security #token : - handling the creation menu item area which content is added after the end of the loading of the HTLM page

- adding a rule to prevent from the token validation on some of REST WEB services
- removing location.href use on sensible functionalities :
  . deleting resource from resource manager component
  . deleting reservation from resource manager component
- fixing :
  . kmax components which didn't work with security tokens (renaming also "nodeName" ids in "nodeNameValue" because of a jQuery bug)
  . adding to favorite from a publication
  . thumbnail management on publication header
  . subscription to forum application
  . technical navigation error after saving the content of webPages component
  . navigation problem on process manager application
- upgrading subscription UI response on blog component

Author: SilverYoCha

blog/blog-war/src/main/java/com/silverpeas/blog/control/BlogSessionController.java

@@ -78,6 +78,7 @@
 import org.codehaus.jackson.xc.JaxbAnnotationIntrospector;
 import org.silverpeas.node.web.NodeEntity;
 import org.silverpeas.search.indexEngine.model.IndexManager;
+import org.silverpeas.util.NotifierUtil;
 
 import static com.silverpeas.pdc.model.PdcClassification.aPdcClassificationOfContent;
 
@@ -344,10 +345,12 @@ public Collection<PostDetail> getResultSearch(String word) {
 
   public synchronized void addUserSubscription() throws RemoteException {
     getBlogService().addSubscription(getUserId(), getComponentId());
+    NotifierUtil.addSuccess(getString("blog.addSubscriptionOk"));
   }
 
   public synchronized void removeUserSubscription() throws RemoteException {
     getBlogService().removeSubscription(getUserId(), getComponentId());
+    NotifierUtil.addSuccess(getString("blog.removeSubscriptionOk"));
   }
 
   public synchronized boolean isUserSubscribed() throws RemoteException {

blog/blog-war/src/main/webapp/blog/jsp/accueil.jsp

@@ -101,13 +101,11 @@ function sendData() {
 }
 
 function addSubscription() {
-  window.alert("<%=resource.getString("blog.addSubscriptionOk")%>");
   window.document.subscriptionForm.action = "AddSubscription";
   window.document.subscriptionForm.submit();
 }
 
 function removeSubscription() {
-  window.alert("<%=resource.getString("blog.removeSubscriptionOk")%>");
   window.document.subscriptionForm.action = "RemoveSubscription";
   window.document.subscriptionForm.submit();
 }

forums/forums-war/src/main/java/org/silverpeas/servlets/ForumsRequestRouter.java

@@ -66,7 +66,7 @@ public String getDestination(String function, ForumsSessionController forumsSC,
     try {
       if ((function.startsWith("Main")) || (function.startsWith("main"))) {
         String forumId = request.getParameter("forumId");
-        if (forumId != null && Integer.parseInt(forumId) > 0) {
+        if (StringUtil.isInteger(forumId) && Integer.parseInt(forumId) > 0) {
           return ROOT_DEST + ActionUrl.getUrl("viewForum", "main", Integer.parseInt(forumId));
         }
         destination = ROOT_DEST + "main.jsp";

gallery/gallery-war/src/main/webapp/gallery/jsp/viewAlbum.jsp

@@ -169,7 +169,7 @@
 
         function addFavorite(m_sAbsolute,m_context,name,description,url)
         {
-          urlWindow = m_sAbsolute + m_context + "/RmyLinksPeas/jsp/CreateLinkFromComponent?Name="+name+"&Description="+description+"&Url="+url+"&Visible=true";
+          urlWindow = m_sAbsolute + m_context + "/RmyLinksPeas/jsp/AddLinkFromComponent?Name="+name+"&Description="+description+"&Url="+url+"&Visible=true";
           windowName = "albumWindow";
           larg = "550";
           haut = "250";

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/javaScript/navigation.js

@@ -6,7 +6,7 @@ var exportComponentWindow = window;
 
 function addFavorite(name, description, url)
 {
-  urlWindow = getWebContext() + "/RmyLinksPeas/jsp/CreateLinkFromComponent?Name=" + name + "&Description=" + description + "&Url=" + url + "&Visible=true";
+  urlWindow = getWebContext() + "/RmyLinksPeas/jsp/AddLinkFromComponent?Name=" + name + "&Description=" + description + "&Url=" + url + "&Visible=true";
   windowName = "favoriteWindow";
   larg = "550";
   haut = "250";

