svn commit: r1781366 [1/3] - in /ofbiz/trunk: applications/content/widget/compdoc/ applications/content/widget/content/ applications/product/template/ applications/product/template/store/ applications/product/webapp/catalog/WEB-INF/ framework/base/src/...

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r1781366 [1/3] - in /ofbiz/trunk: applications/content/widget/compdoc/ applications/content/widget/content/ applications/product/template/ applications/product/template/store/ applications/product/webapp/catalog/WEB-INF/ framework/base/src/...

jleroux@apache.org
Author: jleroux
Date: Thu Feb  2 10:33:59 2017
New Revision: 1781366

URL: http://svn.apache.org/viewvc?rev=1781366&view=rev
Log:
Implemented:
Improved:
Documented:
Completed:
Reverted:
Fixed:
(OFBIZ-)
Explanation
Thanks:

Added:
    ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js   (with props)
    ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties   (with props)
    ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/controller - Copie.xml   (with props)
    ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/web - Copie.xml   (with props)
    ofbiz/trunk/framework/webapp/config/requestHandler - Copie.properties   (with props)
    ofbiz/trunk/themes/tomahawk/template/Header - Copie.ftl   (with props)
Modified:
    ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
    ofbiz/trunk/applications/content/widget/content/ContentForms.xml
    ofbiz/trunk/applications/product/template/Main.ftl
    ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
    ofbiz/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
    ofbiz/trunk/framework/minilang/src/main/java/org/apache/ofbiz/minilang/method/entityops/EntityOne.java
    ofbiz/trunk/framework/widget/dtd/widget-common.xsd
    ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java

Modified: ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml?rev=1781366&r1=1781365&r2=1781366&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml (original)
+++ ofbiz/trunk/applications/content/widget/compdoc/CompDocTemplateTree.xml Thu Feb  2 10:33:59 2017
@@ -22,7 +22,7 @@ under the License.
     <tree name="CompDocTemplateTree" entity-name="Content" root-node-name="node-root"
         default-render-style="simple" default-wrap-style="treeWrapper">
         <node name="node-root" wrap-style="treeWrapper">
-            <entity-one entity-name="Content" use-cache="false">
+            <entity-one entity-name="Content" value-field="content" use-cache="false">
                 <field-map field-name="contentId" from-field="rootContentId"/>
             </entity-one>
             <include-screen name="rootTemplateLine" location="component://content/widget/compdoc/CompDocScreens.xml"/>
@@ -54,7 +54,7 @@ under the License.
             </sub-node>
         </node>
         <node name="node-body" join-field-name="itemContentId" entity-name="AssocRevisionItemView" wrap-style="treeWrapper">
-            <entity-one entity-name="Content" use-cache="false">
+            <entity-one entity-name="Content" value-field="content" use-cache="false">
                 <field-map field-name="contentId" from-field="itemContentId"/>
             </entity-one>
             <include-screen name="childTemplateLine" location="component://content/widget/compdoc/CompDocScreens.xml"/>
@@ -90,7 +90,7 @@ under the License.
     <tree name="CompDocInstanceTree" entity-name="Content" root-node-name="node-root"
         default-render-style="simple" default-wrap-style="treeWrapper">
         <node name="node-root">
-            <entity-one entity-name="Content" use-cache="false">
+            <entity-one entity-name="Content" value-field="content" use-cache="false">
                 <field-map field-name="contentId" from-field="instanceContent.instanceOfContentId"/>
             </entity-one>
             <include-screen name="rootInstanceLine" location="component://content/widget/compdoc/CompDocScreens.xml"/>
@@ -122,7 +122,7 @@ under the License.
             </sub-node>
         </node>
         <node name="node-body" join-field-name="itemContentId" entity-name="AssocRevisionItemView">
-            <entity-one entity-name="Content" use-cache="false">
+            <entity-one entity-name="Content" value-field="content" use-cache="false">
                 <field-map field-name="contentId" from-field="itemContentId"/>
             </entity-one>
             <include-screen name="childInstanceLine" location="component://content/widget/compdoc/CompDocScreens.xml"/>

Modified: ofbiz/trunk/applications/content/widget/content/ContentForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/widget/content/ContentForms.xml?rev=1781366&r1=1781365&r2=1781366&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/widget/content/ContentForms.xml (original)
+++ ofbiz/trunk/applications/content/widget/content/ContentForms.xml Thu Feb  2 10:33:59 2017
@@ -230,9 +230,9 @@ under the License.
     </form>
     <!-- ContentAssoc forms -->
     <form name="EditContentAssoc" target="updateContentAssoc" title="" type="single"
-        header-row-style="header-row" default-table-style="basic-table">
+        header-row-style="header-row" default-table-style="basic-table" default-entity-name="contentAssocX">
         <actions>
-            <entity-one entity-name="ContentAssoc" use-cache="true">
+            <entity-one entity-name="ContentAssoc" use-cache="true" value-field="contentAssoc">
                 <field-map field-name="contentId" from-field="contentId"/>
                 <field-map field-name="contentIdTo" from-field="contentIdTo"/>
                 <field-map field-name="contentAssocTypeId" from-field="contentAssocTypeId"/>

Modified: ofbiz/trunk/applications/product/template/Main.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/template/Main.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/template/Main.ftl (original)
+++ ofbiz/trunk/applications/product/template/Main.ftl Thu Feb  2 10:33:59 2017
@@ -29,6 +29,8 @@ under the License.
