[jira] [Commented] (OFBIZ-7162) Delete Child Period in EditCustomTimePeriod not secure


Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-7162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15317004#comment-15317004 ]

Jacques Le Roux commented on OFBIZ-7162:
----------------------------------------

For the sake of completeness, here is an answer I made to Deepak after his message on the dev ML http://markmail.org/message/vq53356tr4hmeale
Here it is for convenience:
{quote}
Hi Arjun,

It's incorrect markup: the form tag is not a valid child of table. You can't put
a form between td tags; you need to put it inside td.

Thanks & Regards
--
Deepak Dixit
{quote}
{quote}
This is right Deepak,

Moreover, this is what the "HTML Validator" plugin in Firefox
(http://users.skynet.be/mgueury/mozilla/) says on demo trunk (HEAD):

Result: 61 erreurs / 0 avertissements

Info: W3c Online Validation

line 286 column 49 - Erreur: The “cellspacing” attribute on the “table” element
is obsolete. Use CSS instead.
line 299 column 133 - Erreur: Start tag “form” seen in “table”.
line 299 column 133 - Erreur: Element “form” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 300 column 76 - Erreur: Start tag “input” seen in “table”.
line 300 column 76 - Erreur: Element “input” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 394 column 19 - Erreur: Stray end tag “form”.
line 394 column 19 - Erreur: Stray end tag “form”.
line 407 column 133 - Erreur: Start tag “form” seen in “table”.
line 407 column 133 - Erreur: Element “form” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 408 column 76 - Erreur: Start tag “input” seen in “table”.
line 408 column 76 - Erreur: Element “input” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 502 column 19 - Erreur: Stray end tag “form”.
line 502 column 19 - Erreur: Stray end tag “form”.
line 515 column 133 - Erreur: Start tag “form” seen in “table”.
line 515 column 133 - Erreur: Element “form” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 516 column 76 - Erreur: Start tag “input” seen in “table”.
line 516 column 76 - Erreur: Element “input” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 610 column 19 - Erreur: Stray end tag “form”.
line 610 column 19 - Erreur: Stray end tag “form”.
line 623 column 133 - Erreur: Start tag “form” seen in “table”.
line 623 column 133 - Erreur: Element “form” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 624 column 76 - Erreur: Start tag “input” seen in “table”.
line 624 column 76 - Erreur: Element “input” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 718 column 19 - Erreur: Stray end tag “form”.
line 718 column 19 - Erreur: Stray end tag “form”.
line 731 column 133 - Erreur: Start tag “form” seen in “table”.
line 731 column 133 - Erreur: Element “form” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 732 column 76 - Erreur: Start tag “input” seen in “table”.
line 732 column 76 - Erreur: Element “input” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 826 column 19 - Erreur: Stray end tag “form”.
line 826 column 19 - Erreur: Stray end tag “form”.
line 839 column 133 - Erreur: Start tag “form” seen in “table”.
line 839 column 133 - Erreur: Element “form” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 840 column 76 - Erreur: Start tag “input” seen in “table”.
line 840 column 76 - Erreur: Element “input” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 934 column 19 - Erreur: Stray end tag “form”.
line 934 column 19 - Erreur: Stray end tag “form”.
line 947 column 133 - Erreur: Start tag “form” seen in “table”.
line 947 column 133 - Erreur: Element “form” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 948 column 76 - Erreur: Start tag “input” seen in “table”.
line 948 column 76 - Erreur: Element “input” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 1042 column 19 - Erreur: Stray end tag “form”.
line 1042 column 19 - Erreur: Stray end tag “form”.
line 1055 column 133 - Erreur: Start tag “form” seen in “table”.
line 1055 column 133 - Erreur: Element “form” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 1056 column 76 - Erreur: Start tag “input” seen in “table”.
line 1056 column 76 - Erreur: Element “input” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 1150 column 19 - Erreur: Stray end tag “form”.
line 1150 column 19 - Erreur: Stray end tag “form”.
line 1163 column 133 - Erreur: Start tag “form” seen in “table”.
line 1163 column 133 - Erreur: Element “form” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 1164 column 76 - Erreur: Start tag “input” seen in “table”.
line 1164 column 76 - Erreur: Element “input” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 1258 column 19 - Erreur: Stray end tag “form”.
line 1258 column 19 - Erreur: Stray end tag “form”.
line 1271 column 134 - Erreur: Start tag “form” seen in “table”.
line 1271 column 134 - Erreur: Element “form” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 1272 column 76 - Erreur: Start tag “input” seen in “table”.
line 1272 column 76 - Erreur: Element “input” not allowed as child of element
“tr” in this context. (Suppressing further errors from this subtree.)
line 1366 column 19 - Erreur: Stray end tag “form”.
line 1366 column 19 - Erreur: Stray end tag “form”.

So 2 same are not from Arjun's patch. So I guess he simply followed the "trend"
in this page. I guess we still have a lot like that in all OFBiz. Some
may have been introduced with subtasks of OFBIZ-2330...

I'd not call them bugs since so far browsers are accepting and rendering them.
But I agree it would be good to get rid of (all of) them. This would be
another Jira ;)

Jacques
{quote}


> Delete Child Period in EditCustomTimePeriod not secure
> ------------------------------------------------------
>
>                 Key: OFBIZ-7162
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7162
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: accounting
>    Affects Versions: Release Branch 13.07, Release Branch 14.12, Trunk, Release Branch 15.12
>            Reporter: Montalbano Florian
>            Assignee: Pranay Pandey
>            Priority: Minor
>             Fix For: 14.12.01, 15.12.01, 13.07.04
>
>         Attachments: OFBIZ-7162-13_07.patch, OFBIZ-7162-14_12.patch, OFBIZ-7162-15_12.patch, OFBIZ-7162.patch
>
>
> When deleting a Child Period here: https://localhost:8443/accounting/control/EditCustomTimePeriod, the following error shows up:
> "The Following Errors Occurred:
> Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [customTimePeriodId] passed to secure (https) request-map with uri [deleteCustomTimePeriod] with an event that calls service [deleteCustomTimePeriod]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task for this error does not exist). If you are not sure how to create a Jira issue please have a look before at http://cwiki.apache.org/confluence/x/JIB2 Thank you in advance for your help."
> I checked the sub-tasks of OFBIZ-2330 and didn't see this one yet.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
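
The rule stated in the error message above (a request whose event calls a service must not carry parameters in the URL; they belong in the request body as form fields), sketched as an added example that is not OFBiz's own code. The class name, the `SERVICE_URIS` set, the second URI and the sample requests are constructed for illustration; only `deleteCustomTimePeriod` and `customTimePeriodId` come from the report.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class UrlParameterGuard {
    // Assumption: request-map URIs whose event calls a service (constructed set).
    static final Set<String> SERVICE_URIS = Set.of("deleteCustomTimePeriod", "exampleServiceRequest");

    /** Names of the parameters present in the raw query string, URL-decoded. */
    static List<String> queryParameterNames(String rawQuery) {
        List<String> names = new ArrayList<>();
        if (rawQuery == null || rawQuery.isEmpty()) return names;
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue;               // tolerate "a=1&&b=2"
            int eq = pair.indexOf('=');
            String rawName = eq >= 0 ? pair.substring(0, eq) : pair;
            names.add(URLDecoder.decode(rawName, StandardCharsets.UTF_8));
        }
        return names;
    }

    /** Offending URL parameter names; an empty list means the request is acceptable. */
    static List<String> offendingParameters(String requestUri, String rawQuery) {
        // Only requests that trigger a service are restricted; plain views may use the URL.
        if (!SERVICE_URIS.contains(requestUri)) return List.of();
        return queryParameterNames(rawQuery);
    }

    public static void main(String[] args) {
        // Constructed sample requests: {request URI, raw query string}
        String[][] requests = {
            {"deleteCustomTimePeriod", "customTimePeriodId=10001"}, // delete issued as a link
            {"deleteCustomTimePeriod", null},                        // id sent as a POST form field
            {"EditCustomTimePeriod", "exampleParam=1"}               // view request, not restricted
        };
        for (String[] r : requests) {
            List<String> bad = offendingParameters(r[0], r[1]);
            System.out.println(r[0] + " -> "
                + (bad.isEmpty() ? "ok" : "rejected, URL parameters " + bad));
        }
    }
}
```

Values placed in the URL end up in access logs, browser history and Referer headers even over https, which is why the identifier is moved into a form field submitted with POST.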