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/kmax.jsp

@@ -91,8 +91,12 @@ function search() {
     timeCriteria = "X";
     timeCriteriaUsed = 0;
 	<% if (kmeliaScc.isTimeAxisUsed()) { %>
-	    timeCriteria = document.axisForm.elements[document.axisForm.length - 1].value;
-	    timeCriteriaUsed = 1;
+      // -2 instead of -1 because of security tokens
+      // before, it was :
+      //  - document.axisForm.elements[document.axisForm.length - 1].value
+      //  - timeCriteriaUsed = 1;
+	    timeCriteria = document.axisForm.elements[document.axisForm.length - 2].value;
+	    timeCriteriaUsed = 2;
 	<% } %>
 	for (var i=0; i<document.axisForm.length - timeCriteriaUsed; i++) {
     	if (document.axisForm.elements[i].value.length != 0) {

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/kmax_addPositionToAxis.jsp

@@ -120,7 +120,7 @@ out.println(board.printBefore());
 			<%=I18NHelper.getFormLine(resources, null, kmeliaScc.getLanguage())%>
 		  <TR><TD class="txtlibform"><%=kmeliaScc.getString("ComponentTitle")%> :</TD>
 		      <TD><input type="hidden" name="AxisId" value="<%=axisId%>">
-		      	<input type="text" id="nodeName" name="Name" value="" size="60" maxlength="60"> <img border="0" src="<%=mandatoryField%>" width="5" height="5"></TD></TR>
+			<input type="text" id="nodeNameValue" name="Name" value="" size="60" maxlength="60"> <img border="0" src="<%=mandatoryField%>" width="5" height="5"></TD></TR>
 		  <TR><TD class="txtlibform"><%=kmeliaScc.getString("ComponentDescription")%> :</TD>
 		      <TD><input type="text" id="nodeDesc" name="Description" value="" size="60" maxlength="200"></TD></TR>
 		  <TR><TD colspan="2">( <img border="0" src="<%=mandatoryField%>" width="5" height="5"> = <%=kmeliaScc.getString("ChampsObligatoires")%> )</TD></TR>

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/kmax_addPositionToPosition.jsp

@@ -126,7 +126,7 @@ out.println(board.printBefore());
 		<TABLE cellPadding="5" cellSpacing="0" border="0">
 			<%=I18NHelper.getFormLine(resources, null, kmeliaScc.getLanguage())%>
 		  <TR><TD class="txtlibform"><%=kmeliaScc.getString("ComponentTitle")%> :</TD>
-		      <TD><input type="hidden" name="AxisId" value="<%=axisId%>"><input type="text" id="nodeName" name="Name" value="" size="60" maxlength="60"> <img border="0" src="<%=mandatoryField%>" width="5" height="5"></TD></TR>
+		      <TD><input type="hidden" name="AxisId" value="<%=axisId%>"><input type="text" id="nodeNameValue" name="Name" value="" size="60" maxlength="60"> <img border="0" src="<%=mandatoryField%>" width="5" height="5"></TD></TR>
 		  <TR><TD class="txtlibform"><%=kmeliaScc.getString("ComponentDescription")%> :</TD>
 		      <TD><input type="text" id="nodeDesc" name="Description" value="" size="60" maxlength="200"></TD></TR>
 		  <TR><TD colspan="2">( <img border="0" src="<%=mandatoryField%>" width="5" height="5"> = <%=kmeliaScc.getString("ChampsObligatoires")%> )</TD></TR>

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/kmax_axisManager.jsp

@@ -264,7 +264,7 @@ function positionDelete() {
 
 function showTranslation(lang)
 {
-	showFieldTranslation('nodeName', 'name_'+lang);
+	showFieldTranslation('nodeNameValue', 'name_'+lang);
 	showFieldTranslation('nodeDesc', 'desc_'+lang);
 }
 

