I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they have
Edit as a prefix in their names. Actually I did not check if they were calling an event. I just did, and you are right.
Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care anymore,
because if we let some get through they will be detected and signaled, to be reported as a child of OFBIZ-2330 (even if they
don't use FTL, but I did not check that either; I suppose it's right since for one year now we got any new issue).
One worry less, great!
Jacques
Scott Gray wrote:
On second look there were no targets in this commit that needed to be secured.
Regards
Scott
On 7/06/2010, at 7:18 PM, Scott Gray wrote:
Quite a few of those links don't actually look like they needed to be secured, i.e. there is no event attached to that URI,
orderview for example.
Regards
Scott
HotWax Media
http://www.hotwaxmedia.com
On 7/06/2010, at 7:02 PM, [email protected] wrote:
Author: jleroux
Date: Mon Jun 7 07:02:02 2010
New Revision: 952119
URL: http://svn.apache.org/viewvc?rev=952119&view=rev
Log:
Secure some targets. Note that they have been introduced since OFBIZ-2243 was
closed.
Committers, please use only targets with parameter attributes (not in the URL) for
link and hyperlink fields when there is an action
(i.e. a DB modification).
Modified:
ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun 7 07:02:02
2010 @@ -215,7 +215,12 @@ under the License.
<field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}"
description="${paymentId}"/></field>
<field name="amount"><display type="currency"
currency="${currencyUomId}"/></field>
<field name="origAmount"><display type="currency"
currency="${origCurrencyUomId}"/></field>
- <field name="acctgTransId"><hyperlink description="${acctgTransId}"
target="EditAcctgTrans?acctgTransId=${acctgTransId}&organizationPartyId=${organizationPartyId}"/></field>
+ <field
name="acctgTransId"> + <hyperlink description="${acctgTransId}"
target="EditAcctgTrans">
+ <parameter param-name="acctgTransId"
from-field="acctgTransId"/>
+ <parameter param-name="organizationPartyId"
from-field="organizationPartyId"/>
+ </hyperlink>
+ </field>
<field name="acctgTransTypeId"
title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
entity-name="AcctgTransType"/></field> <field name="glJournalId"
title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity
entity-name="GlJournal"
description="${glJournalName}"/></field> <field name="glAccountTypeId"
title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity
entity-name="GlAccountType"/></field>
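Review bot: only the EditAcctgTrans link is converted while the paymentOverview link in the context line just above it keeps its inline `?paymentId=${paymentId}` form; the log's own rule is to convert targets that perform an action, and the reply in this thread says none of the targets in this commit have an event attached. The log should either name the event EditAcctgTrans fires or describe this hunk as a consistency change rather than a fix.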
Modified:
ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
(original) +++
ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon
Jun 7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
License. <auto-fields-entity entity-name="PaymentGatewayConfig"
default-field-type="display"/>
<field name="paymentGatewayConfigId"><hidden/></field>
<field name="description"
title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
- <hyperlink description="${description}"
target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/>
+ <hyperlink
description="${description}" target="EditPaymentGatewayConfig"> +
<parameter param-name="paymentGatewayConfigId"
from-field="paymentGatewayConfigId"/> + </hyperlink>
</field>
<field name="paymentGatewayConfigTypeId"
title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
<display-entity entity-name="PaymentGatewayConfigType"
key-field-name="paymentGatewayConfigTypeId"
description="${description}"/> @@ -385,7 +387,9 @@ under the License.
<auto-fields-entity entity-name="PaymentGatewayConfigType"
default-field-type="display"/>
<field name="paymentGatewayConfigTypeId"><hidden/></field>
<field name="description"
title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
- <hyperlink description="${description}"
target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/>
+ <hyperlink
description="${description}" target="EditPaymentGatewayConfigType"> + <parameter
param-name="paymentGatewayConfigTypeId"
from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
</field>
</form>
Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original)
+++
ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun 7
07:02:02 2010 @@ -199,7 +199,9 @@ under the
License. <form name="LookupAssociatedProducts" type="multi" use-row-submit="true"
list-name="productList" title=""
target="BulkAddProducts" paginate-target="LookupAssociatedProducts"
default-title-style="tableheadtext"
default-widget-style="inputBox" default-tooltip-style="tabletext"> <field
name="productId"
title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> - <hyperlink
description="${productId}"
target="/catalog/control/EditProductInventoryItems?productId=${productId}"
target-type="inter-app"/> + <hyperlink
description="${productId}" target="/catalog/control/EditProductInventoryItems"
target-type="inter-app"> + <parameter
param-name="productId" from-field="productId"/> + </hyperlink>
</field>
<field name="brandName"
title="${uiLabelMap.ProductBrandName}"><display/></field>
<field name="internalName"><display/></field>
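Review bot: with `target-type="inter-app"`, `EditProductInventoryItems` is resolved by the catalog webapp's controller, not by the ordermgr one this form belongs to, so whether it has an event attached has to be checked there; the action in this form is the multi-form's own `target="BulkAddProducts"` (context above), which this hunk does not touch. The log should say which of the two it considers secured.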
Modified:
ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
(original) +++
ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon
Jun 7 07:02:02 2010 @@ -287,7 +287,9 @@ under
the License. <field name="communicationEventId"><display/></field>
<field name="contactListId" use-when="contactListId!=null">
<display-entity entity-name="ContactList"
description="${contactListName}">
- <sub-hyperlink
target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
description="[${communicationEvent.contactListId}]" target-type="inter-app"/> +
<sub-hyperlink
target="/marketing/control/EditContactList"
description="[${communicationEvent.contactListId}]" target-type="inter-app"> +
<parameter param-name="contactListId" from-field="communicationEvent.contactListId"/>
+ </sub-hyperlink>
</display-entity>
</field>
<field name="partyIdFrom" use-when=""my"==void"
title="${uiLabelMap.PartyPartyFrom}">
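Review bot: the field is gated by `use-when="contactListId!=null"` but the link reads `from-field="communicationEvent.contactListId"`, a different variable; if the top-level `contactListId` is set while the `communicationEvent` map lacks it, the link renders with an empty contactListId parameter. This predates the hunk, but since the parameter is being rewritten anyway, either gate on `communicationEvent.contactListId!=null` or pass `from-field="contactListId"` so both refer to the same value.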
@@ -470,7 +472,9 @@ under the License.
</service>
</actions>
<field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
- <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}"
description="${orderId}"
target-type="inter-app"/> + <hyperlink target="/ordermgr/control/orderview"
description="${orderId}"
target-type="inter-app"> + <parameter param-name="orderId"
from-field="orderId"/>
+ </hyperlink>
</field>
<field name="communicationEventId">
<hyperlink description="${communicationEventId}"
target="ViewCommunicationEvent">
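Review bot: orderview is a view request, not an action (the reply in this thread says so and the commit author agrees), so this hunk and the identical one at `@@ -1022,7 +1026,9 @@` below fall outside the rule stated in the log; either revert both to the inline form or say in the log that they were converted for consistency only.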
@@ -1022,7 +1026,9 @@ under the License.
<set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
</row-actions>
<field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}"
widget-style="buttontext">
- <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}"
description="${orderId}"
target-type="inter-app"/> + <hyperlink target="/ordermgr/control/orderview"
description="${orderId}"
target-type="inter-app"> + <parameter param-name="orderId"
from-field="orderId"/>
+ </hyperlink>
</field>
<field name="communicationEventId"><hidden/></field>
<field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++
ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun 7
07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
License.
<form name="ListCommEvents" list-name="communicationEvents" type="list"
header-row-style="header-row"
default-table-style="basic-table"> <field name="communicationEventId"
widget-style="buttontext">
- <hyperlink description="${communicationEventId}"
target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}"
target-type="inter-app"/> +
<hyperlink description="${communicationEventId}"
target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> +
<parameter param-name="communicationEventId" from-field="communicationEventId"/> +
</hyperlink>
</field>
<field name="subject"><display/></field>
<field name="communicationEventTypeId"><display-entity
description="${description}" entity-name="CommunicationEventType"
key-field-name="communicationEventTypeId"/></field>
Modified:
ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
(original) +++
ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
Mon Jun 7 07:02:02 2010 @@ -50,7 +50,9 @@
under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig"
default-field-type="display"/>
<field name="shipmentGatewayConfigId"><hidden/></field>
<field name="description"
title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
- <hyperlink description="${description}"
target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/>
+ <hyperlink
description="${description}" target="EditShipmentGatewayConfig"> +
<parameter
param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> +
</hyperlink>
</field>
<field name="shipmentGatewayConfTypeId"
title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
<display-entity entity-name="ShipmentGatewayConfigType"
key-field-name="shipmentGatewayConfTypeId"
description="${description}"/> @@ -313,7 +315,9 @@ under the License.
<auto-fields-entity entity-name="ShipmentGatewayConfigType"
default-field-type="display"/>
<field name="shipmentGatewayConfTypeId"><hidden/></field>
<field name="description"
title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
- <hyperlink description="${description}"
target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/>
+ <hyperlink
description="${description}" target="EditShipmentGatewayConfigType"> +
<parameter
param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> +
</hyperlink>
</field>
</form>
Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original)
+++
ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun 7
07:02:02 2010 @@ -340,7 +340,9 @@
<field name="estimatedStartDate"
title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
<field name="estimatedCompletionDate"
title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
type="date"/></field> <field name="edit" title=" ">
- <hyperlink target="EditTask?workEffortId=${workEffortId}"
description="${uiLabelMap.CommonEdit}"/>
+ <hyperlink target="EditTask"
description="${uiLabelMap.CommonEdit"}>
+ <parameter param-name="workEffortId"
from-field="workEffortId}"/>
+ </hyperlink>
</field>
<field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit
button-type="button"/></field>
</form>
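Review bot: the `+` lines in this hunk are malformed: `description="${uiLabelMap.CommonEdit"}` closes the quote before the `}`, which leaves a stray `}` inside the tag and breaks XML parsing of ProjectForms.xml, and `from-field="workEffortId}"` carries the `}` inside the field name, so the lookup would be for a field literally named `workEffortId}` and the link would carry an empty workEffortId. They should read `description="${uiLabelMap.CommonEdit}"` and `from-field="workEffortId"`, as in the other hunks of this commit; this looks like a side effect of the regex search-and-replace mentioned at the top of the thread.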
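The check Scott applied by hand, whether the target URI of a link actually has an event attached, can be scripted so that only links whose target is an action get flagged for conversion to `<parameter>` children. The script below is an added example and is not OFBiz code; it parses a constructed controller.xml fragment and a constructed widget form fragment embedded inline (the request-map names, which of them carry an `<event>`, and the field names are assumptions made up for the demo), lists every hyperlink or sub-hyperlink that still carries its parameters inline in `target`, keeps only those whose request-map runs an event, and prints the equivalent `<parameter>` elements for them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed controller.xml fragment (not from OFBiz): the uri names and
# which of them carry an <event> are assumptions for this demo. Only
# deleteAcctgTrans performs an action; the other two just render a view.
CONTROLLER_XML = """<site-conf>
  <request-map uri="EditAcctgTrans">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="EditAcctgTrans"/>
  </request-map>
  <request-map uri="orderview">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="orderview"/>
  </request-map>
  <request-map uri="deleteAcctgTrans">
    <security https="true" auth="true"/>
    <event type="service" invoke="deleteAcctgTrans"/>
    <response name="success" type="view" value="FindAcctgTrans"/>
  </request-map>
</site-conf>"""

# Constructed widget form fragment mixing the two link styles seen in the diff.
FORM_XML = """<forms>
  <form name="ListAcctgTrans" type="list">
    <field name="acctgTransId">
      <hyperlink description="${acctgTransId}" target="EditAcctgTrans?acctgTransId=${acctgTransId}"/>
    </field>
    <field name="orderId">
      <hyperlink description="${orderId}" target-type="inter-app"
          target="/ordermgr/control/orderview?orderId=${orderId}"/>
    </field>
    <field name="delete">
      <hyperlink description="Delete"
          target="deleteAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=Company"/>
    </field>
    <field name="deleteSecured">
      <hyperlink description="Delete" target="deleteAcctgTrans">
        <parameter param-name="acctgTransId" from-field="acctgTransId"/>
      </hyperlink>
    </field>
  </form>
</forms>"""


def event_request_uris(controller_xml):
    """URIs of request-maps that run an <event>, i.e. perform an action."""
    root = ET.fromstring(controller_xml)
    return {rm.get("uri") for rm in root.iter("request-map")
            if rm.find("event") is not None}


def inline_param_links(form_xml):
    """(form, field, uri, query) for every hyperlink/sub-hyperlink whose
    target still carries its parameters inside the URL string."""
    root = ET.fromstring(form_xml)
    found = []
    for form in root.iter("form"):
        for field in form.iter("field"):
            for tag in ("hyperlink", "sub-hyperlink"):
                for link in field.iter(tag):
                    target = link.get("target", "")
                    if "?" not in target:
                        continue
                    path, query = target.split("?", 1)
                    # inter-app targets look like /ordermgr/control/orderview;
                    # the request uri is the last path element. Resolving it
                    # against the right webapp's controller is the caller's job.
                    uri = path.rsplit("/", 1)[-1]
                    found.append((form.get("name"), field.get("name"), uri, query))
    return found


def links_needing_parameter_children(form_xml, controller_xml):
    """Only links whose target is an action fall under the commit log's rule."""
    events = event_request_uris(controller_xml)
    return [hit for hit in inline_param_links(form_xml) if hit[2] in events]


def suggest_parameters(query):
    """Turn 'a=${a}&b=literal' into the equivalent <parameter> children:
    ${name} values become from-field, anything else becomes value."""
    out = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        m = re.fullmatch(r"\$\{([\w.]+)\}", value)
        if m:
            out.append('<parameter param-name="%s" from-field="%s"/>' % (name, m.group(1)))
        else:
            out.append('<parameter param-name="%s" value="%s"/>' % (name, value))
    return out


if __name__ == "__main__":
    for form, field, uri, query in links_needing_parameter_children(FORM_XML, CONTROLLER_XML):
        print("%s/%s -> %s needs:" % (form, field, uri))
        for p in suggest_parameters(query):
            print("   ", p)
```

On the sample input only the `delete` field is reported, because `EditAcctgTrans` and `orderview` have no `<event>`; the `deleteSecured` field is skipped since its target has no query string. Against a real tree, feed each webapp's controller.xml separately and match inter-app links to the controller of the webapp named in the path, otherwise a link like `/ordermgr/control/orderview` is checked against the wrong request-map set. The XML parser turns `&amp;` back into `&`, which is why the query is split on a bare ampersand.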