Author: mor
Date: Mon Aug 3 06:57:37 2009
New Revision: 800223
URL: http://svn.apache.org/viewvc?rev=800223&view=rev
Log: Securing URLs in ftl. Hand merged changes from r800022, r800031 along with the improvements in r800218 and r800221. Issue reported in OFBIZ-2467 & OFBIZ-2725.
Modified: ofbiz/branches/release09.04/applications/party/webapp/partymgr/party/profileblocks/ContentList.ftl
ofbiz/branches/release09.04/applications/product/webapp/catalog/price/EditProductPriceRules.ftl
Modified: ofbiz/branches/release09.04/applications/party/webapp/partymgr/party/profileblocks/ContentList.ftl
URL: http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/party/webapp/partymgr/party/profileblocks/ContentList.ftl?rev=800223&r1=800222&r2=800223&view=diff
==============================================================================
--- ofbiz/branches/release09.04/applications/party/webapp/partymgr/party/profileblocks/ContentList.ftl (original)
+++ ofbiz/branches/release09.04/applications/party/webapp/partymgr/party/profileblocks/ContentList.ftl Mon Aug 3 06:57:37 2009
@@ -39,7 +39,13 @@
 <#if (content.contentName?has_content)>
 <a href="<@ofbizUrl>img/${content.contentName}?imgId=${content.dataResourceId}</@ofbizUrl>">${uiLabelMap.CommonView}</a>
 </#if>
- <a href="<@ofbizUrl>removePartyContent/viewprofile?contentId=${pContent.contentId}&partyId=${pContent.partyId}&partyContentTypeId=${pContent.partyContentTypeId}&fromDate=${pContent.fromDate}</@ofbizUrl>">${uiLabelMap.CommonRemove}</a>
+ <form name="removePartyContent_${pContent_index}" method="post" action="<@ofbizUrl>removePartyContent/viewprofile</@ofbizUrl>">
+ <input type="hidden" name="contentId" value="${pContent.contentId}">
+ <input type="hidden" name="partyId" value="${pContent.partyId}">
+ <input type="hidden" name="partyContentTypeId" value="${pContent.partyContentTypeId}">
+ <input type="hidden" name="fromDate" value="${pContent.fromDate}">
+ <a href="javascript:document.removePartyContent_${pContent_index}.submit()">${uiLabelMap.CommonRemove}</a>
+ </form>
 </td>
 </tr>
 </#list>
Modified: ofbiz/branches/release09.04/applications/product/webapp/catalog/price/EditProductPriceRules.ftl
URL: http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/product/webapp/catalog/price/EditProductPriceRules.ftl?rev=800223&r1=800222&r2=800223&view=diff
==============================================================================
--- ofbiz/branches/release09.04/applications/product/webapp/catalog/price/EditProductPriceRules.ftl (original)
+++ ofbiz/branches/release09.04/applications/product/webapp/catalog/price/EditProductPriceRules.ftl Mon Aug 3 06:57:37 2009
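Review bot: Moving the parameters into a POST form does not by itself stop a forged request: the `removePartyContent/viewprofile` request-map will still answer a GET carrying the old query string unless the controller also restricts the method, and a hostile page can auto-submit a cross-site POST form just as easily as it can plant a link, so closing OFBIZ-2467/2725 needs a server-checked per-session token as a further hidden field (or an origin/referer check in the request handler), neither of which this template change adds. Separately, the new hidden `value="${pContent.contentId}"`, `partyId`, `partyContentTypeId` and `fromDate` attributes are interpolated with no explicit escaping; if the FreeMarker environment does not HTML-escape context values, a `"` in any of them breaks out of the attribute, and `value="${pContent.contentId?html}"` (likewise for the others) would make the form safe either way — the removed link had the same exposure, so this is a pre-existing gap rather than a regression. The `<#list>` that defines `pContent_index` and is closed by the `</#list>` context line opens above the hunk.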
@@ -108,8 +108,11 @@
 </form>
 </td>
 <td align="center">
- <a href="<@ofbizUrl>deleteProductPriceCond?productPriceRuleId=${productPriceCond.productPriceRuleId}&productPriceCondSeqId=${productPriceCond.productPriceCondSeqId}</@ofbizUrl>" class="buttontext">
- ${uiLabelMap.CommonDelete}</a>
+ <form name="deleteProductPriceCond_${productPriceCond_index}" method="post" action="<@ofbizUrl>deleteProductPriceCond</@ofbizUrl>">
+ <input type="hidden" name="productPriceRuleId" value="${productPriceCond.productPriceRuleId}">
+ <input type="hidden" name="productPriceCondSeqId" value="${productPriceCond.productPriceCondSeqId}">
+ <a href="javascript:document.deleteProductPriceCond_${productPriceCond_index}.submit()" class="buttontext">${uiLabelMap.CommonDelete}</a>
+ </form>
 </td>
 </tr>
 <#-- toggle the row color -->
@@ -176,8 +179,11 @@
 </form>
 </td>
 <td align="center">
- <a href="<@ofbizUrl>deleteProductPriceAction?productPriceRuleId=${productPriceAction.productPriceRuleId}&productPriceActionSeqId=${productPriceAction.productPriceActionSeqId}</@ofbizUrl>" class="buttontext">
- ${uiLabelMap.CommonDelete}</a>
+ <form name="deleteProductPriceAction_${productPriceAction_index}" method="post" action="<@ofbizUrl>deleteProductPriceAction</@ofbizUrl>">
+ <input type="hidden" name="productPriceRuleId" value="${productPriceAction.productPriceRuleId}">
+ <input type="hidden" name="productPriceActionSeqId" value="${productPriceAction.productPriceActionSeqId}">
+ <a href="javascript:document.deleteProductPriceAction_${productPriceAction_index}.submit()" class="buttontext">${uiLabelMap.CommonDelete}</a>
+ </form>
 </td>
 </tr>
 <#-- toggle the row color --> |
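Review bot: The delete is now reachable only through `href="javascript:document.deleteProductPriceCond_${productPriceCond_index}.submit()"`, so with scripting disabled the link silently does nothing, and `document.<formname>` lookup depends on the form `name` staying unique in the page; a plain `<input type="submit" value="${uiLabelMap.CommonDelete}" class="buttontext">` inside the form needs no script, degrades cleanly and removes the name dependency. The form is also still forgeable from another origin unless `deleteProductPriceCond` is protected by a session token checked server-side and its request-map rejects GET — neither is visible in this diff, so whether the reported issues are actually closed cannot be judged from the template alone. The `<#list>` iterating `productPriceCond` starts outside the hunk.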
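Review bot: The hidden `value="${productPriceAction.productPriceRuleId}"` and `value="${productPriceAction.productPriceActionSeqId}"` attributes are written without `?html`; if context values are not escaped by the FreeMarker setup in use, a quote in either identifier terminates the attribute, and adding `?html` costs nothing and is safe whether or not the environment already escapes. As a matter of style, the form / hidden inputs / `javascript:` submit link pattern now appears three times across the two templates in this commit; one `<#macro postLink name action params label>` (or the project's form macro, if one exists) would give a single place to later add an anti-forgery token to every such form instead of touching each template again. The `<#list>` iterating `productPriceAction` starts outside the hunk.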