XWiki Platform / XWIKI-12079

Unable to save a dashboard if a widget contains an HTML input called "form_token"

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 6.4.4
    • Fix Version/s: None
    • Component/s: Dashboard
    • Labels: None
    • Difficulty: Unknown

      Description

      The use-case is to have a widget inside the dashboard that allows the creation of a new blog post. That widget contains a form with:

      <input type="hidden" name="form_token" value="xxxxxxxx" />

      Problem: when the user presses the "save" button, dashboard.js gets the form token (to send with the AJAX request) by reading the value of the "form_token" element. Since this input is represented twice (once by the standard edit template and once by the widget), the JavaScript fails to return the correct value (in the previous code, editForm['form_token'] returns a list instead of an HTML element).

      I see 2 possible fixes:

      • The simpler one: dashboard.js should not rely on the "form_token" input but use the new xwiki-meta service instead.
      • More complicated: when we edit a dashboard, a widget should not be authorized to have some input elements that can interfere with the standard inputs of the 'edit' template. It may even be a security issue! We should introduce a kind of filter to remove any form object in the widget during the "edit" action.
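      An added illustration of the first fix, not code from XWiki's dashboard.js: prefer a token source that a widget cannot shadow, and otherwise handle the collection that a duplicate input name produces instead of reading .value from it blindly. The metaToken parameter and the small DOM stand-in objects are assumptions so the snippet runs outside a browser.

```javascript
// In a browser, editForm['form_token'] returns the single <input> when the
// name is unique, but a RadioNodeList when a widget adds a second one. A
// RadioNodeList also has a .value property, which is "" for non-radio inputs,
// so the old `editForm['form_token'].value` degrades silently to an empty
// token instead of throwing. This helper handles both shapes.

function isNodeCollection(x) {
  return x != null && typeof x !== 'string' && typeof x.length === 'number'
    && typeof x.item === 'function';
}

// lookup:    the value of editForm['form_token'] (element, collection or undefined)
// metaToken: token taken from page-level metadata, if present (assumed input;
//            the page suggests the xwiki-meta service as this source)
function resolveFormToken(lookup, metaToken) {
  // Preferred source: page-level metadata, which a widget form cannot duplicate.
  if (typeof metaToken === 'string' && metaToken !== '') {
    return metaToken;
  }
  if (lookup == null) {
    throw new Error('form_token input not found');
  }
  // Normalise element-or-collection into a plain array of inputs.
  const candidates = isNodeCollection(lookup)
    ? Array.from({ length: lookup.length }, (_, i) => lookup.item(i))
    : [lookup];
  const values = new Set(candidates.map((el) => el.value).filter((v) => v));
  if (values.size !== 1) {
    // Zero or conflicting tokens: refuse rather than send an empty or wrong one.
    throw new Error('ambiguous form_token (' + values.size + ' distinct values)');
  }
  return [...values][0];
}

// Constructed stand-ins for the DOM objects (shapes mirror the real ones):
// a hidden <input>, and a RadioNodeList whose .value is "" for hidden inputs.
function makeHidden(value) { return { type: 'hidden', value }; }
function makeRadioNodeList(inputs) {
  return { length: inputs.length, item: (i) => inputs[i] || null, value: '' };
}
```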

            People

            • Assignee: Unassigned
            • Reporter: Guillaume Delhumeau (gdelhumeau)
            • Votes: 0
            • Watchers: 3