FSN#22720 FOX#24 Cross Site Request Forgery voorkomen

svn path=/Website/trunk/; revision=17140
This commit is contained in:
Erik Groener
2013-03-12 09:22:45 +00:00
parent c7494bad23
commit 31fb8256c6
15 changed files with 109 additions and 52 deletions


@@ -20,6 +20,7 @@ DOCTYPE_Disable = 1;
<!--#include file="../Shared/json2.js" -->
<%
protectRequest.validateToken();
// TODO: Nauwkeuriger controleren
var autfunction="WEB_PRSSYS";
var authParams = user.checkAutorisation(autfunction);
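Review bot: The result of `protectRequest.validateToken()` is dropped, so this only blocks forged requests if the helper ends the response itself on a missing or wrong token; if it instead signals failure through its return value, execution falls straight through to `user.checkAutorisation` and the rest of the page. If the helper does abort internally, say so at the call site, e.g. `// validateToken() ends the response on a bad token; nothing below runs without one`, so the next maintainer does not wrap it in a condition or move it below the authorisation lookup. The page's remaining logic lies outside the hunk.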


@@ -90,8 +90,11 @@ FCLTHeader.Requires({ plugins: ["jQuery"] });
{
function bes_approve(bes_key_array, mld_key_array, goed_key_array)
{
var data = { bes_key: bes_key_array.join(",")
};
<% protectRequest.dataToken("data"); %>
$.post("../bes/bes_approve.asp",
{ bes_key: bes_key_array.join(",") },
data,
function(json, textStatus)
{
if (mld_key_array.length > 0)
@@ -106,8 +109,11 @@ FCLTHeader.Requires({ plugins: ["jQuery"] });
function mld_approve(mld_key_array, goed_key_array)
{
var data = { opdr_key: mld_key_array.join(",")
};
<% protectRequest.dataToken("data"); %>
$.post("../mld/opdr_approve.asp",
{ opdr_key: mld_key_array.join(",") },
data,
function(json, textStatus)
{
if (goed_key_array.length > 0)
@@ -120,8 +126,11 @@ FCLTHeader.Requires({ plugins: ["jQuery"] });
function goed_approve(goed_key_array)
{
var data = { opdr_key: goed_key_array.join(",")
};
<% protectRequest.dataToken("data"); %>
$.post("../mld/opdr_goedkeur.asp",
{ opdr_key: goed_key_array.join(",") },
data,
FcltCallbackRefresh,
"json");
}
@@ -153,13 +162,18 @@ FCLTHeader.Requires({ plugins: ["jQuery"] });
if (json.success)
{
if (json.afwijsArray.length > 0)
{
var data = { opdr_key: json.afwijsArray.join(","),
opdr_opm: L("lcl_mld_opdr_alternatief")
};
<% protectRequest.dataToken("data"); %>
$.post("../mld/opdr_reject_offer.asp?submit=1",
{ opdr_key: json.afwijsArray.join(","),
opdr_opm: L("lcl_mld_opdr_alternatief") },
data,
function(json1, textStatus1)
{
showVervolgOpdracht(json1, textStatus1)
});
}
else
showVervolgOpdracht(json, textStatus);
}
@@ -223,14 +237,19 @@ FCLTHeader.Requires({ plugins: ["jQuery"] });
{ callback: function(json, textStatus)
{
if (opdr_key_array.length > 0)
{
// Reden is al bekend. Direct submitten.
var data = { opmerk: json.opmerk
};
<% protectRequest.dataToken("data"); %>
$.post("../mld/opdr_reject.asp?submit=1&opdr_key=" + opdr_key_array.join(","),
{ opmerk: json.opmerk },
data,
function()
{
window.location.reload();
},
"html");
}
else
FcltCallbackRefresh(json, textStatus);
}}
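Review bot: The token-stamping sequence `var data = {...}; <% protectRequest.dataToken("data"); %>` followed by `$.post(url, data, ...)` is hand-copied into five call sites in this file (bes_approve, mld_approve, goed_approve and the two opdr_reject paths), so the next `$.post` added here will ship without a token unless its author remembers the ritual. Assuming `dataToken("data")` only emits a statement that assigns the token into the variable named `data` (its output is not visible here), one page-level wrapper can do the stamping once and every call site becomes a plain call. Separately, the reject call still builds its URL as `"../mld/opdr_reject.asp?submit=1&opdr_key=" + opdr_key_array.join(",")` without `encodeURIComponent`; that line is pre-existing but is reprinted on the new side, and if the handler reads `opdr_key` from the form, moving it into the posted object would also put it under the token. The enclosing approval and callback functions start outside the hunks.
```javascript
// Stamp the CSRF token once; every $.post on this page must go through here.
function postWithToken(url, data, callback, dataType)
{
    <% protectRequest.dataToken("data"); %>
    $.post(url, data, callback, dataType);
}

function goed_approve(goed_key_array)
{
    postWithToken("../mld/opdr_goedkeur.asp",
        { opdr_key: goed_key_array.join(",") },
        FcltCallbackRefresh,
        "json");
}
// … unchanged: bes_approve, mld_approve and the two reject paths rewritten the same way …
```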


@@ -118,11 +118,14 @@ else
{
if (confirm(L("lcl_R_U_sure")))
{
$.post("fac_delete.asp",
{ key: <%=domein_key%>,
level: "KD"},
FcltCallbackClose,
"json");
var data = { key: <%=domein_key%>,
level: "KD"
};
<% protectRequest.dataToken("data"); %>
$.post("fac_delete.asp",
data,
FcltCallbackClose,
"json");
}
}
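Review bot: The rebuilt `data` object still splices `<%=domein_key%>` unquoted into the JavaScript literal (`key: <%=domein_key%>`), so the page relies on domein_key being a number by the time it gets here; where this commit handles a string key it goes through `safe.jsstring`, as in the bookmark page. If domein_key is already parsed as an integer upstream (not visible in this hunk) the line is fine and a comment such as `// domein_key is an int parsed server-side; no quoting needed` records why; otherwise it should be `key: "<%=safe.jsstring(domein_key)%>"` like the bookmark delete. The function that wraps this `confirm` starts before the hunk.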


@@ -49,8 +49,8 @@ var sql,oRs;
+ " FROM mld_adres "
+ " WHERE mld_adres_key = " + adr_key;
oRs=Oracle.Execute(sql);
if (oRs.eof)
{
@@ -97,14 +97,17 @@ oRs = Oracle.Execute(sql);
if (FcltMgr.startEdit(window))
window.location.href = "fac_edit_adres.asp?adr_key=<%=adr_key%>";
}
function fac_delete()
{
if (confirm(L("lcl_fac_del_txt_adres")))
{
$.post("fac_delete.asp",
{ key: <%=adr_key%>,
level: "AD"},
var data = { key: <%=adr_key%>,
level: "AD"
};
<% protectRequest.dataToken("data"); %>
$.post("fac_delete.asp",
data,
FcltCallbackClose,
"json");
}
@@ -122,7 +125,7 @@ if (authparams.PRSwritelevel<9)
var buttons = [ {title: L("lcl_change"), action: "fac_change()", icon: "wijzigen.png" },
{title: L("lcl_delete"), action: "fac_delete()", icon: "delete.png" }
];
}
}
IFRAMER_HEADER(L("lcl_adres_frame_algemeen"), buttons);
%>
@@ -131,18 +134,18 @@ IFRAMER_HEADER(L("lcl_adres_frame_algemeen"), buttons);
<%
BLOCK_START("facAlg", L("lcl_fac_adres_nawblock"));
FCLTplaatsselector( authparams.ALGreadlevel,{ locatiekey: alg_loc_key,
startlevel: 2,
startlevel: 2,
eindlevel: 2,
readonly: true,
whenEmpty: L("lcl_search_generic")
});
ROFIELDTR("fld", L("lcl_prs_address_naam"), mld_adr_nm);
ROFIELDTR("fld", L("lcl_prs_address_naam"), mld_adr_nm);
ROFIELDTR("fld", L("lcl_prs_address_gebouw_ruimte"), mld_adr_geb_rui);
ROFIELDTR("fld", L("lcl_prs_address_bezoek_adres"), mld_adr_bez_adr);
ROFIELDTR("fld", L("lcl_prs_address_bezoek_postcode"), mld_adr_bez_pcd);
ROFIELDTR("fld", L("lcl_prs_address_bezoek_plaats"), mld_adr_bez_pla);
ROFIELDTR("fld", L("lcl_prs_address_bezoek_land"), mld_adr_bez_lnd);
ROFIELDTR("fld", L("lcl_prs_address_phone"), mld_adr_tel);
ROFIELDTR("fld", L("lcl_prs_address_phone"), mld_adr_tel);
ROFIELDTR("fld", L("lcl_prs_address_fax"), mld_adr_fax);
%>
<tr>
@@ -152,11 +155,11 @@ BLOCK_START("facAlg", L("lcl_fac_adres_nawblock"));
<tr>
<td class="label"><label><%=L("lcl_prs_address_opdrachtadres")%>:</label></td>
<td><input class="fldalgbez" type="checkbox" id="mld_adr_opd_adr" name="mld_adr_opd_adr" value="<%=mld_adr_opd_adr%>" <%= mld_adr_opd_adr==1 ? " checked " : "" %>disabled></td>
</tr>
</tr>
<tr>
<td class="label"><label><%=L("lcl_prs_address_afleveradres")%>:</label></td>
<td><input class="fldalgbez" type="checkbox" id="mld_adr_afl_adr" name="mld_adr_afl_adr" value="<%=mld_adr_afl_adr%>" <%= mld_adr_afl_adr==1 ? " checked " : "" %>disabled></td>
</tr>
</tr>
<%
BLOCK_END();
@@ -164,7 +167,7 @@ BLOCK_START("facBez", L("lcl_fac_adres_postblock"));
ROFIELDTR("fld", L("lcl_prs_address_post_adres"), mld_adr_pst_adr);
ROFIELDTR("fld", L("lcl_prs_address_post_postcode"), mld_adr_pst_pcd);
ROFIELDTR("fld", L("lcl_prs_address_post_plaats"), mld_adr_pst_pla);
ROFIELDTR("fld", L("lcl_prs_address_post_land"), mld_adr_pst_lnd);
ROFIELDTR("fld", L("lcl_prs_address_post_land"), mld_adr_pst_lnd);
BLOCK_END();
BLOCK_START("facCnt", L("lcl_prs_bedrijf_contactblock"));
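Review bot: In `fac_delete()` the new `data` object embeds `<%=adr_key%>` bare into the JS literal, and the same `adr_key` is concatenated into SQL a few lines up (`" WHERE mld_adres_key = " + adr_key`, a context line this commit does not touch), so both spots depend on adr_key having been validated as an integer before this point. If it is parsed with something like `getQParamInt` (as widget_key is elsewhere in this commit) a one-line comment at the concatenation, `// adr_key is an int parsed above; safe to inline`, is enough; if it can still be an arbitrary string, the SQL needs a bound parameter and the JS literal needs `safe.jsstring`. The remaining hunks in this file only shift whitespace. The top of the script that reads adr_key is outside the hunks.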


@@ -52,10 +52,12 @@ if (oRs.Eof)
{
if (confirm(L("lcl_fac_del_txt_api")))
{
var data = { key: <%=api_key%>
, level: "AP"
};
<% protectRequest.dataToken("data"); %>
$.post("fac_delete.asp"
, { key: <%=api_key%>
, level: "AP"
}
, data
, FcltCallbackClose
, "json"
);
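Review bot: `key: <%=api_key%>` in the new `data` object inlines the server value into the script unquoted; that is only safe if api_key is already an integer when the page renders, which this hunk does not show. Either quote it via `safe.jsstring` as the bookmark page in this commit does, or note at the line why that is unnecessary: `// api_key parsed as int server-side`. The `confirm` here sits inside a function that begins before the hunk.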


@@ -68,9 +68,12 @@ oRs.close();
{
if (confirm(L("lcl_R_U_sure")))
{
var data = { key: "<%=safe.jsstring(bkm_id)%>",
level: "BM"
};
<% protectRequest.dataToken("data"); %>
$.post("fac_delete.asp",
{ key: "<%=safe.jsstring(bkm_id)%>",
level: "BM" },
data,
FcltCallbackClose,
"json");
}
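Review bot: Stamping the token on the client is only half of this control; it bites only if `fac_delete.asp` rejects a POST that lacks the token, and nothing in this commit visibly adds `protectRequest.validateToken()` to it. Of the four server-side pages that do gain the call here, two check WEB_PRSSYS/WEB_MLDFOF authorisation, one reads `lang` and one reads `widget_key`; file names are not shown on this page, so which handlers those are is inferred, but fac_delete, faq_delete, job_delete, menu_sort_update and the opdr_* handlers posted to in the other sections do not appear to be among them. Unless those handlers already validate the token, a forged POST to them is still accepted and the client-side stamping in this section is decorative. This section's own change is correct as far as it goes, and `safe.jsstring(bkm_id)` is the right way to embed the key.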


@@ -114,8 +114,11 @@ user.auth_required_or_abort(authparamsFAQUSE || authparamsFAQFOF || authparamsFA
{
if (confirm(L("lcl_R_U_sure")))
{
var data = { faq_key: <%=faq_key%>
};
<% protectRequest.dataToken("data"); %>
$.post("faq_delete.asp",
{ faq_key: <%=faq_key%>},
data,
FcltCallbackClose,
"json");
}
@@ -134,8 +137,8 @@ user.auth_required_or_abort(authparamsFAQUSE || authparamsFAQFOF || authparamsFA
var buttons = [];
if (canWriteFAQFOF || canWriteFAQBOF)
{
var buttons = [ {title: L("lcl_do_amelding_hint"), action: "faq_newmld()", icon: "doemelding.png" },
{title: L("lcl_change"), action: "faq_change()", icon: "wijzigen.png" },
var buttons = [ {title: L("lcl_change"), action: "faq_change()", icon: "wijzigen.png" },
{title: L("lcl_do_amelding_hint"), action: "faq_newmld()", icon: "doemelding.png" },
{title: L("lcl_delete"), action: "faq_delete()", icon: "delete.png" }
];
}
@@ -186,7 +189,7 @@ user.auth_required_or_abort(authparamsFAQUSE || authparamsFAQFOF || authparamsFA
<% generateFlexKenmerkCode ({ faq_key: faq_key,
reado : true,
flexcolumns: S("faq_flexcolumns")
}); %>
}); %>
</td>
</tr>
<%
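Review bot: This section mixes two unrelated edits: the CSRF token on `faq_delete` and a reordering of the `buttons` array (the change entry now precedes the do-melding entry) plus whitespace at the bottom; the reorder is a UI change that belongs in its own commit so the security change stays reviewable on its own. In the delete call, `faq_key: <%=faq_key%>` is inlined unquoted and the hunk does not show faq_key being parsed as an integer; if it is, say so at the line (`// faq_key is an int parsed server-side`), otherwise use `safe.jsstring`. The `faq_delete` function starts before the hunk.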


@@ -163,11 +163,16 @@ function fncolGroep(oRsvalue)
{
var menu_key = <%=menu_key%>;
if (confirm(L("lcl_fac_del_txt_menu")))
{
var data = { key: <%=menu_key%>,
level: "FM"
};
<% protectRequest.dataToken("data"); %>
$.post("fac_delete.asp",
{ key: <%=menu_key%>,
level: "FM" },
FcltCallbackClose,
"json");
data,
FcltCallbackClose,
"json");
}
}
</script>
</head>
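Review bot: The new `data` object re-interpolates `<%=menu_key%>` even though the function already holds it in a local two lines up (`var menu_key = <%=menu_key%>;`); reading the local keeps the server value in one place: `var data = { key: menu_key, level: "FM" };`. The enclosing delete function begins before the hunk.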


@@ -72,10 +72,13 @@ var widget_key = getQParamInt("widget_key");
{
if (confirm(L("lcl_R_U_sure")))
{
var data = { widget_key: <%=widget_key%>
};
<% protectRequest.dataToken("data"); %>
$.post("widget_delete.asp",
{ widget_key: <%=widget_key%>},
FcltCallbackClose,
"json");
data,
FcltCallbackClose,
"json");
}
}
</script>


@@ -78,8 +78,14 @@ function generateHeader()
"json");
}
function changeLanguage(lang) {
$.post("./set_language.asp?lang="+lang, {}, FcltCallbackRefresh, "json");
function changeLanguage(lang)
{
var data = {};
<% protectRequest.dataToken("data"); %>
$.post("./set_language.asp?lang="+lang,
data,
FcltCallbackRefresh,
"json");
}
</script>
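Review bot: `changeLanguage` still builds its URL as `"./set_language.asp?lang="+lang` with no encoding, so a value containing `&` or `#` is split or truncated before it reaches the server; what appears to be the matching server page in this commit reads `lang` from the query (`getQParamSafe('lang')`) and checks it against the language toggles, so the fix is simply `$.post("./set_language.asp?lang=" + encodeURIComponent(lang),`. The empty `data` object exists only to carry the token, which is fine, but a short comment `// body carries only the CSRF token; lang travels in the query` would save the next reader a puzzle.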


@@ -18,6 +18,7 @@ DOCTYPE_Disable = 1;
<!--#include file="../Shared/common.inc"-->
<!--#include file="../Shared/json2.js" -->
<%
protectRequest.validateToken();
var autfunction = "WEB_MLDFOF";
var authparams = user.checkAutorisation(autfunction);


@@ -147,12 +147,15 @@ if (xmlnode == "opdracht")
{
if (confirm(L("lcl_job_del_txt_job")))
{
$.post("job_delete.asp",
{ key: <%=job_key%>,
level: "J"},
FcltCallbackClose,
"json");
}
var data = { key: <%=job_key%>,
level: "J"
};
<% protectRequest.dataToken("data"); %>
$.post("job_delete.asp",
data,
FcltCallbackClose,
"json");
}
}
function job_bes()
{
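Review bot: `key: <%=job_key%>` is inlined into the script unquoted in the rebuilt `data` object; that is safe only if job_key is already an integer at render time, which the hunk does not show. Record it at the line (`// job_key is an int parsed server-side`) or quote via `safe.jsstring` as the bookmark page in this commit does. The delete function begins before the hunk; `job_bes()` after it is only context.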


@@ -37,11 +37,14 @@ FCLTHeader.Requires({plugins:["jQuery"], js: ["jquery-ui.js"]})
var nextVolg = parseInt(next[0].volgnr);
var newVolg = String(((prevVolg+nextVolg)/2));
var thisKey = ui.item[0].menukey;
var data = { newVolg: newVolg,
menu_key: thisKey
};
<% protectRequest.dataToken("data"); %>
$.post("menu_sort_update.asp",
{ newVolg: newVolg,
menu_key: thisKey },
FcltCallback,
"json");
data,
FcltCallback,
"json");
ui.item[0].volgnr = newVolg;
ui.item.find("span").css("color", "red").text(newVolg);
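Review bot: Both posted values come from the client — `newVolg` is computed locally from the neighbours' `volgnr` and `thisKey` is read off a DOM expando — so the token only stops cross-site forgery; the server page, not visible in this diff, must still parse them as numbers and check that the caller may reorder that menu, since any logged-in user can send arbitrary values. The local `ui.item[0].volgnr = newVolg` is also applied before the POST completes, so if the server rejects the update the list and the stored order diverge until a reload. The sortable update handler that contains this code starts before the hunk.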


@@ -16,6 +16,7 @@
<!--#include file="../Shared/common.inc"-->
<!-- #include file="../Shared/json2.js" -->
<%
protectRequest.validateToken();
var plang = getQParamSafe('lang');
for (i in S("language_toggles"))


@@ -17,6 +17,7 @@ DOCTYPE_Disable = 1;
<!--#include file="../Shared/common.inc"-->
<!--#include file="../Shared/json2.js" -->
<%
protectRequest.validateToken();
var widget_key = getFParamInt( "widget_key", -1 );
var authparams = user.checkAutorisation("WEB_PRSSYS");