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/kmax_axisReport.jsp

@@ -264,7 +264,7 @@ String displayAxisManageView(KmeliaSessionController kmeliaScc, GraphicElementFa
 	            result.append("<tr>");
 					result.append("<td width=\"20%\" class=\"txtlibform\">"+kmeliaScc.getString("AxisTitle")+" : </td>");
 					result.append("<td>"); 
-						result.append("<input type=\"text\" id=\"nodeName\" name=\"Name\" value=\""+Encode.javaStringToHtmlString(axis.getName(translation))+"\" size=\"61\" maxlength=\"50\">&nbsp;<img alt=\"\" src=\""+mandatoryFieldSrc+"\" border=\"0\"  width=\"5px\"  height=\"5px\" />");
+						result.append("<input type=\"text\" id=\"nodeNameValue\" name=\"Name\" value=\""+Encode.javaStringToHtmlString(axis.getName(translation))+"\" size=\"61\" maxlength=\"50\">&nbsp;<img alt=\"\" src=\""+mandatoryFieldSrc+"\" border=\"0\"  width=\"5px\"  height=\"5px\" />");
 					result.append("</td>");
 					result.append("<td>&nbsp;</td>");
 					result.append("<td>&nbsp;</td>");
@@ -338,7 +338,7 @@ String displayComponentManageView(KmeliaSessionController kmelia, GraphicElement
             result.append("<tr>"); 
 				result.append("<td width=\"20%\" class=\"txtlibform\">"+kmelia.getString("ComponentTitle")+" : </td>");
 				result.append("<td>"); 
-					result.append("<input type=\"text\" id=\"nodeName\" name=\"Name\" value=\""+Encode.javaStringToHtmlString(nodeDetail.getName(translation))+"\" size=\"61\" maxlength=\"50\">&nbsp;<img alt=\"  \" src=\""+mandatoryFieldSrc+"\" border=\"0\"  width=\"5px\" height=\"5px\" />");
+					result.append("<input type=\"text\" id=\"nodeNameValue\" name=\"Name\" value=\""+Encode.javaStringToHtmlString(nodeDetail.getName(translation))+"\" size=\"61\" maxlength=\"50\">&nbsp;<img alt=\"  \" src=\""+mandatoryFieldSrc+"\" border=\"0\"  width=\"5px\" height=\"5px\" />");
 				result.append("</td>");
 				result.append("<td>&nbsp;</td>");
 				result.append("<td>&nbsp;</td>");

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/kmax_portlet.jsp

@@ -87,8 +87,12 @@ function search() {
     timeCriteria = "X";
     timeCriteriaUsed = 0;
 	<% if (kmeliaScc.isTimeAxisUsed()) { %>
-	    timeCriteria = document.axisForm.elements[document.axisForm.length - 1].value;
-	    timeCriteriaUsed = 1;
+      // -2 instead of -1 because of security tokens
+      // before, it was :
+      //  - document.axisForm.elements[document.axisForm.length - 1].value
+      //  - timeCriteriaUsed = 1;
+      timeCriteria = document.axisForm.elements[document.axisForm.length - 2].value;
+	    timeCriteriaUsed = 2;
 	<% } %>
 	for (var i=0; i<document.axisForm.length - timeCriteriaUsed; i++) {
     	if (document.axisForm.elements[i].value.length != 0) {

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/kmax_viewCombination.jsp

@@ -84,7 +84,10 @@ out.println(gef.getLookStyleSheet());
 	function search() {
 	    z = "";
 	    nbSelectedAxis = 0;
-	    for (var i=0; i<document.axisForm.length; i++) {
+      // -1 because of security tokens
+      // before, it was :
+      //  - i < document.axisForm.length
+	    for (var i=0; i<(document.axisForm.length-1); i++) {
 	        if (document.axisForm.elements[i].value.length != 0) {
 	            if (nbSelectedAxis != 0)
 	                z += ",";

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/publication.jsp

@@ -414,7 +414,7 @@
           var name = encodeURIComponent($("#breadCrumb").text() + " > " + $(".publiName").text());
           var description = encodeURIComponent("<%=EncodeHelper.javaStringToJsString(pubDetail.getDescription(language))%>");
           var url = "<%=URLManager.getSimpleURL(URLManager.URL_PUBLI, pubDetail.getPK().getId())%>";
-          urlWindow = "<%=m_context%>/RmyLinksPeas/jsp/CreateLinkFromComponent?Name="+name+"&Description="+description+"&Url="+url+"&Visible=true";
+          urlWindow = "<%=m_context%>/RmyLinksPeas/jsp/AddLinkFromComponent?Name="+name+"&Description="+description+"&Url="+url+"&Visible=true";
 
 		  if (!favoriteWindow.closed && favoriteWindow.name== "favoriteWindow") {
             favoriteWindow.close();