   </form>
   <div class="label">${uiLabelMap.CommonOr}: <a href="<@ofbizUrl>EditProdCatalog</@ofbizUrl>" class="buttontext">${uiLabelMap.ProductCreateNewCatalog}</a></div>
   <br />
+<p>Output format: ${.output_format}
+<p>Auto-escaping: ${.auto_esc?c}  
   <div class="label">${uiLabelMap.ProductEditCategoryWithCategoryId}:</div>
   <form method="post" action="<@ofbizUrl>EditCategory</@ofbizUrl>" style="margin: 0;" name="EditCategoryForm">
     <@htmlTemplate.lookupField name="productCategoryId" id="productCategoryId" formName="EditCategoryForm" fieldFormName="LookupProductCategory"/>

Modified: ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl?rev=1781366&r1=1781365&r2=1781366&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl (original)
+++ ofbiz/trunk/applications/product/template/store/EditProductStoreWebSites.ftl Thu Feb  2 10:33:59 2017
@@ -37,12 +37,7 @@ under the License.
                   <td>${webSite.httpHost?default('&nbsp;')}</td>
                   <td>${webSite.httpPort?default('&nbsp;')}</td>
                   <td align="center">
-                    <a href="javascript:document.storeUpdateWebSite_${webSite_index}.submit();" class="buttontext">${uiLabelMap.CommonDelete}</a>
-                    <form name="storeUpdateWebSite_${webSite_index}" method="post" action="<@ofbizUrl>storeUpdateWebSite</@ofbizUrl>">
-                        <input type="hidden" name="viewProductStoreId" value="${productStoreId}"/>
-                        <input type="hidden" name="productStoreId" value=""/>
-                        <input type="hidden" name="webSiteId" value="${webSite.webSiteId}"/>
-                    </form>                      
+                    <a href="<@ofbizUrl>storeUpdateWebSite?viewProductStoreId=${productStoreId}&productStoreId=&webSiteId=${webSite.webSiteId}</@ofbizUrl>" class="buttontext">${uiLabelMap.CommonDelete}</a>
                   </td>
                 </tr>
                 <#-- toggle the row color -->

Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js?rev=1781366&view=auto
==============================================================================
--- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js (added)
+++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js Thu Feb  2 10:33:59 2017
@@ -0,0 +1,447 @@
+/**
+ * The OWASP CSRFGuard Project, BSD License
+ * Eric Sheridan ([hidden email]), Copyright (c) 2011
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *    3. Neither the name of OWASP nor the names of its contributors may be used
+ *       to endorse or promote products derived from this software without specific
+ *       prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+(function() {
+    /**
+     * Code to ensure our event always gets triggered when the DOM is updated.
+     * @param obj
+     * @param type
+     * @param fn
+     * @source http://www.dustindiaz.com/rock-solid-addevent/
+     */
+    function addEvent( obj, type, fn ) {
+        if (obj.addEventListener) {
+            obj.addEventListener( type, fn, false );
+            EventCache.add(obj, type, fn);
+        }
+        else if (obj.attachEvent) {
+            obj["e"+type+fn] = fn;
+            obj[type+fn] = function() { obj["e"+type+fn]( window.event ); }
+            obj.attachEvent( "on"+type, obj[type+fn] );
+            EventCache.add(obj, type, fn);
+        }
+        else {
+            obj["on"+type] = obj["e"+type+fn];
+        }
+    }
+    
+    var EventCache = function(){
+        var listEvents = [];
+        return {
+            listEvents : listEvents,
+            add : function(node, sEventName, fHandler){
+                listEvents.push(arguments);
+            },
+            flush : function(){
+                var i, item;
+                for(i = listEvents.length - 1; i >= 0; i = i - 1){
+                    item = listEvents[i];
+                    if(item[0].removeEventListener){
+                        item[0].removeEventListener(item[1], item[2], item[3]);
+                    };
+                    if(item[1].substring(0, 2) != "on"){
+                        item[1] = "on" + item[1];
+                    };
+                    if(item[0].detachEvent){
+                        item[0].detachEvent(item[1], item[2]);
+                    };
+                };
+            }
+        };
+    }();
+    
+    /** string utility functions **/
+    String.prototype.startsWith = function(prefix) {
+        return this.indexOf(prefix) === 0;
+    };
+
+    String.prototype.endsWith = function(suffix) {
+        return this.match(suffix+"$") == suffix;
+    };
+
+    /** hook using standards based prototype **/
+    function hijackStandard() {
+        XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
+        XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
+            this.url = url;
+            
+            this._open.apply(this, arguments);
+        };
+        
+        XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
+        XMLHttpRequest.prototype.send = function(data) {
+            if(this.onsend != null) {
+                this.onsend.apply(this, arguments);
+            }
+            
+            this._send.apply(this, arguments);
+        };
+    }
