This is an automated email from the ASF dual-hosted git repository.
jamesyong pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new f21dbd6 Improved: multi-block attribute for html-template tag (OFBIZ-11686) f21dbd6 is described below commit f21dbd6d74535a740a14a8f9120775aab74cf1d6 Author: James Yong <[hidden email]> AuthorDate: Sun Jun 7 14:33:16 2020 +0800 Improved: multi-block attribute for html-template tag (OFBIZ-11686) Add CSRF token support for 'getJs' request uri. --- .../java/org/apache/ofbiz/widget/model/HtmlWidget.java | 16 +++++++++++++--- .../ofbiz/widget/model/MultiBlockHtmlTemplateUtil.java | 5 ++--- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/HtmlWidget.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/HtmlWidget.java index 1527be2..e03fe38 100644 --- a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/HtmlWidget.java +++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/HtmlWidget.java @@ -39,6 +39,7 @@ import org.apache.ofbiz.base.util.cache.UtilCache; import org.apache.ofbiz.base.util.collections.MapStack; import org.apache.ofbiz.base.util.string.FlexibleStringExpander; import org.apache.ofbiz.base.util.template.FreeMarkerWorker; +import org.apache.ofbiz.security.CsrfUtil; import org.apache.ofbiz.widget.renderer.ScreenRenderer; import org.apache.ofbiz.widget.renderer.ScreenStringRenderer; import org.apache.ofbiz.widget.renderer.html.HtmlWidgetRenderer; @@ -57,6 +58,8 @@ import freemarker.template.TemplateModel; import freemarker.template.TemplateModelException; import freemarker.template.Version; +import javax.servlet.http.HttpServletRequest; + /** * Widget Library - Screen model HTML class. */ 
@@ -226,10 +229,17 @@ public class HtmlWidget extends ModelScreenWidget { } MultiBlockHtmlTemplateUtil.putScriptInCache(context, fileName, scripts.toString()); - // store value to be used by scriptTagsFooter freemarker macro + // construct script link String webappName = (String) context.get("webappName"); - MultiBlockHtmlTemplateUtil.addScriptLinkForFoot(context, "/" + webappName + "/control/getJs?name=" - + fileName); + String url = "/" + webappName + "/control/getJs?name=" + fileName; + + // add csrf token to script link + HttpServletRequest request = (HttpServletRequest) context.get("request"); + String tokenValue = CsrfUtil.generateTokenForNonAjax(request, "getJs"); + url = CsrfUtil.addOrUpdateTokenInUrl(url, tokenValue); + + // store script link to be output by scriptTagsFooter freemarker macro + MultiBlockHtmlTemplateUtil.addScriptLinkForFoot(request, url); } } diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MultiBlockHtmlTemplateUtil.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MultiBlockHtmlTemplateUtil.java index 1602642..3181573 100644 --- a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MultiBlockHtmlTemplateUtil.java +++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MultiBlockHtmlTemplateUtil.java @@ -343,11 +343,10 @@ public final class MultiBlockHtmlTemplateUtil { /** * add script link for page footer. - * @param context + * @param request * @param filePath */ - public static void addScriptLinkForFoot(final Map<String, Object> context, final String filePath) { - HttpServletRequest request = (HttpServletRequest) context.get("request"); + public static void addScriptLinkForFoot(final HttpServletRequest request, final String filePath) { Set<String> scriptLinks = UtilGenerics.cast(request.getAttribute(SCRIPT_LINKS_FOR_FOOT)); if (scriptLinks == null) { // use of LinkedHashSet to maintain insertion order |
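Review bot: `fileName` is concatenated raw into the query string in `String url = "/" + webappName + "/control/getJs?name=" + fileName;`, so any `&`, `=`, `#` or space in it would split the parameter and could also corrupt the token that `CsrfUtil.addOrUpdateTokenInUrl` appends afterwards; how `fileName` is derived is not visible in this hunk, so whether such characters can occur is not something I can confirm, but encoding it is cheap: `String url = "/" + webappName + "/control/getJs?name=" + URLEncoder.encode(fileName, StandardCharsets.UTF_8);` (with `java.net.URLEncoder` and `java.nio.charset.StandardCharsets` imported). The unchecked cast `HttpServletRequest request = (HttpServletRequest) context.get("request");` is the same one the old `addScriptLinkForFoot` did internally, so a render without a servlet request already failed, but it now fails inside `CsrfUtil.generateTokenForNonAjax(request, "getJs")` whose handling of a null request is not shown here; a `Objects.requireNonNull(request, "request")` before that call, or an explicit guard that skips the footer link when there is no request, would make the failure mode deliberate. It would also help a reader to extend the `// add csrf token to script link` comment with why a GET for a script needs one, e.g. `// getJs is CSRF-protected on the server, so the link must carry a token or the script load is rejected`, since the motivation lives only in the commit message. The enclosing method begins before this hunk.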