[ https://issues.apache.org/jira/browse/OFBIZ-13364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-13364.
-----------------------------------
    Fix Version/s: 24.09.06
       Resolution: Fixed

Damn, I missed putting the link to this Jira in the commit title. Here is the 
info:


{quote}
Fixed: Some widget form targets violate security checks (OFBIZ-)
ran into errors violating link security checks:

1) applications/content/widget/content/DataResourceForms.xml

form name="ListContentsAssociatedToDataResource"
hyperlink description="${contentId}" target="/EditContent"

should be hyperlink description="${contentId}" target="EditContent"

2)
applications/product/widget/catalog/FeatureForms.xml

hyperlink description="${uiLabelMap.ProductGoToFeatureCategory}
${productFeature.productFeatureCategoryId}"
target="/EditFeatureCategoryFeatures"

should be target="EditFeatureCategoryFeatures"

jleroux: I checked that there are no other simple target values (w/o control in them)
starting with a /
I also noticed 11 paginate-target starting with a /. But as those are not URLs
they are not checked, hence no 500 error

Thanks: Carsten Heinrigs
{quote}

Here are the commit links:
trunk: https://github.com/apache/ofbiz-framework/commit/46a8e3d859b7b4a369d738048c9578f5eebe0b1b
24.09: https://github.com/apache/ofbiz-framework/commit/21c8319e320afca128fbdb30c6070749599261ee


> Some widget form targets violate security checks
> ------------------------------------------------
>
>                 Key: OFBIZ-13364
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13364
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content, product/catalog
>    Affects Versions: 24.09.05
>            Reporter: Carsten Heinrigs
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: 24.09.06
>
>
> ran into errors violating link security checks:
> 1)
> applications/content/widget/content/DataResourceForms.xml
> form name="ListContentsAssociatedToDataResource"
> hyperlink description="${contentId}" target="/EditContent"
> should be
> hyperlink description="${contentId}" target="EditContent"
>
> 2)
> applications/product/widget/catalog/FeatureForms.xml
> hyperlink description="${uiLabelMap.ProductGoToFeatureCategory}
> ${productFeature.productFeatureCategoryId}"
> target="/EditFeatureCategoryFeatures"
> should be
> target="EditFeatureCategoryFeatures"



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
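
The check described in the commit message (simple hyperlink targets starting with a / and without control in them, with paginate-target values reported separately), as an added Python example that is not part of the commit or of OFBiz. The sample XML, the `/ListThings` value and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a widget form file; not copied from the project.
SAMPLE_FORMS = """<forms xmlns="http://ofbiz.apache.org/Widget-Form">
  <form name="ListContentsAssociatedToDataResource" type="list"
        paginate-target="/ListThings">
    <field name="contentId">
      <hyperlink description="${contentId}" target="/EditContent"/>
    </field>
    <field name="fixed">
      <hyperlink description="${contentId}" target="EditContent"/>
    </field>
    <field name="withControl">
      <hyperlink description="x" target="/content/control/EditContent"/>
    </field>
  </form>
</forms>"""


def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def scan_widget_forms(xml_text):
    """Return (slash_targets, slash_paginate_targets), each a list of
    (form name, attribute value) pairs."""
    slash_targets, slash_paginate = [], []
    root = ET.fromstring(xml_text)
    for form in root.iter():
        if local_name(form.tag) != "form":
            continue
        name = form.get("name", "?")
        # paginate-target values are listed separately: per the commit
        # message they are not URLs and are not checked.
        paginate = form.get("paginate-target", "")
        if paginate.startswith("/"):
            slash_paginate.append((name, paginate))
        for el in form.iter():
            target = el.get("target", "")
            # "Simple" target: leading slash and no "control" in the value.
            if (local_name(el.tag) == "hyperlink"
                    and target.startswith("/") and "control" not in target):
                slash_targets.append((name, target))
    return slash_targets, slash_paginate


if __name__ == "__main__":
    for kind, hits in zip(("target", "paginate-target"), scan_widget_forms(SAMPLE_FORMS)):
        for form_name, value in hits:
            print(f"{kind}: form={form_name} value={value}")
```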
