Thanks Jacques

Regards
Scott
On 7/06/2010, at 9:15 PM, Jacques Le Roux wrote:
> Ha well, I did not think about that, thanks!
>
> I revert...
>
> Jacques
>
> Scott Gray wrote:
>> Hi Jacques,
>>
>> In a small way it does hurt because whenever we use "post" instead of "get"
>> the user will be prompted "do you want to submit the form again?" when they
>> click the back button on the browser to go back to one of those screens.
>>
>> But yeah I wouldn't rely on searching alone unless you are willing to check
>> each target before altering it.
>>
>> Regards
>> Scott
>>
>> On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:
>>
>>> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot
>>> more) but thought the others were real actions as they have Edit as a
>>> prefix in their names. Actually I did not check if they were calling an
>>> event. I just did and you are right.
>>>
>>> Anyway it does not hurt, and it's finally a good thing that I did not find
>>> any real issues :o). I think I should not care anymore. Because if we let
>>> some get through they will be detected and signaled as to be reported as a
>>> child of OFBIZ-2330 (even if they don't use FTL, but I did not check that
>>> either, I suppose it's right since for one year now we got any new issue)
>>>
>>> One worry less, great!
>>>
>>> Jacques
>>>
>>> Scott Gray wrote:
>>>> On second look there were no targets in this commit that needed to be
>>>> secured.
>>>>
>>>> Regards
>>>> Scott
>>>>
>>>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>>>>
>>>>> Quite a few of those links don't actually look like they needed to be
>>>>> secured i.e. there is no event attached to that uri, orderview for
>>>>> example.
>>>>> >>>>> Regards >>>>> Scott >>>>> >>>>> HotWax Media >>>>> http://www.hotwaxmedia.com >>>>> >>>>> On 7/06/2010, at 7:02 PM, jler...@apache.org wrote: >>>>> >>>>>> Author: jleroux >>>>>> Date: Mon Jun 7 07:02:02 2010 >>>>>> New Revision: 952119 >>>>>> >>>>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev >>>>>> Log: >>>>>> Secure some targets. Note that they have been introduced since >>>>>> OFBIZ-2243 has been closed. >>>>>> Please committers use only target with parameter attribute (not in URL) >>>>>> for link and hyperlink fields when there is an action >>>>>> (ie DB modification) >>>>>> >>>>>> Modified: >>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml >>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml >>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml >>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml >>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml >>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml >>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml >>>>>> >>>>>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>>>>> ============================================================================== >>>>>> --- >>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) >>>>>> +++ >>>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun 7 >>>>>> 07:02:02 2010 
@@ -215,7 +215,12 @@ under the License. >>>>>> <field name="paymentId"><hyperlink >>>>>> target="paymentOverview?paymentId=${paymentId}" >>>>>> description="${paymentId}"/></field> >>>>>> <field name="amount"><display type="currency" >>>>>> currency="${currencyUomId}"/></field> >>>>>> <field name="origAmount"><display type="currency" >>>>>> currency="${origCurrencyUomId}"/></field> >>>>>> - <field name="acctgTransId"><hyperlink >>>>>> description="${acctgTransId}" >>>>>> target="EditAcctgTrans?acctgTransId=${acctgTransId}&organizationPartyId=${organizationPartyId}"/></field> >>>>>> + <field >>>>>> name="acctgTransId"> + <hyperlink >>>>>> description="${acctgTransId}" target="EditAcctgTrans"> >>>>>> + <parameter param-name="acctgTransId" >>>>>> from-field="acctgTransId"/> >>>>>> + <parameter param-name="organizationPartyId" >>>>>> from-field="organizationPartyId"/> >>>>>> + </hyperlink> >>>>>> + </field> >>>>>> <field name="acctgTransTypeId" >>>>>> title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity >>>>>> entity-name="AcctgTransType"/></field> <field name="glJournalId" >>>>>> title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity >>>>>> entity-name="GlJournal" >>>>>> description="${glJournalName}"/></field> <field name="glAccountTypeId" >>>>>> title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity >>>>>> entity-name="GlAccountType"/></field> >>>>>> >>>>>> Modified: >>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>>>>> ============================================================================== >>>>>> --- >>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml >>>>>> (original) +++ >>>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml >>>>>> Mon Jun 7 07:02:02 2010 
@@ -50,7 +50,9 @@ under the >>>>>> License. <auto-fields-entity entity-name="PaymentGatewayConfig" >>>>>> default-field-type="display"/> >>>>>> <field name="paymentGatewayConfigId"><hidden/></field> >>>>>> <field name="description" >>>>>> title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}"> >>>>>> - <hyperlink description="${description}" >>>>>> target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> >>>>>> + <hyperlink >>>>>> description="${description}" target="EditPaymentGatewayConfig"> + >>>>>> <parameter >>>>>> param-name="paymentGatewayConfigId" >>>>>> from-field="paymentGatewayConfigId"/> + </hyperlink> >>>>>> </field> >>>>>> <field name="paymentGatewayConfigTypeId" >>>>>> title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}"> >>>>>> <display-entity entity-name="PaymentGatewayConfigType" >>>>>> key-field-name="paymentGatewayConfigTypeId" >>>>>> description="${description}"/> 
@@ -385,7 +387,9 @@ under the License. >>>>>> <auto-fields-entity entity-name="PaymentGatewayConfigType" >>>>>> default-field-type="display"/> >>>>>> <field name="paymentGatewayConfigTypeId"><hidden/></field> >>>>>> <field name="description" >>>>>> title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}"> >>>>>> - <hyperlink description="${description}" >>>>>> target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> >>>>>> + <hyperlink >>>>>> description="${description}" target="EditPaymentGatewayConfigType"> + >>>>>> <parameter param-name="paymentGatewayConfigTypeId" >>>>>> from-field="paymentGatewayConfigTypeId"/> + </hyperlink> >>>>>> </field> >>>>>> </form> >>>>>> >>>>>> >>>>>> Modified: >>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>>>>> ============================================================================== >>>>>> --- >>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml >>>>>> (original) +++ >>>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon >>>>>> Jun 7 07:02:02 2010 
@@ -199,7 +199,9 @@ under the >>>>>> License. <form name="LookupAssociatedProducts" type="multi" >>>>>> use-row-submit="true" list-name="productList" title="" >>>>>> target="BulkAddProducts" paginate-target="LookupAssociatedProducts" >>>>>> default-title-style="tableheadtext" >>>>>> default-widget-style="inputBox" default-tooltip-style="tabletext"> >>>>>> <field name="productId" >>>>>> title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> - >>>>>> <hyperlink description="${productId}" >>>>>> target="/catalog/control/EditProductInventoryItems?productId=${productId}" >>>>>> target-type="inter-app"/> + <hyperlink >>>>>> description="${productId}" >>>>>> target="/catalog/control/EditProductInventoryItems" >>>>>> target-type="inter-app"> + <parameter >>>>>> param-name="productId" from-field="productId"/> + </hyperlink> >>>>>> </field> >>>>>> <field name="brandName" >>>>>> title="${uiLabelMap.ProductBrandName}"><display/></field> >>>>>> <field name="internalName"><display/></field> >>>>>> >>>>>> Modified: >>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>>>>> ============================================================================== >>>>>> --- >>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml >>>>>> (original) +++ >>>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml >>>>>> Mon Jun 7 07:02:02 2010 
@@ -287,7 +287,9 @@ under >>>>>> the License. <field name="communicationEventId"><display/></field> >>>>>> <field name="contactListId" use-when="contactListId!=null"> >>>>>> <display-entity entity-name="ContactList" >>>>>> description="${contactListName}"> >>>>>> - <sub-hyperlink >>>>>> target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}" >>>>>> description="[${communicationEvent.contactListId}]" >>>>>> target-type="inter-app"/> + <sub-hyperlink >>>>>> target="/marketing/control/EditContactList" >>>>>> description="[${communicationEvent.contactListId}]" >>>>>> target-type="inter-app"> + >>>>>> <parameter param-name="contactListId" >>>>>> from-field="communicationEvent.contactListId"/> + >>>>>> </sub-hyperlink> >>>>>> </display-entity> >>>>>> </field> >>>>>> <field name="partyIdFrom" use-when=""my"==void" >>>>>> title="${uiLabelMap.PartyPartyFrom}"> >>>>>> @@ -470,7 +472,9 @@ under the License. >>>>>> </service> >>>>>> </actions> >>>>>> <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}"> >>>>>> - <hyperlink >>>>>> target="/ordermgr/control/orderview?orderId=${orderId}" >>>>>> description="${orderId}" >>>>>> target-type="inter-app"/> + <hyperlink >>>>>> target="/ordermgr/control/orderview" description="${orderId}" >>>>>> target-type="inter-app"> + <parameter >>>>>> param-name="orderId" from-field="orderId"/> >>>>>> + </hyperlink> >>>>>> </field> >>>>>> <field name="communicationEventId"> >>>>>> <hyperlink description="${communicationEventId}" >>>>>> target="ViewCommunicationEvent"> 
>>>>>> @@ -1022,7 +1026,9 @@ under the License. >>>>>> <set field="orderTypeId" from-field="orderHeader.orderTypeId"/> >>>>>> </row-actions> >>>>>> <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" >>>>>> widget-style="buttontext"> >>>>>> - <hyperlink >>>>>> target="/ordermgr/control/orderview?orderId=${orderId}" >>>>>> description="${orderId}" >>>>>> target-type="inter-app"/> + <hyperlink >>>>>> target="/ordermgr/control/orderview" description="${orderId}" >>>>>> target-type="inter-app"> + <parameter >>>>>> param-name="orderId" from-field="orderId"/> >>>>>> + </hyperlink> >>>>>> </field> >>>>>> <field name="communicationEventId"><hidden/></field> >>>>>> <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}"> >>>>>> >>>>>> Modified: >>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>>>>> ============================================================================== >>>>>> --- >>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml >>>>>> (original) +++ >>>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun >>>>>> 7 07:02:02 2010 
@@ -1997,7 +1997,9 @@ under the >>>>>> License. >>>>>> >>>>>> <form name="ListCommEvents" list-name="communicationEvents" type="list" >>>>>> header-row-style="header-row" >>>>>> default-table-style="basic-table"> <field >>>>>> name="communicationEventId" widget-style="buttontext"> >>>>>> - <hyperlink description="${communicationEventId}" >>>>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" >>>>>> target-type="inter-app"/> + >>>>>> <hyperlink description="${communicationEventId}" >>>>>> target="/partymgr/control/EditCommunicationEvent" >>>>>> target-type="inter-app"> + >>>>>> <parameter param-name="communicationEventId" >>>>>> from-field="communicationEventId"/> + </hyperlink> >>>>>> </field> >>>>>> <field name="subject"><display/></field> >>>>>> <field name="communicationEventTypeId"><display-entity >>>>>> description="${description}" entity-name="CommunicationEventType" >>>>>> key-field-name="communicationEventTypeId"/></field> >>>>>> >>>>>> Modified: >>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>>>>> ============================================================================== >>>>>> --- >>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml >>>>>> (original) +++ >>>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml >>>>>> Mon Jun 7 07:02:02 2010 
@@ -50,7 +50,9 @@ >>>>>> under the License. <auto-fields-entity >>>>>> entity-name="ShipmentGatewayConfig" default-field-type="display"/> >>>>>> <field name="shipmentGatewayConfigId"><hidden/></field> >>>>>> <field name="description" >>>>>> title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}"> >>>>>> - <hyperlink description="${description}" >>>>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> >>>>>> + <hyperlink >>>>>> description="${description}" target="EditShipmentGatewayConfig"> + >>>>>> <parameter >>>>>> param-name="shipmentGatewayConfigId" >>>>>> from-field="shipmentGatewayConfigId"/> + </hyperlink> >>>>>> </field> >>>>>> <field name="shipmentGatewayConfTypeId" >>>>>> title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}"> >>>>>> <display-entity entity-name="ShipmentGatewayConfigType" >>>>>> key-field-name="shipmentGatewayConfTypeId" >>>>>> description="${description}"/> 
@@ -313,7 +315,9 @@ under the License. >>>>>> <auto-fields-entity entity-name="ShipmentGatewayConfigType" >>>>>> default-field-type="display"/> >>>>>> <field name="shipmentGatewayConfTypeId"><hidden/></field> >>>>>> <field name="description" >>>>>> title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}"> >>>>>> - <hyperlink description="${description}" >>>>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> >>>>>> + <hyperlink >>>>>> description="${description}" target="EditShipmentGatewayConfigType"> + >>>>>> <parameter >>>>>> param-name="shipmentGatewayConfTypeId" >>>>>> from-field="shipmentGatewayConfTypeId"/> + </hyperlink> >>>>>> </field> >>>>>> </form> >>>>>> >>>>>> >>>>>> Modified: >>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff >>>>>> ============================================================================== >>>>>> --- >>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml >>>>>> (original) +++ >>>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon >>>>>> Jun 7 07:02:02 2010 
@@ -340,7 +340,9 @@ >>>>>> <field name="estimatedStartDate" >>>>>> title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time >>>>>> type="date"/></field> >>>>>> <field name="estimatedCompletionDate" >>>>>> title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time >>>>>> type="date"/></field> <field name="edit" title=" "> >>>>>> - <hyperlink target="EditTask?workEffortId=${workEffortId}" >>>>>> description="${uiLabelMap.CommonEdit}"/> >>>>>> + <hyperlink target="EditTask" >>>>>> description="${uiLabelMap.CommonEdit"}> >>>>>> + <parameter param-name="workEffortId" >>>>>> from-field="workEffortId}"/> >>>>>> + </hyperlink> >>>>>> </field> >>>>>> <field name="submitButton" >>>>>> title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field> >>>>>> </form> > >
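Review bot: In the InvoiceForms.xml hunk (@@ -215,7 +215,12 @@) the `acctgTransId` link is moved to the `<parameter>` form while the `paymentOverview` link on `paymentId` two lines above keeps its `?paymentId=${paymentId}` query string, so the same form now treats two screen-navigation links two different ways. The commit log limits the parameter form to targets that perform an action (a DB modification), and Scott's second look upthread found no target in this commit with an event attached; unless `EditAcctgTrans` does fire an event in the accounting controller, leave it as a plain GET link like `paymentOverview`, since the only effect of the conversion is the "submit the form again?" prompt on back navigation that Scott describes.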
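Review bot: In the PaymentGatewayConfigForms.xml hunk (@@ -50,7 +50,9 @@) `EditPaymentGatewayConfig` is a row link that opens the edit screen for the `paymentGatewayConfigId` shown in the row; nothing in the hunk indicates it performs the DB modification the commit log sets as the condition for using `<parameter>`. Either point at the event on that request in the controller to justify the change, or revert it to `target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"`. The same question applies to the three identical conversions for `EditPaymentGatewayConfigType` (@@ -385), `EditShipmentGatewayConfig` (@@ -50 in ShipmentGatewayConfigForms.xml) and `EditShipmentGatewayConfigType` (@@ -313).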
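Review bot: In the OrderEntryForms.xml hunk (@@ -199,7 +199,9 @@) the target is `/catalog/control/EditProductInventoryItems` with `target-type="inter-app"`, i.e. a lookup that jumps to a screen in another webapp, not an action on the current one, so moving `productId` into a `<parameter>` element does not secure anything here and the commit log's own rule (parameter form only where there is a DB modification) argues for keeping the original `target="/catalog/control/EditProductInventoryItems?productId=${productId}"`. The same holds for the other inter-app links in this commit: the `EditContactList` sub-hyperlink in CommunicationEventForms.xml (@@ -287) and the `EditCommunicationEvent` link in ProductForms.xml (@@ -1997).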
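Review bot: In the CommunicationEventForms.xml hunk at @@ -470,7 +472,9 @@ `orderview` is a view request with no event attached, which Scott calls out by name upthread and Jacques confirms was changed by mistake ("I wrongly put the 2 orderview"), so this hunk should be reverted to `target="/ordermgr/control/orderview?orderId=${orderId}"`. Leaving it converted gains nothing and costs the user the "submit the form again?" prompt when they use the back button to return to the order view.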
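Review bot: The second `orderview` conversion in CommunicationEventForms.xml (@@ -1022,7 +1026,9 @@) needs the same revert as the one at @@ -470: restore `target="/ordermgr/control/orderview?orderId=${orderId}"` on the `orderId` field, since `orderview` has no event and is one of the two links Jacques says he changed by mistake.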
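Review bot: The ProjectForms.xml hunk (@@ -340,7 +340,9 @@) is malformed as committed: in `description="${uiLabelMap.CommonEdit"}>` the closing quote lands before the `}`, which leaves a bare `}` inside the start tag and breaks XML parsing of the whole widget file, and `from-field="workEffortId}"` carries a stray `}` so the parameter would read a field named `workEffortId}` that never resolves and the Edit link would lose its `workEffortId`. It should read `<hyperlink target="EditTask" description="${uiLabelMap.CommonEdit}">` followed by `<parameter param-name="workEffortId" from-field="workEffortId"/>`. Separately, `EditTask` is the per-row edit screen link for a form whose own submit button does the update, so once the syntax is fixed it falls under the same "does this target have an event?" check as the other Edit links in this commit; if not, the original `target="EditTask?workEffortId=${workEffortId}"` was the right form.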