This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 21c8319e32 Fixed: Some widget form targets violate security checks 
(OFBIZ-)
21c8319e32 is described below

commit 21c8319e320afca128fbdb30c6070749599261ee
Author: Jacques Le Roux <[email protected]>
AuthorDate: Thu Feb 19 18:30:07 2026 +0100

    Fixed: Some widget form targets violate security checks (OFBIZ-)
    
    ran into errors violating link security checks:
    
    1) applications/content/widget/content/DataResourceForms.xml
    
    form name="ListContentsAssociatedToDataResource"
    hyperlink description="${contentId}" target="/EditContent"
    
    should be hyperlink description="${contentId}" target="EditContent"
    
    2)
    applications/product/widget/catalog/FeatureForms.xml
    
    hyperlink description="${uiLabelMap.ProductGoToFeatureCategory}
    ${productFeature.productFeatureCategoryId}"
    target="/EditFeatureCategoryFeatures"
    
    should be target="EditFeatureCategoryFeatures"
    
    jleroux: I checked there are no other simple target values (w/o control in 
them)
    starting with a /
    I also noticed 11 paginate-target starting with a /. But as those are not URLs
    they are not checked, hence no 500 error
    
    Thanks: Carsten Heinrigs
---
 applications/content/widget/content/DataResourceForms.xml | 6 +++---
 applications/product/widget/catalog/FeatureForms.xml      | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/applications/content/widget/content/DataResourceForms.xml 
b/applications/content/widget/content/DataResourceForms.xml
index 9ef9fc2b0b..19c3e9c196 100644
--- a/applications/content/widget/content/DataResourceForms.xml
+++ b/applications/content/widget/content/DataResourceForms.xml
@@ -18,7 +18,7 @@ specific language governing permissions and limitations
 under the License.
 -->
 
-<forms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
+<forms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
  xmlns="http://ofbiz.apache.org/Widget-Form"; 
xsi:schemaLocation="http://ofbiz.apache.org/Widget-Form 
http://ofbiz.apache.org/dtds/widget-form.xsd";>
     <!-- DataResource forms -->
     <form name="FindDataResource" target="findDataResource" type="single" 
default-map-name="parameters"
@@ -223,7 +223,7 @@ under the License.
         <field name="contentId"><hidden 
value="${parameters.contentId}"/></field>
         <field name="templateDataResource"><hidden 
value="${parameters.templateDataResource}"/></field>
     </form>
-    
+
     <form name="ListContentsAssociatedToDataResource" type="list" 
list-name="contentRecords" default-widget-style="display"
         odd-row-style="alternate-row" default-table-style="basic-table 
hover-bar">
         <actions>
@@ -233,7 +233,7 @@ under the License.
             </entity-and>
         </actions>
         <field name="contentId" widget-style="buttontext">
-            <hyperlink description="${contentId}" target="/EditContent" 
also-hidden="false">
+            <hyperlink description="${contentId}" target="EditContent" 
also-hidden="false">
                 <parameter param-name="contentId"/>
             </hyperlink>
         </field>
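Review bot: The new `target="EditContent"` on the ListContentsAssociatedToDataResource hyperlink leaves `target-type` implicit, while the parallel fix in FeatureForms.xml (the -48,7 hunk) spells out `target-type="intra-app"`; since dropping the leading slash only works because the value is now presumably resolved as a request-map name inside the current webapp, stating that here as well would make the two fixes consistent: `<hyperlink description="${contentId}" target="EditContent" target-type="intra-app" also-hidden="false">`. Whether the widget's default target type is already intra-app cannot be confirmed from this hunk, so this may be a readability-only change. A one-line comment above the field, e.g. `<!-- intra-app target: request-map name, no leading slash, or the link security check fails -->`, would keep a later edit from reintroducing the slash that caused the 500 described in the commit message. The enclosing form starts outside this hunk.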
diff --git a/applications/product/widget/catalog/FeatureForms.xml 
b/applications/product/widget/catalog/FeatureForms.xml
index 4a21b1bebe..f79e313f24 100644
--- a/applications/product/widget/catalog/FeatureForms.xml
+++ b/applications/product/widget/catalog/FeatureForms.xml
@@ -18,7 +18,7 @@
     under the License.
 -->
 
-<forms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
+<forms xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
         xmlns="http://ofbiz.apache.org/Widget-Form"; 
xsi:schemaLocation="http://ofbiz.apache.org/Widget-Form 
http://ofbiz.apache.org/dtds/widget-form.xsd";>
     <form name="EditProductFeature" type="single" 
target="updateProductFeature" title="" default-map-name="productFeature"
         header-row-style="header-row" default-table-style="basic-table">
@@ -48,7 +48,7 @@
             </drop-down>
         </field>
         <field 
use-when="productFeature!=null&amp;&amp;productFeature.getString(&quot;productFeatureCategoryId&quot;)!=null"
 name="categoryLink" title=" " widget-style="buttontext">
-            <hyperlink description="${uiLabelMap.ProductGoToFeatureCategory} 
${productFeature.productFeatureCategoryId}" 
target="/EditFeatureCategoryFeatures" target-type="intra-app" 
also-hidden="false">
+            <hyperlink description="${uiLabelMap.ProductGoToFeatureCategory} 
${productFeature.productFeatureCategoryId}" 
target="EditFeatureCategoryFeatures" target-type="intra-app" 
also-hidden="false">
                 <parameter param-name="productFeatureCategoryId" 
from-field="productFeature.productFeatureCategoryId"/>
             </hyperlink>
         </field>
