Details
- Bug
- Resolution: Unresolved
- Minor
- None
- 6.4.4
- None
- Unknown
Description
The use-case is to have a widget inside the dashboard that allows the creation of a new blog post. That widget contains a form with:
<input type="hidden" name="form_token" value="xxxxxxxx" />
Problem: when the user presses the "save" button, dashboard.js gets the form token (to send with the AJAX request) by reading the value of the "form_token" element. Since this input is present twice (once from the standard edit template and once from the widget), the JavaScript fails to return the correct value (in the previous code, editForm['form_token'] returns a list instead of an HTML element).
I see 2 possible fixes:
- The simpler one: dashboard.js should not rely on the "form_token" input but use the new xwiki-meta service instead.
- More complicated: when we edit a dashboard, a widget should not be authorized to have some input elements that can interfere with the standard inputs of the 'edit' template. It may even be a security issue! We should introduce a kind of filter to remove any form object in the widget during the "edit" action.
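
The duplicate-name lookup described above, as an added example that is not part of the original report or of dashboard.js: a helper that normalizes the named lookup whether it yields one element or a list, and fails closed when duplicate "form_token" inputs disagree. The names resolveFormToken and isNodeList, the token values and the plain-object form stand-ins are assumptions made so the block runs outside a browser.

```javascript
// Added example: stand-alone helper, not dashboard.js code.
// In a browser, `form` is an HTMLFormElement and form.elements[name] returns
// one element, or a RadioNodeList when several controls share the name.

// True for list-like lookups. A <select> element also has .length, so
// anything that carries a tagName is treated as a single element.
function isNodeList(hit) {
  return hit != null && typeof hit.length === 'number' &&
    typeof hit.tagName !== 'string';
}

// Resolve a named control's value without assuming the lookup is one element.
// Fails closed when duplicate controls carry different values.
function resolveFormToken(form, name = 'form_token') {
  const hit = form.elements[name];
  const nodes = hit == null ? [] : (isNodeList(hit) ? Array.from(hit) : [hit]);
  if (nodes.length === 0) {
    return { ok: false, reason: 'missing', count: 0 };
  }
  const values = new Set(nodes.map((node) => node.value));
  if (values.size > 1) {
    return { ok: false, reason: 'conflict', count: nodes.length };
  }
  return { ok: true, token: nodes[0].value, count: nodes.length };
}

// Constructed stand-ins for the DOM (hypothetical token values).
const input = (value) => ({ tagName: 'INPUT', type: 'hidden', value });
const single = { elements: { form_token: input('tok-A') } };
const sameTwice = { elements: { form_token: [input('tok-A'), input('tok-A')] } };
const clash = { elements: { form_token: [input('tok-A'), input('tok-B')] } };
const absent = { elements: {} };

const cases = [
  ['edit template only', single],
  ['template + widget, same value', sameTwice],
  ['template + widget, different value', clash],
  ['no token input', absent],
];
for (const [label, form] of cases) {
  console.log(label + ':', JSON.stringify(resolveFormToken(form)));
}
```

A caller would refuse to send the request on any `ok: false` result and log `reason` and `count`, since a conflict means content inside a widget is shadowing an input of the edit template.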