[ofbiz-framework] branch trunk updated: Improved: multi-block attribute for html-template tag (OFBIZ-11686)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] branch trunk updated: Improved: multi-block attribute for html-template tag (OFBIZ-11686)

James Yong-2
This is an automated email from the ASF dual-hosted git repository.

jamesyong pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new f21dbd6  Improved: multi-block attribute for html-template tag (OFBIZ-11686)
f21dbd6 is described below

commit f21dbd6d74535a740a14a8f9120775aab74cf1d6
Author: James Yong <[hidden email]>
AuthorDate: Sun Jun 7 14:33:16 2020 +0800

    Improved: multi-block attribute for html-template tag (OFBIZ-11686)
   
    Add CSRF token support for 'getJs' request uri.
---
 .../java/org/apache/ofbiz/widget/model/HtmlWidget.java   | 16 +++++++++++++---
 .../ofbiz/widget/model/MultiBlockHtmlTemplateUtil.java   |  5 ++---
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/HtmlWidget.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/HtmlWidget.java
index 1527be2..e03fe38 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/HtmlWidget.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/HtmlWidget.java
@@ -39,6 +39,7 @@ import org.apache.ofbiz.base.util.cache.UtilCache;
 import org.apache.ofbiz.base.util.collections.MapStack;
 import org.apache.ofbiz.base.util.string.FlexibleStringExpander;
 import org.apache.ofbiz.base.util.template.FreeMarkerWorker;
+import org.apache.ofbiz.security.CsrfUtil;
 import org.apache.ofbiz.widget.renderer.ScreenRenderer;
 import org.apache.ofbiz.widget.renderer.ScreenStringRenderer;
 import org.apache.ofbiz.widget.renderer.html.HtmlWidgetRenderer;
@@ -57,6 +58,8 @@ import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.Version;
 
+import javax.servlet.http.HttpServletRequest;
+
 /**
  * Widget Library - Screen model HTML class.
  */
@@ -226,10 +229,17 @@ public class HtmlWidget extends ModelScreenWidget {
                 }
                 MultiBlockHtmlTemplateUtil.putScriptInCache(context, fileName, scripts.toString());
 
-                // store value to be used by scriptTagsFooter freemarker macro
+                // construct script link
                 String webappName = (String) context.get("webappName");
-                MultiBlockHtmlTemplateUtil.addScriptLinkForFoot(context, "/" + webappName + "/control/getJs?name="
-                        + fileName);
+                String url = "/" + webappName + "/control/getJs?name=" + fileName;
+
+                // add csrf token to script link
+                HttpServletRequest request = (HttpServletRequest) context.get("request");
+                String tokenValue = CsrfUtil.generateTokenForNonAjax(request, "getJs");
+                url = CsrfUtil.addOrUpdateTokenInUrl(url, tokenValue);
+
+                // store script link to be output by scriptTagsFooter freemarker macro
+                MultiBlockHtmlTemplateUtil.addScriptLinkForFoot(request, url);
             }
         }
 
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MultiBlockHtmlTemplateUtil.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MultiBlockHtmlTemplateUtil.java
index 1602642..3181573 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MultiBlockHtmlTemplateUtil.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MultiBlockHtmlTemplateUtil.java
@@ -343,11 +343,10 @@ public final class MultiBlockHtmlTemplateUtil {
 
     /**
      * add script link for page footer.
-     * @param context
+     * @param request
      * @param filePath
      */
-    public static void addScriptLinkForFoot(final Map<String, Object> context, final String filePath) {
-        HttpServletRequest request = (HttpServletRequest) context.get("request");
+    public static void addScriptLinkForFoot(final HttpServletRequest request, final String filePath) {
         Set<String> scriptLinks = UtilGenerics.cast(request.getAttribute(SCRIPT_LINKS_FOR_FOOT));
         if (scriptLinks == null) {
             // use of LinkedHashSet to maintain insertion order