This is another weird one... why is the action set in the JavaScript?
It makes the JavaScript unnecessarily complex as the action should be
defined on the form element.
In general there is no need for the href to contain anything other than:
"javascript:document.${formName}.submit()"
In other words, the need for the action setting
(document.addCommonToCartForm.action='<@ofbizUrl>cancelOrderItem</@ofbizUrl>';)
should be checked and removed.
-David
On Apr 6, 2009, at 12:55 AM, jler...@apache.org wrote:
Author: jleroux
Date: Mon Apr 6 06:55:07 2009
New Revision: 762224
URL: http://svn.apache.org/viewvc?rev=762224&view=rev
Log:
A patch from Ashish Nagar "Secure URLs in Freemarker templates
files" https://issues.apache.org/jira/browse/OFBIZ-2260
Modified:
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl
Modified: ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl?rev=762224&r1=762223&r2=762224&view=diff
======================================================================
--- ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/
orderitems.ftl (original)
+++ ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/
orderitems.ftl Mon Apr 6 06:55:07 2009
@@ -186,7 +186,7 @@
</select>
<b>${uiLabelMap.CommonComments}</b>
<input class="inputBox" type="text" name="icm_$
{orderItem.orderItemSeqId}" value="" size="30" maxlength="60"/></
div></td>
- <td colspan="4" align="right"><a
href
=
"javascript:document
.addCommonToCartForm
.method
=
'post
';document.addCommonToCartForm.action='<@ofbizUrl>cancelOrderItem</
@ofbizUrl>';document.addCommonToCartForm.submit()"
class="buttontext">${uiLabelMap.CommonCancel}</a>
+ <td colspan="4" align="right"><a
href
=
"javascript:document
.addCommonToCartForm.action='<@ofbizUrl>cancelOrderItem</
@ofbizUrl>';document.addCommonToCartForm.submit()"
class="buttontext">${uiLabelMap.CommonCancel}</a>
<input type="hidden" name="orderItemSeqId"
value="${orderItem.orderItemSeqId}"/>
</td>
</tr>
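Review bot: The new href on the Cancel link no longer sets document.addCommonToCartForm.method='post', and nothing in this hunk shows the method declared on the addCommonToCartForm element, so the submit to cancelOrderItem could fall back to the form default of GET. Since cancelOrderItem changes order state and carries orderItemSeqId, please confirm the form tag has method="post" before relying on this. The action is also still assigned inline; setting it on the form element would let the href shrink to a plain submit() call and keep the target URL out of the javascript: string.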