Quite a few of those links don't actually look like they needed to be secured, i.e. there is no event attached to that URI (orderview, for example).
Regards
Scott
HotWax Media
http://www.hotwaxmedia.com

On 7/06/2010, at 7:02 PM, [email protected] wrote:

> Author: jleroux > Date: Mon Jun 7 07:02:02 2010 > New Revision: 952119 > > URL: http://svn.apache.org/viewvc?rev=952119&view=rev > Log: > Secure some targets. Note that they have been introduced since OFBIZ-2243 has > been closed. > Please committers use only target with parameter attribute (not in URL) for > link and hyperlink fields when there is an action (ie DB modification) > > Modified: > ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml > ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml > ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml > ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml > ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml > > ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml > ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml > > Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) > +++ ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun 7 > 07:02:02 2010 
> @@ -215,7 +215,12 @@ under the License. > <field name="paymentId"><hyperlink > target="paymentOverview?paymentId=${paymentId}" > description="${paymentId}"/></field> > <field name="amount"><display type="currency" > currency="${currencyUomId}"/></field> > <field name="origAmount"><display type="currency" > currency="${origCurrencyUomId}"/></field> > - <field name="acctgTransId"><hyperlink description="${acctgTransId}" > target="EditAcctgTrans?acctgTransId=${acctgTransId}&organizationPartyId=${organizationPartyId}"/></field> > + <field name="acctgTransId"> > + <hyperlink description="${acctgTransId}" target="EditAcctgTrans"> > + <parameter param-name="acctgTransId" > from-field="acctgTransId"/> > + <parameter param-name="organizationPartyId" > from-field="organizationPartyId"/> > + </hyperlink> > + </field> > <field name="acctgTransTypeId" > title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity > entity-name="AcctgTransType"/></field> > <field name="glJournalId" > title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity > entity-name="GlJournal" description="${glJournalName}"/></field> > <field name="glAccountTypeId" > title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity > entity-name="GlAccountType"/></field> > > Modified: > ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml > (original) > +++ ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml > Mon Jun 7 07:02:02 2010 
> @@ -50,7 +50,9 @@ under the License. > <auto-fields-entity entity-name="PaymentGatewayConfig" > default-field-type="display"/> > <field name="paymentGatewayConfigId"><hidden/></field> > <field name="description" > title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}"> > - <hyperlink description="${description}" > target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/> > + <hyperlink description="${description}" > target="EditPaymentGatewayConfig"> > + <parameter param-name="paymentGatewayConfigId" > from-field="paymentGatewayConfigId"/> > + </hyperlink> > </field> > <field name="paymentGatewayConfigTypeId" > title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}"> > <display-entity entity-name="PaymentGatewayConfigType" > key-field-name="paymentGatewayConfigTypeId" description="${description}"/> 
> @@ -385,7 +387,9 @@ under the License. > <auto-fields-entity entity-name="PaymentGatewayConfigType" > default-field-type="display"/> > <field name="paymentGatewayConfigTypeId"><hidden/></field> > <field name="description" > title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}"> > - <hyperlink description="${description}" > target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/> > + <hyperlink description="${description}" > target="EditPaymentGatewayConfigType"> > + <parameter > param-name="paymentGatewayConfigTypeId" > from-field="paymentGatewayConfigTypeId"/> > + </hyperlink> > </field> > </form> > > > Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml > (original) > +++ ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon > Jun 7 07:02:02 2010 
> @@ -199,7 +199,9 @@ under the License. > <form name="LookupAssociatedProducts" type="multi" use-row-submit="true" > list-name="productList" title="" target="BulkAddProducts" > paginate-target="LookupAssociatedProducts" > default-title-style="tableheadtext" default-widget-style="inputBox" > default-tooltip-style="tabletext"> > <field name="productId" title="${uiLabelMap.ProductProductId}" > widget-style="buttontext"> > - <hyperlink description="${productId}" > target="/catalog/control/EditProductInventoryItems?productId=${productId}" > target-type="inter-app"/> > + <hyperlink description="${productId}" > target="/catalog/control/EditProductInventoryItems" target-type="inter-app"> > + <parameter param-name="productId" > from-field="productId"/> > + </hyperlink> > </field> > <field name="brandName" > title="${uiLabelMap.ProductBrandName}"><display/></field> > <field name="internalName"><display/></field> > > Modified: > ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- > ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml > (original) > +++ > ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml > Mon Jun 7 07:02:02 2010 
> @@ -287,7 +287,9 @@ under the License. > <field name="communicationEventId"><display/></field> > <field name="contactListId" use-when="contactListId!=null"> > <display-entity entity-name="ContactList" > description="${contactListName}"> > - <sub-hyperlink > target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}" > description="[${communicationEvent.contactListId}]" target-type="inter-app"/> > + <sub-hyperlink target="/marketing/control/EditContactList" > description="[${communicationEvent.contactListId}]" target-type="inter-app"> > + <parameter param-name="contactListId" > from-field="communicationEvent.contactListId"/> > + </sub-hyperlink> > </display-entity> > </field> > <field name="partyIdFrom" use-when=""my"==void" > title="${uiLabelMap.PartyPartyFrom}"> > @@ -470,7 +472,9 @@ under the License. > </service> > </actions> > <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}"> > - <hyperlink > target="/ordermgr/control/orderview?orderId=${orderId}" > description="${orderId}" target-type="inter-app"/> > + <hyperlink target="/ordermgr/control/orderview" > description="${orderId}" target-type="inter-app"> > + <parameter param-name="orderId" from-field="orderId"/> > + </hyperlink> > </field> > <field name="communicationEventId"> > <hyperlink description="${communicationEventId}" > target="ViewCommunicationEvent"> 
> @@ -1022,7 +1026,9 @@ under the License. > <set field="orderTypeId" from-field="orderHeader.orderTypeId"/> > </row-actions> > <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" > widget-style="buttontext"> > - <hyperlink > target="/ordermgr/control/orderview?orderId=${orderId}" > description="${orderId}" target-type="inter-app"/> > + <hyperlink target="/ordermgr/control/orderview" > description="${orderId}" target-type="inter-app"> > + <parameter param-name="orderId" from-field="orderId"/> > + </hyperlink> > </field> > <field name="communicationEventId"><hidden/></field> > <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}"> > > Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml > (original) > +++ ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun > 7 07:02:02 2010 
> @@ -1997,7 +1997,9 @@ under the License. > > <form name="ListCommEvents" list-name="communicationEvents" type="list" > header-row-style="header-row" default-table-style="basic-table"> > <field name="communicationEventId" widget-style="buttontext"> > - <hyperlink description="${communicationEventId}" > target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}" > target-type="inter-app"/> > + <hyperlink description="${communicationEventId}" > target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> > + <parameter param-name="communicationEventId" > from-field="communicationEventId"/> > + </hyperlink> > </field> > <field name="subject"><display/></field> > <field name="communicationEventTypeId"><display-entity > description="${description}" entity-name="CommunicationEventType" > key-field-name="communicationEventTypeId"/></field> > > Modified: > ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- > ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml > (original) > +++ > ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml > Mon Jun 7 07:02:02 2010 
> @@ -50,7 +50,9 @@ under the License. > <auto-fields-entity entity-name="ShipmentGatewayConfig" > default-field-type="display"/> > <field name="shipmentGatewayConfigId"><hidden/></field> > <field name="description" > title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}"> > - <hyperlink description="${description}" > target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/> > + <hyperlink description="${description}" > target="EditShipmentGatewayConfig"> > + <parameter param-name="shipmentGatewayConfigId" > from-field="shipmentGatewayConfigId"/> > + </hyperlink> > </field> > <field name="shipmentGatewayConfTypeId" > title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}"> > <display-entity entity-name="ShipmentGatewayConfigType" > key-field-name="shipmentGatewayConfTypeId" description="${description}"/> 
> @@ -313,7 +315,9 @@ under the License. > <auto-fields-entity entity-name="ShipmentGatewayConfigType" > default-field-type="display"/> > <field name="shipmentGatewayConfTypeId"><hidden/></field> > <field name="description" > title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}"> > - <hyperlink description="${description}" > target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/> > + <hyperlink description="${description}" > target="EditShipmentGatewayConfigType"> > + <parameter param-name="shipmentGatewayConfTypeId" > from-field="shipmentGatewayConfTypeId"/> > + </hyperlink> > </field> > </form> > > > Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff > ============================================================================== > --- ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml > (original) > +++ ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon > Jun 7 07:02:02 2010 > @@ -340,7 +340,9 @@ > <field name="estimatedStartDate" > title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time > type="date"/></field> > <field name="estimatedCompletionDate" > title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time > type="date"/></field> > <field name="edit" title=" "> > - <hyperlink target="EditTask?workEffortId=${workEffortId}" > description="${uiLabelMap.CommonEdit}"/> > + <hyperlink target="EditTask" > description="${uiLabelMap.CommonEdit"}> > + <parameter param-name="workEffortId" > from-field="workEffortId}"/> > + </hyperlink> > </field> > <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit > button-type="button"/></field> > </form> > >
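Review bot: the ProjectForms.xml hunk at @@ -340 has misplaced closing characters that will break the form definition: `description="${uiLabelMap.CommonEdit"}` closes the attribute quote before the `}`, and `from-field="workEffortId}"` carries a stray `}`. These should read `description="${uiLabelMap.CommonEdit}"` and `from-field="workEffortId"`, matching the pattern used in every other hunk of this commit.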
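Review bot: the log restricts the `<parameter>` form to targets "when there is an action (ie DB modification)", yet the two `orderview` hyperlinks converted in CommunicationEventForms.xml (@@ -470 and @@ -1022) point at a view screen rather than an action, so by the commit's own rule they did not need converting. Either note in the log that view-only links were converted for consistency, or restrict the change to targets that actually have an event attached; the log line "Secure some targets" would also be clearer if it said what the `<parameter>` form protects against compared with the query-string form, with a pointer back to the OFBIZ-2243 rationale.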