+
+    /** ie does not properly support prototype - wrap completely **/
+    function hijackExplorer() {
+        var _XMLHttpRequest = window.XMLHttpRequest;
+        
+        function alloc_XMLHttpRequest() {
+            this.base = _XMLHttpRequest ? new _XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
+        }
+        
+        function init_XMLHttpRequest() {
+            return new alloc_XMLHttpRequest;
+        }
+        
+        init_XMLHttpRequest.prototype = alloc_XMLHttpRequest.prototype;
+        
+        /** constants **/
+        init_XMLHttpRequest.UNSENT = 0;
+        init_XMLHttpRequest.OPENED = 1;
+        init_XMLHttpRequest.HEADERS_RECEIVED = 2;
+        init_XMLHttpRequest.LOADING = 3;
+        init_XMLHttpRequest.DONE = 4;
+        
+        /** properties **/
+        init_XMLHttpRequest.prototype.status = 0;
+        init_XMLHttpRequest.prototype.statusText = "";
+        init_XMLHttpRequest.prototype.readyState = init_XMLHttpRequest.UNSENT;
+        init_XMLHttpRequest.prototype.responseText = "";
+        init_XMLHttpRequest.prototype.responseXML = null;
+        init_XMLHttpRequest.prototype.onsend = null;
+        
+        init_XMLHttpRequest.url = null;
+        init_XMLHttpRequest.onreadystatechange = null;
+
+        /** methods **/
+        init_XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
+            var self = this;
+            this.url = url;
+            
+            this.base.onreadystatechange = function() {
+                try { self.status = self.base.status; } catch (e) { }
+                try { self.statusText = self.base.statusText; } catch (e) { }
+                try { self.readyState = self.base.readyState; } catch (e) { }
+                try { self.responseText = self.base.responseText; } catch(e) { }
+                try { self.responseXML = self.base.responseXML; } catch(e) { }
+                
+                if(self.onreadystatechange != null) {
+                    self.onreadystatechange.apply(this, arguments);
+                }
+            }
+            
+            this.base.open(method, url, async, user, pass);
+        };
+        
+        init_XMLHttpRequest.prototype.send = function(data) {
+            if(this.onsend != null) {
+                this.onsend.apply(this, arguments);
+            }
+            
+            this.base.send(data);
+        };
+        
+        init_XMLHttpRequest.prototype.abort = function() {
+            this.base.abort();
+        };
+        
+        init_XMLHttpRequest.prototype.getAllResponseHeaders = function() {
+            return this.base.getAllResponseHeaders();
+        };
+        
+        init_XMLHttpRequest.prototype.getResponseHeader = function(name) {
+            return this.base.getResponseHeader(name);
+        };
+        
+        init_XMLHttpRequest.prototype.setRequestHeader = function(name, value) {
+            return this.base.setRequestHeader(name, value);
+        };
+        
+        /** hook **/
+        window.XMLHttpRequest = init_XMLHttpRequest;
+    }
+
+    /** check if valid domain based on domainStrict **/
+    function isValidDomain(current, target) {
+        var result = false;
+        
+        /** check exact or subdomain match **/
+        if(current == target) {
+            result = true;
+        } else if(%DOMAIN_STRICT% == false) {
+            if(target.charAt(0) == '.') {
+                result = current.endsWith(target);
+            } else {
+                result = current.endsWith('.' + target);
+            }
+        }
+        
+        return result;
+    }
+
+    /** determine if uri/url points to valid domain **/
+    function isValidUrl(src) {
+        var result = false;
+        
+        /** parse out domain to make sure it points to our own **/
+        if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
+            var token = "://";
+            var index = src.indexOf(token);
+            var part = src.substring(index + token.length);
+            var domain = "";
+            
+            /** parse up to end, first slash, or anchor **/
+            for(var i=0; i<part.length; i++) {
+                var character = part.charAt(i);
+                
+                if(character == '/' || character == ':' || character == '#') {
+                    break;
+                } else {
+                    domain += character;
+                }
+            }
+            
+            result = isValidDomain(document.domain, domain);
+            /** explicitly skip anchors **/
+        } else if(src.charAt(0) == '#') {
+            result = false;
+            /** ensure it is a local resource without a protocol **/
+        } else if(!src.startsWith("//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
+            result = true;
+        }
+        
+        return result;
+    }
+
+    /** parse uri from url **/
+    function parseUri(url) {
+        var uri = "";
+        var token = "://";
+        var index = url.indexOf(token);
+        var part = "";
+        
+        /**
+         * ensure to skip protocol and prepend context path for non-qualified
+         * resources (ex: "protect.html" vs
+         * "/Owasp.CsrfGuard.Test/protect.html").
