Author: mor
Date: Mon Aug 3 06:57:37 2009
New Revision: 800223
URL: http://svn.apache.org/viewvc?rev=800223&view=rev
Log:
Securing URLs in ftl. Hand merged changes from r800022, r800031 along with the
improvements in r800218 and r800221. Issue reported in OFBIZ-2467 & OFBIZ-2725.
Modified:
ofbiz/branches/release09.04/applications/party/webapp/partymgr/party/profileblocks/ContentList.ftl
ofbiz/branches/release09.04/applications/product/webapp/catalog/price/EditProductPriceRules.ftl
Modified:
ofbiz/branches/release09.04/applications/party/webapp/partymgr/party/profileblocks/ContentList.ftl
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/party/webapp/partymgr/party/profileblocks/ContentList.ftl?rev=800223&r1=800222&r2=800223&view=diff
==============================================================================
---
ofbiz/branches/release09.04/applications/party/webapp/partymgr/party/profileblocks/ContentList.ftl
(original)
+++
ofbiz/branches/release09.04/applications/party/webapp/partymgr/party/profileblocks/ContentList.ftl
Mon Aug 3 06:57:37 2009
@@ -39,7 +39,13 @@
<#if (content.contentName?has_content)>
<a
href="<@ofbizUrl>img/${content.contentName}?imgId=${content.dataResourceId}</@ofbizUrl>">${uiLabelMap.CommonView}</a>
</#if>
- <a
href="<@ofbizUrl>removePartyContent/viewprofile?contentId=${pContent.contentId}&partyId=${pContent.partyId}&partyContentTypeId=${pContent.partyContentTypeId}&fromDate=${pContent.fromDate}</@ofbizUrl>">${uiLabelMap.CommonRemove}</a>
+ <form name="removePartyContent_${pContent_index}"
method="post" action="<@ofbizUrl>removePartyContent/viewprofile</@ofbizUrl>">
+ <input type="hidden" name="contentId"
value="${pContent.contentId}">
+ <input type="hidden" name="partyId"
value="${pContent.partyId}">
+ <input type="hidden" name="partyContentTypeId"
value="${pContent.partyContentTypeId}">
+ <input type="hidden" name="fromDate"
value="${pContent.fromDate}">
+ <a
href="javascript:document.removePartyContent_${pContent_index}.submit()">${uiLabelMap.CommonRemove}</a>
+ </form>
</td>
</tr>
</#list>
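Review bot: Nothing in this hunk makes `removePartyContent` refuse a GET request, so the old `removePartyContent/viewprofile?contentId=...` URL can still be crafted by anyone who knows the parameter names; moving the link into a POST form only stops accidental triggers (prefetchers, `<img src>`) and a cross-site page can still auto-submit an identical POST form. The request handler for `removePartyContent` should reject non-POST requests, and unless the controller already verifies one, the form should carry a per-session token in a hidden input that the handler checks. This is inferred from the template side only, since the controller mapping is not part of this commit. The enclosing `<#list>` starts outside the hunk.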
Modified:
ofbiz/branches/release09.04/applications/product/webapp/catalog/price/EditProductPriceRules.ftl
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/product/webapp/catalog/price/EditProductPriceRules.ftl?rev=800223&r1=800222&r2=800223&view=diff
==============================================================================
---
ofbiz/branches/release09.04/applications/product/webapp/catalog/price/EditProductPriceRules.ftl
(original)
+++
ofbiz/branches/release09.04/applications/product/webapp/catalog/price/EditProductPriceRules.ftl
Mon Aug 3 06:57:37 2009
@@ -108,8 +108,11 @@
</form>
</td>
<td align="center">
- <a
href="<@ofbizUrl>deleteProductPriceCond?productPriceRuleId=${productPriceCond.productPriceRuleId}&productPriceCondSeqId=${productPriceCond.productPriceCondSeqId}</@ofbizUrl>"
class="buttontext">
- ${uiLabelMap.CommonDelete}</a>
+ <form
name="deleteProductPriceCond_${productPriceCond_index}" method="post"
action="<@ofbizUrl>deleteProductPriceCond</@ofbizUrl>">
+ <input type="hidden" name="productPriceRuleId"
value="${productPriceCond.productPriceRuleId}">
+ <input type="hidden" name="productPriceCondSeqId"
value="${productPriceCond.productPriceCondSeqId}">
+ <a
href="javascript:document.deleteProductPriceCond_${productPriceCond_index}.submit()"
class="buttontext">${uiLabelMap.CommonDelete}</a>
+ </form>
</td>
</tr>
<#-- toggle the row color -->
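Review bot: The hidden inputs of the `deleteProductPriceCond` form interpolate `${productPriceCond.productPriceRuleId}` and `${productPriceCond.productPriceCondSeqId}` directly into `value="..."` attributes with no escaping, so a value containing `"` or `<` would break out of the attribute. The removed link interpolated the same values unescaped into `href`, so the exposure is pre-existing rather than introduced here, but the new markup is the place to fix it. Unless these IDs are guaranteed to be encoded before they reach the template, apply FreeMarker's HTML escaping, e.g. `value="${productPriceCond.productPriceRuleId?html}"` and `value="${productPriceCond.productPriceCondSeqId?html}"`; the hidden inputs in the other two forms of this commit have the same pattern. The enclosing `<#list>` starts and ends outside this hunk.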
@@ -176,8 +179,11 @@
</form>
</td>
<td align="center">
- <a
href="<@ofbizUrl>deleteProductPriceAction?productPriceRuleId=${productPriceAction.productPriceRuleId}&productPriceActionSeqId=${productPriceAction.productPriceActionSeqId}</@ofbizUrl>"
class="buttontext">
- ${uiLabelMap.CommonDelete}</a>
+ <form
name="deleteProductPriceAction_${productPriceAction_index}" method="post"
action="<@ofbizUrl>deleteProductPriceAction</@ofbizUrl>">
+ <input type="hidden" name="productPriceRuleId"
value="${productPriceAction.productPriceRuleId}">
+ <input type="hidden"
name="productPriceActionSeqId"
value="${productPriceAction.productPriceActionSeqId}">
+ <a
href="javascript:document.deleteProductPriceAction_${productPriceAction_index}.submit()"
class="buttontext">${uiLabelMap.CommonDelete}</a>
+ </form>
</td>
</tr>
<#-- toggle the row color -->
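Review bot: The delete control on the new side is a `javascript:` link, `href="javascript:document.deleteProductPriceAction_${productPriceAction_index}.submit()"`, which does nothing when scripting is unavailable or blocked by a Content-Security-Policy and reaches the form through a global document name. Since the action is now a real form, a submit button does the same job without any script: replace the anchor with `<button type="submit" class="buttontext">${uiLabelMap.CommonDelete}</button>`. The same substitution fits the other two forms in this commit; whether `buttontext` styles a button acceptably is not visible from the hunk. The enclosing `<#list>` starts and ends outside this hunk.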