
>>>>>> -        <field name="acctgTransId"><hyperlink description="${acctgTransId}"
>>>>>> target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field> +        <field
>>>>>> name="acctgTransId"> +            <hyperlink description="${acctgTransId}" target="EditAcctgTrans">
>>>>>> +                <parameter param-name="acctgTransId" from-field="acctgTransId"/>
>>>>>> +                <parameter param-name="organizationPartyId" from-field="organizationPartyId"/>
>>>>>> +            </hyperlink>
>>>>>> +        </field>
>>>>>>      <field name="acctgTransTypeId" title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
>>>>>>      entity-name="AcctgTransType"/></field> <field name="glJournalId"
>>>>>>      title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity entity-name="GlJournal"
>>>>>> description="${glJournalName}"/></field> <field name="glAccountTypeId"
>>>>>> title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity entity-name="GlAccountType"/></field>
>>>>>>
>>>>>> Modified: ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
>>>>>>      License. <auto-fields-entity entity-name="PaymentGatewayConfig" default-field-type="display"/>
>>>>>>      <field name="paymentGatewayConfigId"><hidden/></field>
>>>>>>      <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>>>>>> -            <hyperlink description="${description}"
>>>>>> target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> +            <hyperlink
>>>>>> description="${description}" target="EditPaymentGatewayConfig"> +                <parameter
>>>>>> param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/> +            </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="paymentGatewayConfigTypeId" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>>>>>          <display-entity entity-name="PaymentGatewayConfigType" key-field-name="paymentGatewayConfigTypeId"
>>>>>> description="${description}"/> @@ -385,7 +387,9 @@ under the License.
>>>>>>      <auto-fields-entity entity-name="PaymentGatewayConfigType" default-field-type="display"/>
>>>>>>      <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>>>>>      <field name="description" title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>>>>>> -            <hyperlink description="${description}"
>>>>>> target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> +            <hyperlink
>>>>>> description="${description}" target="EditPaymentGatewayConfigType"> + <parameter param-name="paymentGatewayConfigTypeId"
>>>>>> from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
>>>>>>      </field>
>>>>>>  </form>
>>>>>>
>>>>>>
>>>>>> Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun  7 07:02:02 2010 @@ -199,7 +199,9 @@ under the
>>>>>>  License. <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" list-name="productList" title=""
>>>>>>      target="BulkAddProducts" paginate-target="LookupAssociatedProducts" default-title-style="tableheadtext"
>>>>>>      default-widget-style="inputBox" default-tooltip-style="tabletext"> <field name="productId"
>>>>>> title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> -            <hyperlink description="${productId}"
>>>>>> target="/catalog/control/EditProductInventoryItems?productId=${productId}" target-type="inter-app"/> +            <hyperlink
>>>>>> description="${productId}" target="/catalog/control/EditProductInventoryItems" target-type="inter-app"> + <parameter
>>>>>> param-name="productId" from-field="productId"/> + </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="brandName" title="${uiLabelMap.ProductBrandName}"><display/></field>
>>>>>>      <field name="internalName"><display/></field>
>>>>>>
>>>>>> Modified: ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon Jun  7 07:02:02 2010 @@ -287,7 +287,9 @@ under
>>>>>>      the License. <field name="communicationEventId"><display/></field>
>>>>>>      <field name="contactListId" use-when="contactListId!=null">
>>>>>>          <display-entity entity-name="ContactList" description="${contactListName}">
>>>>>> -                <sub-hyperlink target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
>>>>>> description="[${communicationEvent.contactListId}]" target-type="inter-app"/> +                <sub-hyperlink
>>>>>> target="/marketing/control/EditContactList" description="[${communicationEvent.contactListId}]" target-type="inter-app"> +
>>>>>> <parameter param-name="contactListId" from-field="communicationEvent.contactListId"/> +            </sub-hyperlink>
>>>>>>          </display-entity>
>>>>>>      </field>
>>>>>>      <field name="partyIdFrom" use-when="&quot;my&quot;==void" title="${uiLabelMap.PartyPartyFrom}">
>>>>>> @@ -470,7 +472,9 @@ under the License.
>>>>>>          </service>
>>>>>>      </actions>
>>>>>>      <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>>>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>>>> +            </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="communicationEventId">
>>>>>>          <hyperlink description="${communicationEventId}" target="ViewCommunicationEvent">
>>>>>> @@ -1022,7 +1026,9 @@ under the License.
>>>>>>          <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>>>>>      </row-actions>
>>>>>>      <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" widget-style="buttontext">
>>>>>> -            <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}" description="${orderId}"
>>>>>> target-type="inter-app"/> +            <hyperlink target="/ordermgr/control/orderview" description="${orderId}"
>>>>>> target-type="inter-app"> +                <parameter param-name="orderId" from-field="orderId"/>
>>>>>> +            </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="communicationEventId"><hidden/></field>
>>>>>>      <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>>>>>>
>>>>>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  7 07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
>>>>>> License.
>>>>>>
>>>>>>  <form name="ListCommEvents" list-name="communicationEvents" type="list" header-row-style="header-row"
>>>>>>      default-table-style="basic-table"> <field name="communicationEventId" widget-style="buttontext">
>>>>>> -            <hyperlink description="${communicationEventId}"
>>>>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" target-type="inter-app"/> +
>>>>>> <hyperlink description="${communicationEventId}" target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> +
>>>>>> <parameter param-name="communicationEventId" from-field="communicationEventId"/> + </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="subject"><display/></field>
>>>>>>      <field name="communicationEventTypeId"><display-entity description="${description}" entity-name="CommunicationEventType"
>>>>>> key-field-name="communicationEventTypeId"/></field>
>>>>>>
>>>>>> Modified: ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml (original) +++
>>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@
>>>>>>      under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>>>>>      <field name="shipmentGatewayConfigId"><hidden/></field>
>>>>>>      <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>>>>>> -            <hyperlink description="${description}"
>>>>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> +            <hyperlink
>>>>>> description="${description}" target="EditShipmentGatewayConfig"> +                <parameter
>>>>>> param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> +            </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="shipmentGatewayConfTypeId" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>>>>>          <display-entity entity-name="ShipmentGatewayConfigType" key-field-name="shipmentGatewayConfTypeId"
>>>>>> description="${description}"/> @@ -313,7 +315,9 @@ under the License.
>>>>>>      <auto-fields-entity entity-name="ShipmentGatewayConfigType" default-field-type="display"/>
>>>>>>      <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>>>>>      <field name="description" title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>>>>>> -            <hyperlink description="${description}"
>>>>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> +            <hyperlink
>>>>>> description="${description}" target="EditShipmentGatewayConfigType"> +                <parameter
>>>>>> param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> +            </hyperlink>
>>>>>>      </field>
>>>>>>  </form>
>>>>>>
>>>>>>
>>>>>> Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>>>> URL:
>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>>>> ============================================================================== ---
>>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original) +++
>>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun  7 07:02:02 2010 @@ -340,7 +340,9 @@
>>>>>>      <field name="estimatedStartDate" title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
>>>>>>      <field name="estimatedCompletionDate" title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
>>>>>>      type="date"/></field> <field name="edit" title=" ">
>>>>>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" description="${uiLabelMap.CommonEdit}"/>
>>>>>> +            <hyperlink target="EditTask" description="${uiLabelMap.CommonEdit"}>
>>>>>> +                <parameter param-name="workEffortId" from-field="workEffortId}"/>
>>>>>> +            </hyperlink>
>>>>>>      </field>
>>>>>>      <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>>>>>  </form>
>
>
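The check discussed in this thread (confirming that a target has an event attached before converting its link), as an added example that is not part of the original messages or of OFBiz itself. The controller and form fragments are constructed samples, the function names are hypothetical, and the request-maps of every linked webapp are assumed to be merged into one document.

```python
import xml.etree.ElementTree as ET

# Constructed controller fragment (assumption: request-maps from every webapp
# the forms link to have been merged into one document for the audit).
CONTROLLER_XML = """<site-conf>
  <request-map uri="orderview">
    <response name="success" type="view" value="orderview"/>
  </request-map>
  <request-map uri="EditTask">
    <response name="success" type="view" value="EditTask"/>
  </request-map>
  <request-map uri="updateTask">
    <event type="service" invoke="updateTask"/>
    <response name="success" type="view" value="EditTask"/>
  </request-map>
</site-conf>"""

# Constructed form widget fragment with the link styles discussed in the thread.
FORMS_XML = """<forms>
  <form name="ListTasks" type="list">
    <field name="orderId">
      <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}"
                 description="${orderId}" target-type="inter-app"/>
    </field>
    <field name="edit">
      <hyperlink target="EditTask?workEffortId=${workEffortId}" description="Edit"/>
    </field>
    <field name="close">
      <hyperlink target="updateTask?workEffortId=${workEffortId}" description="Close"/>
    </field>
    <field name="done">
      <hyperlink target="updateTask" description="Done">
        <parameter param-name="workEffortId" from-field="workEffortId"/>
      </hyperlink>
    </field>
    <field name="other">
      <hyperlink target="someRequest?id=${id}" description="Other"/>
    </field>
  </form>
</forms>"""

LINK_TAGS = {"hyperlink", "sub-hyperlink", "link"}


def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def request_events(controller_xml):
    """Map each request-map uri to True when it declares an <event>."""
    events = {}
    for el in ET.fromstring(controller_xml).iter():
        if local(el.tag) == "request-map" and el.get("uri"):
            events[el.get("uri")] = any(local(c.tag) == "event" for c in el)
    return events


def request_uri(target):
    """Request name of a link target: drop the query string and any path."""
    return target.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]


def audit_links(forms_xml, events):
    """Return (request uri, verdict) for every link element in the form XML."""
    findings = []
    for el in ET.fromstring(forms_xml).iter():
        target = el.get("target")
        if local(el.tag) not in LINK_TAGS or not target:
            continue
        uri = request_uri(target)
        if uri not in events:
            verdict = "check"      # request-map not found: verify by hand
        elif "?" not in target:
            verdict = "ok"         # nothing carried in the URL
        elif events[uri]:
            verdict = "convert"    # an event runs: move values to <parameter>
        else:
            verdict = "leave"      # view only: keep the plain link
        findings.append((uri, verdict))
    return findings


def well_formed(xml_text):
    """True when the fragment parses; catches slips from search and replace."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for uri, verdict in audit_links(FORMS_XML, request_events(CONTROLLER_XML)):
        print(f"{uri:12} {verdict}")
```

Running `well_formed` over each edited file before committing also catches quoting slips such as the one in the ProjectForms.xml hunk.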