+         */
+        if(index > 0) {
+            part = url.substring(index + token.length);
+        } else if(url.charAt(0) != '/') {
+            part = "%CONTEXT_PATH%/" + url;
+        } else {
+            part = url;
+        }
+        
+        /** parse up to end or query string **/
+        var uriContext = (index == -1);
+        
+        for(var i=0; i<part.length; i++) {
+            var character = part.charAt(i);
+            
+            if(character == '/') {
+                uriContext = true;
+            } else if(uriContext == true && (character == '?' || character == '#')) {
+                uriContext = false;
+                break;
+            }
+            
+            if(uriContext == true) {
+                uri += character;
+            }
+        }
+        
+        return uri;
+    }
+
+    /** inject tokens as hidden fields into forms **/
+    function injectTokenForm(form, tokenName, tokenValue, pageTokens,injectGetForms) {
+      
+        if (!injectGetForms) {
+            var method = form.getAttribute("method");
+      
+            if ((typeof method != 'undefined') && method != null && method.toLowerCase() == "get") {
+                return;
+            }
+        }
+      
+        var value = tokenValue;
+        var action = form.getAttribute("action");
+        
+        if(action != null && isValidUrl(action)) {
+            var uri = parseUri(action);
+            value = pageTokens[uri] != null ? pageTokens[uri] : tokenValue;
+        }
+        
+        var hidden = document.createElement("input");
+        
+        hidden.setAttribute("type", "hidden");
+        hidden.setAttribute("name", tokenName);
+        hidden.setAttribute("value", value);
+        
+        form.appendChild(hidden);
+    }
+
+    /** inject tokens as query string parameters into url **/
+    function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {
+        var location = element.getAttribute(attr);
+        
+        if(location != null && isValidUrl(location)) {
+            var uri = parseUri(location);
+            var value = (pageTokens[uri] != null ? pageTokens[uri] : tokenValue);
+            
+            if(location.indexOf('?') != -1) {
+                location = location + '&' + tokenName + '=' + value;
+            } else {
+                location = location + '?' + tokenName + '=' + value;
+            }
+
+            try {
+                element.setAttribute(attr, location);
+            } catch (e) {
+                // attempted to set/update unsupported attribute
+            }
+        }
+    }
+
+    /** inject csrf prevention tokens throughout dom **/
+    function injectTokens(tokenName, tokenValue) {
+        /** obtain reference to page tokens if enabled **/
+        var pageTokens = {};
+        
+        if(%TOKENS_PER_PAGE% == true) {
+            pageTokens = requestPageTokens();
+        }
+        
+        /** iterate over all elements and injection token **/
+        var all = document.all ? document.all : document.getElementsByTagName('*');
+        var len = all.length;
+
+        //these are read from the csrf guard config file(s)
+        var injectForms = %INJECT_FORMS%;
+        var injectGetForms = %INJECT_GET_FORMS%;
+        var injectFormAttributes = %INJECT_FORM_ATTRIBUTES%;
+        var injectAttributes = %INJECT_ATTRIBUTES%;
+        
+        for(var i=0; i<len; i++) {
+            var element = all[i];
+            
+            /** inject into form **/
+            if(element.tagName.toLowerCase() == "form") {
+                if(injectForms) {
+                    injectTokenForm(element, tokenName, tokenValue, pageTokens,injectGetForms);
+                }
+                if (injectFormAttributes) {
+                    injectTokenAttribute(element, "action", tokenName, tokenValue, pageTokens);
+                }
+                /** inject into attribute **/
+            } else if(injectAttributes) {
+                injectTokenAttribute(element, "src", tokenName, tokenValue, pageTokens);
+                injectTokenAttribute(element, "href", tokenName, tokenValue, pageTokens);
+            }
+        }
+    }
+
+    /** obtain array of page specific tokens **/
+    function requestPageTokens() {
+        var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
+        var pageTokens = {};
+        
+        xhr.open("POST", "%SERVLET_PATH%", false);
+        xhr.send(null);
+        
+        var text = xhr.responseText;
+        var name = "";
+        var value = "";
+        var nameContext = true;
+        
+        for(var i=0; i<text.length; i++) {
+            var character = text.charAt(i);
+            
+            if(character == ':') {
+                nameContext = false;
+            } else if(character != ',') {
+                if(nameContext == true) {
+                    name += character;
+                } else {
+                    value += character;
+                }
+            }
+            
+            if(character == ',' || (i + 1) >= text.length) {
+                pageTokens[name] = value;
+                name = "";
+                value = "";
+                nameContext = true;
+            }
+        }
+        
+        return pageTokens;
+    }
+    
+    /**
+     * Only inject the tokens if the JavaScript was referenced from HTML that
+     * was served by us. Otherwise, the code was referenced from malicious HTML
+     * which may be trying to steal tokens using JavaScript hijacking techniques.
+     * The token is now removed and fetched using another POST request to solve,
+     * the token hijacking problem.
+     */
+    if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
+        /** optionally include Ajax support **/
+        if(%INJECT_XHR% == true) {
+            if(navigator.appName == "Microsoft Internet Explorer") {
+                hijackExplorer();
+            } else {
+                hijackStandard();
+            }
+        
+        var xhr = window.XMLHttpRequest ? new window.XMLHttpRequest : new window.ActiveXObject("Microsoft.XMLHTTP");
+        var csrfToken = {};
+        xhr.open("POST", "%SERVLET_PATH%", false);
+        xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1");
+        xhr.send(null);
+        
+        var token_pair = xhr.responseText;
+        token_pair = token_pair.split(":");
+        var token_name = token_pair[0];
+        var token_value = token_pair[1];
+
+            XMLHttpRequest.prototype.onsend = function(data) {
+                if(isValidUrl(this.url)) {
+                    this.setRequestHeader("X-Requested-With", "XMLHttpRequest")
+                    this.setRequestHeader(token_name, token_value);
+                }
+            };
+        }
+        
+        /** update nodes in DOM after load **/
+        addEvent(window,'unload',EventCache.flush);
+        addEvent(window,'DOMContentLoaded', function() {
+            injectTokens(token_name, token_value);
+        });
+    } else {
+        alert("OWASP CSRFGuard JavaScript was included from within an unauthorized domain!");
+    }
+})();

Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
------------------------------------------------------------------------------
    svn:keywords = Date Rev Author URL Id

Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.js
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties?rev=1781366&view=auto
==============================================================================
--- ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties (added)
+++ ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties Thu Feb  2 10:33:59 2017
@@ -0,0 +1,417 @@
+# The OWASP CSRFGuard Project, BSD License
+# Eric Sheridan ([hidden email]), Copyright (c) 2011
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+#    this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. Neither the name of OWASP nor the names of its contributors may be used
+#    to endorse or promote products derived from this software without specific
+#    prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# From: https://github.com/esheri3/OWASP-CSRFGuard/blob/master/csrfguard-test/src/main/webapp/WEB-INF/csrfguard.properties
+
+# Common substitutions
+# %servletContext%  is the servlet context (e.g. the configured app prefix or war file name, or blank.