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/publicationManager.jsp

@@ -590,7 +590,7 @@
 
         function addFavorite(name,description,url)
         {
-        	urlWindow = "<%=m_context%>/RmyLinksPeas/jsp/CreateLinkFromComponent?Name="+name+"&Description="+description+"&Url="+url+"&Visible=true";
+		urlWindow = "<%=m_context%>/RmyLinksPeas/jsp/AddLinkFromComponent?Name="+name+"&Description="+description+"&Url="+url+"&Visible=true";
             windowName = "favoriteWindow";
         	larg = "550";
         	haut = "250";
@@ -636,7 +636,7 @@
         }
 
         function deleteThumbnail() {
-        	location.href="<%=httpServerBase + m_context%>/Thumbnail/jsp/thumbnailManager.jsp?Action=Delete<%=standardParamaters%>";
+          jQuery('#genericForm').attr('action', "<%=httpServerBase + m_context%>/Thumbnail/jsp/thumbnailManager.jsp?Action=Delete<%=standardParamaters%>").submit();
         }
 
         function closeThumbnailDialog() {
@@ -1015,5 +1015,6 @@
       document.pubForm.Name.focus();
      });
   </script>
+<form id="genericForm" action="" method="POST"></form>
 </body>
 </html>

kmelia/kmelia-war/src/main/webapp/kmelia/jsp/updateTopicNew.jsp

@@ -142,7 +142,7 @@
 
             function showTranslation(lang)
             {
-              showFieldTranslation('nodeName', 'name_'+lang);
+              showFieldTranslation('nodeNameValue', 'name_'+lang);
               showFieldTranslation('nodeDesc', 'desc_'+lang);
             }
 
@@ -186,7 +186,7 @@
                 <%=I18NHelper.getFormLine(resources, node, translation)%>
                 <tr>
                   <td class="txtlibform"><fmt:message key="TopicTitle"/> :</td>
-                  <td><input type="text" name="Name" id="nodeName" value="<%=EncodeHelper.javaStringToHtmlString(name)%>" size="60" maxlength="50">&nbsp;<img border="0" alt="mandatory" src="<c:out value="${mandatoryFieldUrl}" />" width="5" height="5"/></td>
+                  <td><input type="text" name="Name" id="nodeNameValue" value="<%=EncodeHelper.javaStringToHtmlString(name)%>" size="60" maxlength="50">&nbsp;<img border="0" alt="mandatory" src="<c:out value="${mandatoryFieldUrl}" />" width="5" height="5"/></td>
                 </tr>
                 <c:choose>
                   <c:when test="${true eq requestScope.IsLink}">

newsedito/newsedito-war/src/main/webapp/newsEdito/jsp/newsEdito.jsp

@@ -159,7 +159,7 @@ function viewFavorits()
 
 function addFavorite(m_sAbsolute,m_context,name,description,url)
 	{
-  		urlWindow = m_sAbsolute + m_context + "/RmyLinksPeas/jsp/CreateLinkFromComponent?Name="+name+"&Description="+description+"&Url="+url+"&Visible=true";
+		urlWindow = m_sAbsolute + m_context + "/RmyLinksPeas/jsp/AddLinkFromComponent?Name="+name+"&Description="+description+"&Url="+url+"&Visible=true";
 	    windowName = "favoritWindow";
 		larg = "550";
 		haut = "250";

process-manager/process-manager-war/src/main/java/com/silverpeas/processManager/servlets/SessionSafeFunctionHandler.java

