Hi Froilan,

This is a fix for a vulnerability OutSystems has resealed two months ago, which was inside a publicly exposed Popup_Upload page available in the RichWidgets module.

More information on the issue can be found in this forum post.

https://www.outsystems.com/forums/discussion/41206/richwidget-popup-upload-security/

Enabling the PopupUpload_UseToken Site Property will enforce a token mechanism security layer for this Popup_Upload screen. This way, no file will be saved on the server without a valid upload token.

Hope this helps.

Regards,

Nordin

We have this issue when pressing a button using enter key then suddenly the page redirects the popup upload page. This happens when that site property is set to true. setting it to false the issue don't happen.

please advise. 

Hi Froilan,

I'm not sure I understand. 

Can you share more specific details of your issue. Also some screenshots or an example OML that replicates this behavior would help.

Thanks,

Nordin

Hi Nordin,

Let me rephrase and here's the detailed explanation of the issue.

In our page we are using Search control under Webpatterns and have text input inside.

During runtime, when i typed/enter a value I want to search and press Enter key (keyboard), the page gets redirected to the popup upload page as you can see in the screenshot below.

This only happens when the site property PopupUpload_UseToken is set to TRUE.

I noticed as well that this is only happening when a page has no default button/link that has been set.

Does anyone here know how this is happening? 

Hi Froilan,

Sorry for the late reply. This one somehow must have slipped my mind!

There should be a button that is associated with a Popup_Editor widget somewhere on that page. 

Hitting the Enter-key will trigger the one button/link that is set as Default and if this happens to be the one button/link that is bound to a Popup_Editor widget, it could result in a redirect to the Popup_Upload webscreen of the RichWidgets module.

You could open a clone of the RichWidgets module and review the logic yourself. When the Site Property PopupUpload_UseToken is set to True, it will use the Popup_Editor_WithToken Web Block.

The Popup_Editor_WithToken Web Block in its turn contains some Javascript that clicks on the Open Popup Upload Button whichs redirect the user to the Popup_Upload webscreen.

Hope this helps!

Regards,

Nordin

You're most welcome!