+# e.g. if you deploy a default warfile as someApp.war, then %servletContext% will be /someApp
+# if there isnt a context it will be the empty string.  So to use this in the configuration, use e.g. %servletContext%/something.html
+# which will translate to e.g. /someApp/something.html
+
+# Logger
+#
+# The logger property (org.owasp.csrfguard.Logger) defines the qualified class name of
+# the object responsible for processing all log messages produced by CSRFGuard. The default
+# CSRFGuard logger is org.owasp.csrfguard.log.ConsoleLogger. This class logs all messages
+# to System.out which JavaEE application servers redirect to a vendor specific log file.
+# Developers can customize the logging behavior of CSRFGuard by implementing the
+# org.owasp.csrfguard.log.ILogger interface and setting the logger property to the new
+# logger's qualified class name. The following configuration snippet instructs OWASP CSRFGuard
+# to capture all log messages to the console:
+#
+# org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
+org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
+
+# Which configuration provider factory you want to use.  The default is org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
+# Another configuration provider has more features including config overlays: org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
+# The default configuration provider is: org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
+# which will look for an overlay file, it is there, and the factory inside that file is set it will use it, otherwise will be PropertiesConfigurationProviderFactory
+# it needs to implement org.owasp.csrfguard.config.ConfigurationProviderFactory
+org.owasp.csrfguard.configuration.provider.factory = org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
+
+
+# If csrfguard filter is enabled
+org.owasp.csrfguard.Enabled = false
+
+# If csrf guard filter should check even if there is no session for the user
+# Note: this changed around 2014/04, the default behavior used to be to
+# not check if there is no session.  If you want the legacy behavior (if your app
+# is not susceptible to CSRF if the user has no session), set this to false
+org.owasp.csrfguard.ValidateWhenNoSessionExists = true
+
+# New Token Landing Page
+#
+# The new token landing page property (org.owasp.csrfguard.NewTokenLandingPage) defines where
+# to send a user if the token is being generated for the first time, and the use new token landing
+# page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) determines if any redirect happens.
+# UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not specified, and to true
+# if it is specified.. If UseNewTokenLandingPage is set true then this request is generated
+# using auto-posting forms and will only contain the CSRF prevention token parameter, if
+# applicable. All query-string or form parameters sent with the original request will be
+# discarded. If this property is not defined, CSRFGuard will instead auto-post the user to the
+# original context and servlet path. The following configuration snippet instructs OWASP CSRFGuard to
+# redirect the user to %servletContext%/index.html when the user visits a protected resource
+# without having a corresponding CSRF token present in the HttpSession object:
+#
+org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/control/login/*
+
+# Protected Methods
+#
+# The protected methods property (org.owasp.csrfguard.ProtectedMethods) defines a comma
+# separated list of HTTP request methods that should be protected by CSRFGuard. The default
+# list is an empty list which will cause all HTTP methods to be protected, thus preserving
+# legacy behavior. This setting allows the user to inform CSRFGuard that only requests of the
+# given types should be considered for protection. All HTTP methods not in the list will be
+# considered safe (i.e. view only / unable to modify data). This should be used only when the
+# user has concrete knowledge that all requests made via methods not in the list
+# are safe (i.e. do not apply an action to any data) since it can actually introduce new
+# security vulnerabilities. For example: the user thinks that all actionable requests are
+# only available by POST requests when in fact some are available via GET requests. If the
+# user has excluded GET requests from the list then they have introduced a vulnerability.
+# The following configuration snippet instructs OWASP CSRFGuard to protect only the POST,
+# PUT, and DELETE HTTP methods.
+#
+# org.owasp.csrfguard.ProtectedMethods=POST,PUT,DELETE
+
+# or you can configure all to be protected, and specify which is unprotected.  This is the preferred approach
+
+# org.owasp.csrfguard.UnprotectedMethods=GET
+
+# Unique Per-Page Tokens
+#
+# The unique token per-page property (org.owasp.csrfguard.TokenPerPage) is a boolean value that
+# determines if CSRFGuard should make use of unique per-page (i.e. URI) prevention tokens as
+# opposed to unique per-session prevention tokens. When a user requests a protected resource,
+# CSRFGuard will determine if a page specific token has been previously generated. If a page
+# specific token has not yet been previously generated, CSRFGuard will verify the request was
+# submitted with the per-session token intact. After verifying the presence of the per-session token,
+# CSRFGuard will create a page specific token that is required for all subsequent requests to the
+# associated resource. The per-session CSRF token can only be used when requesting a resource for
+# the first time. All subsequent requests must have the per-page token intact or the request will
+# be treated as a CSRF attack. This behavior can be changed with the org.owasp.csrfguard.TokenPerPagePrecreate
+# property. Enabling this property will make CSRFGuard calculate the per page token prior to a first
+# visit. This option only works with JSTL token injection and is useful for preserving the validity of
+# links if the user pushes the back button. There may be a performance impact when enabling this option
+# if the .jsp has a large number of proctected links that need tokens to be calculated.
