
Unable to save a dashboard if a widget contains an HTML input called "form_token"

Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Fix Version/s: None
    • Affects Version/s: 6.4.4
    • Component/s: Dashboard
    • Labels: None
    • Difficulty: Unknown

    Description

      The use-case is to have a widget inside the dashboard that allows the creation of a new blog post. That widget contains a form with:

      <input type="hidden" name="form_token" value="xxxxxxxx" />

      Problem: when the user presses the "save" button, dashboard.js gets the form token (to send with the AJAX request) by reading the value of the "form_token" element. Since this input is present twice (once from the standard edit template and once from the widget), the JavaScript fails to return the correct value (in the previous code, editForm['form_token'] returns a list instead of an HTML element).

      I see 2 possible fixes:

      • The simpler one: dashboard.js should not rely on the "form_token" input but use the new xwiki-meta service instead.
      • More complicated: when we edit a dashboard, a widget should not be authorized to have some input elements that can interfere with the standard inputs of the 'edit' template. It may even be a security issue! We should introduce a kind of filter to remove any form object in the widget during the "edit" action.

          People

            Assignee: Unassigned
            Reporter: Guillaume Delhumeau (gdelhumeau)