@@ -40,7 +40,10 @@ final public String getDestination(String function, ProcessManagerSessionControl
     if (request.isContentInMultipart()) {
       try {
         items = new ArrayList<FileItem>();
-        items.addAll(request.getFileItems());
+        if (request.getAttribute("ALREADY_PROCESSED") == null) {
+          items.addAll(request.getFileItems());
+          request.setAttribute("ALREADY_PROCESSED", true);
+        }
       } catch (UtilException e) {
         SilverTrace.error("processManager", "SessionSafeFunctionHandler.getDestination()",
             "processManager.TOKENID_CHECK_FAILURE", e);

resources-manager/resources-manager-war/src/main/webapp/resourcesManager/jsp/resources.jsp

@@ -71,10 +71,10 @@
 <script type="text/javascript">
 function deleteResource(resourceId, name,categoryId) {
 	if (confirm("<%=resource.getString("resourcesManager.deleteResource")%>" + " " + name + " ?")) {
-		//location.href="DeleteRessource?resourceId="+resourceId+"&categoryId="+categoryId;
-    $('#resourceId').val(resourceId);
-    $('#categoryId').val(categoryId);
-    $('#resourceForm').submit();
+    var $form = $('#resourceForm');
+    $('#resourceId', $form).val(resourceId);
+    $('#categoryId', $form).val(categoryId);
+    $form.submit();
 	}
 }
 </script>

resources-manager/resources-manager-war/src/main/webapp/resourcesManager/jsp/viewReservation.jsp

@@ -71,9 +71,9 @@ if (!isOwner) {
 <script type="text/javascript">
 function deleteReservation(){
 	if(confirm("<%=resource.getString("resourcesManager.suppressionConfirmation")%>")){
-		//location.href="DeleteReservation?id="+<%=reservationId%>;
-    $('#id').val('<%=reservationId%>');
-    $('#reservationForm').attr('action', 'DeleteReservation').submit();
+    var $form = $('#reservationForm');
+    $('#id', $form).val('<%=reservationId%>');
+    $form.attr('action', 'DeleteReservation').submit();
 	}
 }
 

resources-manager/resources-manager-war/src/main/webapp/resourcesManager/jsp/viewReservations.jsp

@@ -46,9 +46,9 @@ ArrayLine arrayLine;
 	
 	function deleteReservation(reservationId, event) {
 		  if (confirm("Etes vous sûr de vouloir supprimer la réservation liée à l'évènement "+event+"?")) {
-        //location.href="DeleteReservation?id="+reservationId;
-        $('input[name="id"]').val(reservationId);
-        $('#ReservationDeletion').submit();
+        var $form = $('#ReservationDeletion');
+        $('#id', $form).val(reservationId);
+        $form.submit();
 		  }
 	}
 	

webpages/webpages-war/src/main/java/com/silverpeas/webpages/servlets/WebPagesRequestRouter.java

@@ -25,16 +25,18 @@
 import com.silverpeas.webpages.model.WebPagesException;
 import com.stratelia.silverpeas.peasCore.ComponentContext;
 import com.stratelia.silverpeas.peasCore.MainSessionController;
+import com.stratelia.silverpeas.peasCore.URLManager;
 import com.stratelia.silverpeas.peasCore.servlets.ComponentRequestRouter;
 import com.stratelia.silverpeas.silvertrace.SilverTrace;
-import java.net.URLEncoder;
-import java.util.List;
-import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.fileupload.FileItem;
 import org.apache.commons.lang3.CharEncoding;
 import org.owasp.encoder.Encode;
 import org.silverpeas.servlet.HttpRequest;
 
+import javax.servlet.http.HttpServletRequest;
+import java.net.URLEncoder;
+import java.util.List;
+
 /**
  * @author sdevolder
  */
@@ -108,7 +110,8 @@ public String getDestination(String function, WebPagesSessionController webPages
           request.setAttribute("BrowseInfo", Encode.forHtml(webPagesSC.getComponentLabel()));
           request.setAttribute("ObjectId", webPagesSC.getComponentId());
           request.setAttribute("Language", webPagesSC.getLanguage());
-          request.setAttribute("ReturnUrl", webPagesSC.getComponentUrl() + "Preview");
+          request.setAttribute("ReturnUrl",
+              URLManager.getApplicationURL() + webPagesSC.getComponentUrl() + "Preview");
           request.setAttribute("UserId", webPagesSC.getUserId());
           request.setAttribute("IndexIt", "false");
           destination = "/wysiwyg/jsp/htmlEditor.jsp";