+# Use of the unique token per page property is currently experimental
+# but provides a significant amount of improved security. Consider the exposure of a CSRF token using
+# the legacy unique per-session model. Exposure of this token facilitates the attacker's ability to
+# carry out a CSRF attack against the victim's active session for any resource exposed by the web
+# application. Now consider the exposure of a CSRF token using the experimental unique token per-page
+# model. Exposure of this token would only allow the attacker to carry out a CSRF attack against the
+# victim's active session for a small subset of resources exposed by the web application. Use of the
+# unique token per-page property is a strong defense in depth strategy significantly reducing the
+# impact of exposed CSRF prevention tokens. The following configuration snippet instructs OWASP
+# CSRFGuard to utilize the unique token per-page model:
+#
+# org.owasp.csrfguard.TokenPerPage=true
+# org.owasp.csrfguard.TokenPerPagePrecreate=false
+org.owasp.csrfguard.TokenPerPage=true
+org.owasp.csrfguard.TokenPerPagePrecreate=false
+
+# Token Rotation
+#
+# The rotate token property (org.owasp.csrfguard.Rotate) is a boolean value that determines if
+# CSRFGuard should generate and utilize a new token after verifying the previous token. Rotation
+# helps minimize the window of opportunity an attacker has to leverage the victim's stolen token
+# in a targeted CSRF attack. However, this functionality generally causes navigation problems in
+# most applications. Specifically, the 'Back' button in the browser will often cease to function
+# properly. When a user hits the 'Back' button and interacts with the HTML, the browser may submit
+# an old token causing CSRFGuard to incorrectly believe this request is a CSRF attack in progress
+# (i.e. a 'false positive'). Users can prevent this scenario by preventing the caching of HTML pages
+# containing FORM submissions using the cache-control header. However, this may also introduce
+# performance problems as the browser will have to request HTML on a more frequent basis. The following
+# configuration snippet enables token rotation:
+#
+# org.owasp.csrfguard.Rotate=true
+
+# Ajax and XMLHttpRequest Support
+#
+# The Ajax property (org.owasp.csrfguard.Ajax) is a boolean value that indicates whether or not OWASP
+# CSRFGuard should support the injection and verification of unique per-session prevention tokens for
+# XMLHttpRequests. To leverage Ajax support, the user must not only set this property to true but must
+# also reference the JavaScript DOM Manipulation code using a script element. This dynamic script will
+# override the send method of the XMLHttpRequest object to ensure the submission of an X-Requested-With
+# header name value pair coupled with the submission of a custom header name value pair for each request.
+# The name of the custom header is the value of the token name property and the value of the header is
+# always the unique per-session token value. This custom header is analogous to the HTTP parameter name
+# value pairs submitted via traditional GET and POST requests. If the X-Requested-With header was sent
+# in the HTTP request, then CSRFGuard will look for the presence and ensure the validity of the unique
+# per-session token in the custom header name value pair. Note that verification of these headers takes
+# precedence over verification of the CSRF token supplied as an HTTP parameter. More specifically,
+# CSRFGuard does not verify the presence of the CSRF token if the Ajax support property is enabled and
+# the corresponding X-Requested-With and custom headers are embedded within the request. The following
+# configuration snippet instructs OWASP CSRFGuard to support Ajax requests by verifying the presence and
+# correctness of the X-Requested-With and custom headers:
+#
+# org.owasp.csrfguard.Ajax=true
+org.owasp.csrfguard.Ajax=true
+
+# The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
+# If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected.
+# All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*),
+# but you only want to protect a few pages.
+#
+# org.owasp.csrfguard.Protect=true
+
+# Unprotected Pages:
+#
+# The unprotected pages property (org.owasp.csrfguard.unprotected.*) defines a series of pages that
+# should not be protected by CSRFGuard. Such configurations are useful when the CsrfGuardFilter is
+# aggressively mapped (ex: /*). The syntax of the property name is org.owasp.csrfguard.unprotected.[PageName],
+# where PageName is some arbitrary identifier that can be used to reference a resource. The syntax of
+# defining the uri of unprotected pages is the same as the syntax used by the JavaEE container for uri mapping.
+# Specifically, CSRFGuard will identify the first match (if any) between the requested uri and an unprotected
+# page in order of declaration. Match criteria is as follows:
+#
+# Case 1: exact match between request uri and unprotected page
+# Case 2: longest path prefix match, beginning / and ending /*
+# Case 3: extension match, beginning *.
+# Case 4: if the value starts with ^ and ends with $, it will be evaulated as a regex.  Note that before the
+#   regex is compiled, any common variables will be substituted (e.g. %servletContext%)
+# Default: requested resource must be validated by CSRFGuard
+#
+# The following code snippet illustrates the four use cases over four examples. The first two examples
+# (Tag and JavaScriptServlet) look for direct URI matches. The third example (Html) looks for all resources
+# ending in a .html extension. The next example (Public) looks for all resources prefixed with the URI path /MySite/Public/*.
