Index: openacs-4/packages/xowiki/xowiki.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/xowiki.info,v
diff -u -r1.153.2.13 -r1.153.2.14
--- openacs-4/packages/xowiki/xowiki.info 23 May 2016 16:40:32 -0000 1.153.2.13
+++ openacs-4/packages/xowiki/xowiki.info 25 May 2016 19:33:46 -0000 1.153.2.14
@@ -10,7 +10,7 @@
t
xowiki
-
+
Gustaf Neumann
A xotcl-based enterprise wiki system with multiple object types
2015-10-04
@@ -55,7 +55,7 @@
BSD-Style
2
-
+
@@ -64,7 +64,7 @@
-
+
Index: openacs-4/packages/xowiki/tcl/bootstrap-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/bootstrap-procs.tcl,v
diff -u -r1.3.2.7 -r1.3.2.8
--- openacs-4/packages/xowiki/tcl/bootstrap-procs.tcl 23 May 2016 16:40:32 -0000 1.3.2.7
+++ openacs-4/packages/xowiki/tcl/bootstrap-procs.tcl 25 May 2016 19:33:46 -0000 1.3.2.8
@@ -228,7 +228,7 @@
html::button -type "submit" -class "btn btn-sm btn-primary" -id "js-upload-submit" {
html::t ${:text}
}
- :CSRFToken
+ ::html::CSRFToken
}
}
}
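Review bot: The handler that receives this upload form is not touched in this patch, so the token emitted by `::html::CSRFToken` here only protects anything if that target calls `::security::csrf::validate` the way www-bulk-delete does elsewhere in the same commit; nothing visible in the diff shows that, so it is worth confirming. The enclosing proc starts before this hunk, so the form's action target is not visible here either. A short why-comment on the new line would help the next reader, e.g. `# token checked by the upload target via ::security::csrf::validate`.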
Index: openacs-4/packages/xowiki/tcl/folder-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/folder-procs.tcl,v
diff -u -r1.33.2.5 -r1.33.2.6
--- openacs-4/packages/xowiki/tcl/folder-procs.tcl 23 Mar 2016 11:57:25 -0000 1.33.2.5
+++ openacs-4/packages/xowiki/tcl/folder-procs.tcl 25 May 2016 19:33:46 -0000 1.33.2.6
@@ -546,7 +546,7 @@
# We have to use the global variable for the time being due to
# scoping in "-columns"
set ::__xowiki_with_publish_status [expr {$publish_status ne "ready"}]
- set ::__xowiki_folder_link [$package_id make_link $current_folder bulk-delete]
+ set ::__xowiki_folder_link [$package_id make_link $current_folder bulk-delete {__csrf_token [::security::csrf::token]}]
switch [$package_id get_parameter PreferredCSSToolkit yui] {
bootstrap {set tableWidgetClass ::xowiki::BootstrapTable}
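Review bot: Inside Tcl braces no substitution is performed, so `{__csrf_token [::security::csrf::token]}` reaches make_link as the literal text `[::security::csrf::token]`; this only yields a real token if make_link itself substitutes its name/value pair arguments (e.g. via `subst` or `uplevel`), which the hunk does not show and should be confirmed. Independently of that, carrying the token in the bulk-delete URL puts it into Referer headers, proxy and server logs and browser history, whereas a hidden field in the POST body (as the yui-procs hunk of this commit appears to add) keeps it out of those places; once the form field exists, the query parameter could be dropped again with `set ::__xowiki_folder_link [$package_id make_link $current_folder bulk-delete]`. The token is also computed once at render time and parked in a global, so a cached rendering of this listing would carry a stale token; the comment above already notes the global is a workaround for "-columns" scoping.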
Index: openacs-4/packages/xowiki/tcl/menu-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/menu-procs.tcl,v
diff -u -r1.8.2.3 -r1.8.2.4
--- openacs-4/packages/xowiki/tcl/menu-procs.tcl 23 Mar 2016 11:57:25 -0000 1.8.2.3
+++ openacs-4/packages/xowiki/tcl/menu-procs.tcl 25 May 2016 19:33:46 -0000 1.8.2.4
@@ -18,7 +18,7 @@
#
::xo::tdom::Class create MenuComponent \
-superclass ::xo::tdom::Object
-
+
MenuComponent instproc js_name {} {
return [::xowiki::Includelet js_name [self]]
}
Index: openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl,v
diff -u -r1.327.2.18 -r1.327.2.19
--- openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl 23 May 2016 16:40:32 -0000 1.327.2.18
+++ openacs-4/packages/xowiki/tcl/xowiki-www-procs.tcl 25 May 2016 19:33:46 -0000 1.327.2.19
@@ -19,6 +19,7 @@
#
Page instproc www-bulk-delete {} {
my instvar package_id
+ ::security::csrf::validate
if {![my exists_form_parameter "objects"]} {
my msg "nothing to delete"
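Review bot: Calling `::security::csrf::validate` before any form parameter is read is the right placement, but if validate accepts the token from the query string (the folder listing in this commit builds the bulk-delete link with `__csrf_token` in the URL), a state-changing bulk delete is still reachable by a plain GET; consider additionally rejecting non-POST requests, e.g. `if {[ns_conn method] ne "POST"} { ... }`, before the validate call. The body of www-bulk-delete continues past the end of this hunk.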
@@ -806,6 +807,7 @@
#
# we have to valiate and save the form data
#
+ security::csrf::validate
lassign [my get_form_data $form_fields] validation_errors category_ids
if {$validation_errors != 0} {
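Review bot: The call is written as `security::csrf::validate` here while the www-bulk-delete hunk of the same commit writes `::security::csrf::validate`; an unqualified name is first resolved relative to the current namespace and only then globally, so the fully qualified form is the unambiguous one and the two sites should agree. Suggested line: `::security::csrf::validate`. The enclosing proc starts outside this hunk, and the typo "valiate" in the context comment above predates this change.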
@@ -972,6 +974,7 @@
::html::input -type hidden -name __object_name -value [my name]
::html::input -type hidden -name __form_action -value save-form-data
::html::input -type hidden -name __current_revision_id -value [my revision_id]
+ ::html::CSRFToken
}
# insert automatic form fields on top
foreach att $field_names {
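Review bot: The hidden token is emitted inside a conditional block that closes on the line after it, while the matching `security::csrf::validate` added to the save-form-data path in this commit runs unconditionally; any other way of producing a form with `__form_action save-form-data` that does not go through this block (other form renderers, or clients that post directly) will now be rejected. That may be intended, but it is worth confirming that every producer of `__form_action save-form-data` also emits `::html::CSRFToken`. The enclosing proc starts before this hunk.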
@@ -1497,11 +1500,11 @@
#my log "--after notifications [info exists notification_image]"
set master [$context_package_id get_parameter "master" 1]
- #if {[my exists_query_parameter "edit_return_url"]} {
- # set return_url [my query_parameter "edit_return_url"]
- #}
- #my log "--after options master=$master"
-
+ if {![string is boolean -strict $master]} {
+ ad_page_contract_handle_datasource_error "value of master is not boolean"
+ ad_script_abort
+ }
+
if {$master} {
set context [list $title]
#my msg "$context_package_id title=[$context_package_id instance_name] - $title"
Index: openacs-4/packages/xowiki/tcl/yui-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/yui-procs.tcl,v
diff -u -r1.5.2.1 -r1.5.2.2
--- openacs-4/packages/xowiki/tcl/yui-procs.tcl 23 Mar 2016 11:57:25 -0000 1.5.2.1
+++ openacs-4/packages/xowiki/tcl/yui-procs.tcl 25 May 2016 19:33:46 -0000 1.5.2.2
@@ -481,6 +481,9 @@
if {[$field istype HiddenField]} continue
if {[$field istype BulkAction]} {
set label ""
+ if {[info exists ::__csrf_token]} {
+ append label \n ""
+ }
set sortable false
} else {
set label [lang::util::localize [$field label]]
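Review bot: Nothing in this patch sets the global `::__csrf_token` (the folder listing sets `::__xowiki_folder_link` instead), so unless it is assigned elsewhere the `info exists` guard is never true and the hidden field for the bulk-action column is never rendered; as printed here the appended string is also empty (`append label \n ""`), which may be an artifact of the listing but should be checked against the real source. Rather than depending on a render-time global, the column could obtain the token directly, e.g. `append label \n [::security::csrf::token]` wrapped in the hidden-input markup, or call `::html::CSRFToken` as the other hunks of this commit do. The surrounding foreach continues outside the hunk.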