[jira] Commented: (OFBIZ-2260) Secure URLs in Freemarker templates files

Sun, 05 Apr 2009 13:25:37 -0700 

    [ 
https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12695908#action_12695908
 ] 

Jacques Le Roux commented on OFBIZ-2260:
----------------------------------------

Hi Ashish,

I reviewed your patch and found only these errors

{code}
-                  <td colspan="4" align="right"><a 
href="javascript:document.addCommonToCartForm.method='post';document.addCommonToCartForm.action='<@ofbizUrl>cancelOrderItem?orderItemSeqId=${orderItem.orderItemSeqId}</@ofbizUrl>';document.addCommonToCartForm.submit()"
 class="buttontext">${uiLabelMap.CommonCancel}</a></td>
+               <td colspan="4" align="right"><a 
href="javascript:document.addCommonToCartForm.method='post';document.addCommonToCartForm.action='<@ofbizUrl>cancelOrderItem</@ofbizUrl>';document.addCommonToCartForm.submit()"
 class="buttontext">${uiLabelMap.CommonCancel}</a>
+                 <input type="hidden" name="orderItem.orderItemSeqId" 
value="${orderId}"/>
+               </td> 
{code}

{code}
-                  <a 
href="<@ofbizUrl>readmessage?communicationEventId=${communicationEvent.communicationEventId}</@ofbizUrl>"
 class="buttontext">${uiLabelMap.EcommerceRead}</a>
+                  <form name="readMessage" method="post" 
action="<@ofbizUrl>readmessage</@ofbizUrl>">
+                    <input type="hidden" name="communicationEventId" 
value="{communicationEvent.communicationEventId?if_exists}">
+                    <a href="javascript:document.readMessage.submit()" 
class="buttontext">${uiLabelMap.EcommerceRead}</a>
+                  </form>
                   <#if isSentMessage>
-                    <a 
href="<@ofbizUrl>newmessage?communicationEventId=${communicationEvent.communicationEventId}</@ofbizUrl>"
 class="buttontext">${uiLabelMap.PartyReply}</a>
+                    <form name="newMessage" method="post" 
action="<@ofbizUrl>newmessage</@ofbizUrl>">
+                      <input type="hidden" name="communicationEventId" 
value="{communicationEvent.communicationEventId?if_exists}">
+                      <a 
href="javascript:document.newMessage.submit()"class="buttontext">${uiLabelMap.PartyReply}</a>
{code}

I fixed them and commited in r762149 

I had also to merge 
specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl by hand, not 
sure exactly why

Thanks for your work! 

I keep this issue open as there are certainly more to do...

> Secure URLs in Freemarker templates files
> -----------------------------------------
>
>                 Key: OFBIZ-2260
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2260
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: Release Branch 4.0, Release Branch 9.3
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: Release Branch 4.0, Release Branch 9.3
>
>         Attachments: OFBIZ-2256.patch, OFBIZ-2260.patch, OFBIZ-2260.patch
>
>
> Follow OFBIZ-2256 but for FTL files only

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to