+# The last example looks for resources that end in Public.do
+#
+# org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
+# org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
+# org.owasp.csrfguard.unprotected.Html=*.html
+# org.owasp.csrfguard.unprotected.Public=%servletContext%/Public/*
+# regex example starts with ^ and ends with $, and the %servletContext% is evaluated before the regex
+# org.owasp.csrfguard.unprotected.PublicServlet=^%servletContext%/.*Public\.do$
+
+#org.owasp.csrfguard.unprotected.Default=%servletContext%/
+#org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
+org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/control/JavaScriptServlet
+#org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
+#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
+#org.owasp.csrfguard.unprotected.Error=%servletContext%/error.jsp
+#org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
+#org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
+#org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
+#org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
+#org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
+#org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
+org.owasp.csrfguard.unprotected.Session=%servletContext%/favicon.ico
+org.owasp.csrfguard.unprotected.Session=%servletContext%/control/login/*
+org.owasp.csrfguard.unprotected.Index=%servletContext%/index.jsp
+
+# Actions: Responding to Attacks
+#
+# The actions directive (org.owasp.csrfguard.action.*) gives the user the ability to specify one or more
+# actions that should be invoked when a CSRF attack is detected. Every action must implement the
+# org.owasp.csrfguard.action.IAction interface either directly or indirectly through the
+# org.owasp.csrfguard.action.AbstractAction helper class. Many actions accept parameters that can be specified
+# along with the action class declaration. These parameters are consumed at runtime and impact the behavior of
+# the associated action.
+#
+# The syntax for defining and configuring CSRFGuard actions is relatively straight forward. Let us assume we wish
+# to redirect the user to a default page when a CSRF attack is detected. A redirect action already exists within
+# the CSRFGuard bundle and is available via the class name org.owasp.csrfguard.actions.Redirect. In order to enable
+# this action, we capture the following declaration in the Owasp.CsrfGuard.properties file:
+#
+# syntax: org.owasp.csrfguard.action.[actionName]=[className]
+# example: org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
+#
+# The aforementioned directive declares an action called "Redirect" (i.e. [actionName]) referencing the Java class
+# "org.owasp.csrfguard.actions.Redirect" (i.e. [className]). Anytime a CSRF attack is detected, the Redirect action
+# will be executed. You may be asking yourself, "but how do I specify where the user is redirected?"; this is where
+# action parameters come into play. In order to specify the redirect location, we capture the following declaration
+# in the Owasp.CsrfGuard.properties file:
+#
+# syntax: org.owasp.csrfguard.action.[actionName].[parameterName]=[parameterValue]
+# example: org.owasp.csrfguard.action.Redirect.ErrorPage=%servletContext%/error.html
+#
+# The aforementioned directive declares an action parameter called "ErrorPage" (i.e. [parameterName]) with the value
+# of "%servletContext%/error.html" (i.e. [parameterValue]) for the action "Redirect" (i.e. [actionName]). The
+# Redirect action expects the "ErrorPage" parameter to be defined and will redirect the user to this location when
+# an attack is detected.
+#
+#org.owasp.csrfguard.action.Empty=org.owasp.csrfguard.action.Empty
+org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
+org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
+#org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate
+#org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
+#org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
+#org.owasp.csrfguard.action.RequestAttribute=org.owasp.csrfguard.action.RequestAttribute
+#org.owasp.csrfguard.action.RequestAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
+#org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
+org.owasp.csrfguard.action.SessionAttribute=org.owasp.csrfguard.action.SessionAttribute
+org.owasp.csrfguard.action.SessionAttribute.AttributeName=Owasp_CsrfGuard_Exception_Key
+#org.owasp.csrfguard.action.Error=org.owasp.csrfguard.action.Error
+#org.owasp.csrfguard.action.Error.Code=403
+#org.owasp.csrfguard.action.Error.Message=Security violation.
+
+# Token Name
+#
+# The token name property (org.owasp.csrfguard.TokenName) defines the name of the HTTP parameter
+# to contain the value of the OWASP CSRFGuard token for each request. The following configuration
+# snippet sets the CSRFGuard token parameter name to the value OWASP_CSRFTOKEN:
+#
+# org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
+org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
+
+# Session Key
+#
+# The session key property (org.owasp.csrfguard.SessionKey) defines the string literal used to save
+# and lookup the CSRFGuard token from the session. This value is used by the filter and the tag
+# libraries to retrieve and set the token value in the session. Developers can use this key to
+# programmatically lookup the token within their own code. The following configuration snippet sets
+# the session key to the value OWASP_CSRFTOKEN:
+#
+# org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
+org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
+
+# Token Length
+#
+# The token length property (org.owasp.csrfguard.TokenLength) defines the number of characters that
+# should be found within the CSRFGuard token. Note that characters are delimited by dashes (-) in groups
+# of four. For cosmetic reasons, users are encourage to ensure the token length is divisible by four.
