0

I want to send a param in URL in OFBiz, but I get this error from security:

org.apache.ofbiz.webapp.event.EventHandlerException: Found URL parameter [twCompagneDeRecrutementId] 
passed to secure (https) request-map with uri [showCompagne] with an event that calls service [showCompagne]; 
this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. 
Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task for this error does not exist). If you are not sure how to create a Jira issue please have a look before at http://cwiki.apache.org/confluence/x/JIB2

This is my ftl

<#if listCompagne??>
    <#list listCompagne as newCompagne>
        <div style="display:flex; width:100%;">
            <div style="padding:6px; width:24%;"><label>${newCompagne.nom}</label></div>
            <div style="padding:6px; width:24%;"><label>${newCompagne.dateDebut?date}</label></div>
            <div style="padding:6px; width:24%;"><label>${newCompagne.dateFin?date}</label></div>
            <input type="hidden" value="${newCompagne.twCompagneDeRecrutementId}"/>
            <div style="padding:6px; width:20%;">
                <a class="btn btn-outline-danger btn-block" href="<@ofbizUrl>showCompagne?twCompagneDeRecrutementId=${newCompagne.twCompagneDeRecrutementId}</@ofbizUrl>">afficher</a>
            </div>
        </div>
    </#list>
</#if>
Ori Marko
hind

2 Answers

1

I don't use OFBiz, but you should send the parameter in the body instead of in the query.

In your case I would add a form and submit it using a hidden form input. The form should be unique per iteration, using the index:

<form action="<@ofbizUrl>showCompagne</@ofbizUrl>" id="afficher${newCompagne?index}" method="post" style="display: none;">
    <input type="hidden" name="twCompagneDeRecrutementId" value="${newCompagne.twCompagneDeRecrutementId}" />
</form>
<a class="btn btn-outline-danger btn-block" href="javascript:;"
   onclick="document.getElementById('afficher${newCompagne?index}').submit()">afficher</a>
Ori Marko
  • 1
    This is the right way to do it. As suggested in the error message, there are plenty of examples at https://issues.apache.org/jira/browse/OFBIZ-2330. Just look for one done for a Freemarker template – JacquesLeRoux Dec 07 '17 at 12:17
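
To find other links in a template that would trip the same check, the sketch below lists every `<@ofbizUrl>` target that carries query-string parameters. It is an added example, not part of the original answer or of OFBiz; the sample template is constructed, `editCompagne`, `id` and `mode` are hypothetical names, and it does not check which request-maps are secure or call a service.

```python
import re

# Body of every <@ofbizUrl>...</@ofbizUrl> macro call in a template.
OFBIZ_URL = re.compile(r"<@ofbizUrl[^>]*>(.*?)</@ofbizUrl>", re.DOTALL)
# FreeMarker interpolations; masked so a built-in such as ${x?index} is not
# mistaken for the start of a query string.
INTERPOLATION = re.compile(r"\$\{[^}]*\}")


def find_url_params(template_text):
    """Return (line, request_uri, [param names]) for each link with a query string."""
    findings = []
    for match in OFBIZ_URL.finditer(template_text):
        target = INTERPOLATION.sub("${}", match.group(1).strip())
        uri, _, query = target.partition("?")
        # Parameters are separated by "&" or its HTML-escaped form "&amp;".
        names = [p.split("=", 1)[0] for p in re.split(r"&(?:amp;)?", query)]
        names = [n for n in names if n]
        if names:  # a bare or absent "?" carries no parameters
            line = template_text.count("\n", 0, match.start()) + 1
            findings.append((line, uri, names))
    return findings


# Constructed sample: the question's link, a POST form, and a hypothetical
# two-parameter link (editCompagne, id and mode are made-up names).
SAMPLE = """<#list listCompagne as newCompagne>
<a href="<@ofbizUrl>showCompagne?twCompagneDeRecrutementId=${newCompagne.twCompagneDeRecrutementId}</@ofbizUrl>">afficher</a>
<form action="<@ofbizUrl>showCompagne</@ofbizUrl>" method="post"></form>
<a href="<@ofbizUrl>editCompagne?id=${c.id?string}&amp;mode=edit</@ofbizUrl>">edit</a>
</#list>"""

if __name__ == "__main__":
    for line, uri, names in find_url_params(SAMPLE):
        print(f"line {line}: {uri} receives {', '.join(names)} in the URL")
```

Each reported link is a candidate for the hidden-form POST pattern shown in the answer above.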
-2

The solution is to go to url.properties and change parameters.url.encrypt to no.

hind