+# The following configuration snippet sets the token length property to 32 characters:
+#
+# org.owasp.csrfguard.TokenLength=32
+org.owasp.csrfguard.TokenLength=32
+
+# Pseudo-random Number Generator
+#
+# The pseudo-random number generator property (org.owasp.csrfguard.PRNG) defines what PRNG should be used
+# to generate the OWASP CSRFGuard token. Always ensure this value references a cryptographically strong
+# pseudo-random number generator algorithm. The following configuration snippet sets the pseudo-random number
+# generator to SHA1PRNG:
+#
+# org.owasp.csrfguard.PRNG=SHA1PRNG
+org.owasp.csrfguard.PRNG=SHA1PRNG
+
+# Pseudo-random Number Generator Provider
+
+# The pseudo-random number generator provider property (org.owasp.csrfguard.PRNG.Provider) defines which
+# provider's implementation of org.owasp.csrfguard.PRNG we should utilize. The following configuration
+# snippet instructs the JVM to leverage SUN's implementation of the algorithm denoted by the
+# org.owasp.csrfguard.PRNG property:
+
+# org.owasp.csrfguard.PRNG.Provider=SUN
+org.owasp.csrfguard.PRNG.Provider=SUN
+
+# If not specifying the print config option in the web.xml, you can specify it here, to print the config
+# on startup
+org.owasp.csrfguard.Config.Print = true
+
+###########################
+## Javascript servlet settings if not set in web.xml
+## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
+###########################
+
+# leave this blank and blank in web.xml and it will read from META-INF/csrfguard.js from the jarfile
+# Denotes the location of the JavaScript template file that should be consumed and dynamically
+# augmented by the JavaScriptServlet class. The default value is WEB-INF/Owasp.CsrfGuard.js.
+# Use of this property and the existence of the specified template file is required.
+#org.owasp.csrfguard.JavascriptServlet.sourceFile = WEB-INF/Owasp.CsrfGuard.js
+org.owasp.csrfguard.JavascriptServlet.sourceFile = WEB-INF/Owasp.CsrfGuard.js
+
+# Boolean value that determines whether or not the dynamic JavaScript code should be strict
+# with regards to what links it should inject the CSRF prevention token. With a value of true,
+# the JavaScript code will only place the token in links that point to the same exact domain
+# from which the HTML originated. With a value of false, the JavaScript code will place the
+# token in links that not only point to the same exact domain from which the HTML originated,
+# but sub-domains as well.
+org.owasp.csrfguard.JavascriptServlet.domainStrict = true
+
+# Allows the developer to specify the value of the Cache-Control header in the HTTP response
+# when serving the dynamic JavaScript file. The default value is private, maxage=28800.
+# Caching of the dynamic JavaScript file is intended to minimize traffic and improve performance.
+# Note that the Cache-Control header is always set to "no-store" when either the "Rotate"
+# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
+org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
+
+# Allows the developer to specify a regular expression describing the required value of the
+# Referer header. Any attempts to access the servlet with a Referer header that does not
+# match the captured expression is discarded. Inclusion of referer header checking is to
+# help minimize the risk of JavaScript Hijacking attacks that attempt to steal tokens from
+# the dynamically generated JavaScript. While the primary defenses against JavaScript
+# Hijacking attacks are implemented within the dynamic JavaScript itself, referer header
+# checking is implemented to achieve defense in depth.
+org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
+
+# Similar to javascript servlet referer pattern, but this will make sure the referer of the
+# javascript servlet matches the domain of the request.  If there is no referer (proxy strips it?)
+# then it will not fail.  Generally this is a good idea to be true.
+org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
+
+# Boolean value that determines whether or not the dynamic JavaScript code should
+# inject the CSRF prevention token as a hidden field into HTML forms. The default
+# value is true. Developers are strongly discouraged from disabling this property
+# as most server-side state changing actions are triggered via a POST request.
+org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
+
+# if the token should be injected in GET forms (which will be on the URL)
+# if the HTTP method GET is unprotected, then this should likely be false
+org.owasp.csrfguard.JavascriptServlet.injectGetForms = true
+
+# if the token should be injected in the action in forms
+# note, if injectIntoForms is true, then this might not need to be true
+org.owasp.csrfguard.JavascriptServlet.injectFormAttributes = true
+
+
+# Boolean value that determines whether or not the dynamic JavaScript code should
+# inject the CSRF prevention token in the query string of src and href attributes.
+# Injecting the CSRF prevention token in a URL resource increases its general risk
+# of exposure to unauthorized parties. However, most JavaEE web applications respond
+# in the exact same manner to HTTP requests and their associated parameters regardless
+# of the HTTP method. The risk associated with not protecting GET requests in this
+# situation is perceived greater than the risk of exposing the token in protected GET
+# requests. As a result, the default value of this attribute is set to true. Developers
+# that are confident their server-side state changing controllers will only respond to
+# POST requests (i.e. discarding GET requests) are strongly encouraged to disable this property.
+org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
+
+
+org.owasp.csrfguard.JavascriptServlet.xRequestedWith = OWASP CSRFGuard Project
+
+###########################
+## Config overlay settings if you have the provider above set to ConfigurationOverlayProvider
+## This CSRF config provider uses Internet2 Configuration Overlays (documented on Internet2 wiki)
+## By default the configuration is read from the Owasp.CsrfGuard.properties
+## (which should not be edited), and the Owasp.CsrfGuard.overlay.properties overlays
+## the base settings.  See the Owasp.CsrfGuard.properties for the possible
+## settings that can be applied to the Owasp.CsrfGuard.overlay.properties
+###########################
+
+# comma separated config files that override each other (files on the right override the left)
+# each should start with file: or classpath:
+# e.g. classpath:Owasp.CsrfGuard.properties, file:c:/temp/myFile.properties
+org.owasp.csrfguard.configOverlay.hierarchy = classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties
+
+# seconds between checking to see if the config files are updated
+org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks = 60
+
+
+###########################
+

Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
------------------------------------------------------------------------------
    svn:keywords = Date Rev Author URL Id

Propchange: ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/Owasp.CsrfGuard.properties
------------------------------------------------------------------------------
    svn:mime-type = text/plain