[TASK] Protect Ajax calls of core extensions 54/28654/3
authorHelmut Hummel <helmut.hummel@typo3.org>
Sun, 23 Mar 2014 00:13:30 +0000 (01:13 +0100)
committerMarkus Klein <klein.t3@mfc-linz.at>
Sun, 23 Mar 2014 13:17:09 +0000 (14:17 +0100)
All core extensions should use the new Ajax API,
so that their Ajax calls are CSRF protected.

Resolves: #57196
Releases: 6.2
Change-Id: I8f6f45fc9426a0e9ae15e61670f52b7cf9f461af
Reviewed-on: https://review.typo3.org/28654
Reviewed-by: Markus Klein
Tested-by: Markus Klein
16 files changed:
typo3/sysext/opendocs/Resources/Public/JavaScript/opendocs.js
typo3/sysext/opendocs/ext_tables.php
typo3/sysext/perm/ext_tables.php
typo3/sysext/perm/mod1/perm.js
typo3/sysext/recycler/Classes/Controller/RecyclerModuleController.php
typo3/sysext/recycler/ext_localconf.php
typo3/sysext/recycler/res/js/t3_recycler.js
typo3/sysext/rtehtmlarea/Classes/Extension/Spellchecker.php
typo3/sysext/rtehtmlarea/ext_localconf.php
typo3/sysext/t3editor/ext_tables.php
typo3/sysext/t3editor/res/jslib/t3editor.js
typo3/sysext/t3editor/res/jslib/ts_codecompletion/descriptionPlugin.js
typo3/sysext/t3editor/res/jslib/ts_codecompletion/tscodecompletion.js
typo3/sysext/t3editor/res/jslib/ts_codecompletion/tsref.js
typo3/sysext/taskcenter/ext_tables.php
typo3/sysext/taskcenter/res/tasklist.js

index 45e13fe..157019c 100644 (file)
@@ -29,7 +29,6 @@
  *
  */
 var OpenDocs = Class.create({
-       ajaxScript: 'ajax.php',
        menu: null,
        toolbarItemIcon: null,
 
@@ -45,7 +44,6 @@ var OpenDocs = Class.create({
                        );
                        TYPO3BackendToolbarManager.positionMenu('tx-opendocs-menu');
                        this.toolbarItemIcon = $$('#tx-opendocs-menu .toolbar-item span.t3-icon')[0];
-                       this.ajaxScript      = top.TS.PATH_typo3 + this.ajaxScript; // can't be initialized earlier
 
                        Event.observe($$('#tx-opendocs-menu .toolbar-item')[0], 'click', this.toggleMenu);
                        this.menu = $$('#tx-opendocs-menu .toolbar-item-menu')[0];
@@ -83,10 +81,7 @@ var OpenDocs = Class.create({
 
                new Ajax.Updater(
                        this.menu,
-                       this.ajaxScript, {
-                               parameters: {
-                                       ajaxID: 'OpendocsController::renderMenu'
-                               },
+                       top.TS.PATH_typo3 + TYPO3.settings.ajaxUrls['OpendocsController::renderMenu'], {
                                onComplete: function(xhr) {
                                        this.toolbarItemIcon.src = origToolbarItemIcon;
                                }.bind(this)
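Review bot: `TYPO3.settings.ajaxUrls['OpendocsController::renderMenu']` is read without checking that the entry exists, so a missing registration (or a frame in which `TYPO3.settings.ajaxUrls` is not populated) turns the request URL into `top.TS.PATH_typo3 + 'undefined'` instead of failing visibly. Resolve the URL first and stop with a clear message, e.g. `var url = TYPO3.settings.ajaxUrls['OpendocsController::renderMenu'];` followed by `if (!url) { throw new Error('Ajax URL for OpendocsController::renderMenu is not registered'); }`. The same unchecked lookup appears in closeDocument in the next hunk, in `WebPermissions.thisScript` in perm.js (evaluated once, when the script loads), and in the t3editor, recycler and taskcenter scripts. The enclosing function starts outside this hunk.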
@@ -121,9 +116,8 @@ var OpenDocs = Class.create({
        closeDocument: function(md5sum) {
                new Ajax.Updater(
                        this.menu,
-                       this.ajaxScript, {
+                       top.TS.PATH_typo3 + TYPO3.settings.ajaxUrls['OpendocsController::closeDocument'], {
                                parameters: {
-                                       ajaxID: 'OpendocsController::closeDocument',
                                        md5sum: md5sum
                                },
                                onComplete: function() {
index f3c96ca..7c96df8 100644 (file)
@@ -7,8 +7,8 @@ if (TYPO3_MODE === 'BE') {
        // Register toolbar item
        $GLOBALS['TYPO3_CONF_VARS']['typo3/backend.php']['additionalBackendItems'][] = $opendocsPath . 'registerToolbarItem.php';
        // Register AJAX calls
-       $GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX']['OpendocsController::renderMenu'] = 'TYPO3\\CMS\\Opendocs\\Controller\\OpendocsController->renderAjax';
-       $GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX']['OpendocsController::closeDocument'] = 'TYPO3\\CMS\\Opendocs\\Controller\\OpendocsController->closeDocument';
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('OpendocsController::renderMenu', 'TYPO3\\CMS\\Opendocs\\Controller\\OpendocsController->renderAjax');
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('OpendocsController::closeDocument', 'TYPO3\\CMS\\Opendocs\\Controller\\OpendocsController->closeDocument');
        // Register update signal to update the number of open documents
        $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_befunc.php']['updateSignalHook']['OpendocsController::updateNumber'] = 'TYPO3\\CMS\\Opendocs\\Controller\\OpendocsController->updateNumberOfOpenDocsHook';
 }
index c561064..b216d32 100644 (file)
@@ -9,5 +9,5 @@ if (TYPO3_MODE === 'BE') {
                '',
                \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath($_EXTKEY) . 'mod1/'
        );
-       $GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX']['PermissionAjaxController::dispatch'] = 'TYPO3\\CMS\\Perm\\Controller\\PermissionAjaxController->dispatch';
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('PermissionAjaxController::dispatch', 'TYPO3\\CMS\\Perm\\Controller\\PermissionAjaxController->dispatch');
 }
index 8e38941..d3f90dd 100644 (file)
@@ -59,27 +59,26 @@ function jumpToUrl(URL)     { window.location.href = URL; }
 // Methods for AJAX permission manipulation
 var WebPermissions = {
 
-    thisScript: 'ajax.php',
-       ajaxID: 'PermissionAjaxController::dispatch',
+    thisScript: TYPO3.settings.ajaxUrls['PermissionAjaxController::dispatch'],
 
                // set the permission bits through an ajax call
        setPermissions: function(page, bits, mode, who, permissions) {
                new Ajax.Updater($(page + '_' + who), this.thisScript, {
-                       parameters: { ajaxID: this.ajaxID, page: page, permissions: permissions, mode: mode, who: who, bits: bits }
+                       parameters: { page: page, permissions: permissions, mode: mode, who: who, bits: bits }
                });
        },
 
                // load the selector for selecting the owner of a page by executing an ajax call
        showChangeOwnerSelector: function(page, ownerUid, elementID, username) {
                new Ajax.Updater($(elementID), this.thisScript, {
-                       parameters: { ajaxID: this.ajaxID, action: 'show_change_owner_selector', page: page, ownerUid: ownerUid, username: username }
+                       parameters: { action: 'show_change_owner_selector', page: page, ownerUid: ownerUid, username: username }
                });
        },
 
                // Set the new owner of a page by executing an ajax call
        changeOwner: function(page, ownerUid, elementID) {
                new Ajax.Updater($(elementID), this.thisScript, {
-                       parameters: { ajaxID: this.ajaxID, action: 'change_owner', page: page, ownerUid: ownerUid, newOwnerUid: $('new_page_owner').value }
+                       parameters: { action: 'change_owner', page: page, ownerUid: ownerUid, newOwnerUid: $('new_page_owner').value }
                });
        },
 
@@ -92,14 +91,14 @@ var WebPermissions = {
                // Load the selector by executing an ajax call
        showChangeGroupSelector: function(page, groupUid, elementID, groupname) {
                new Ajax.Updater($(elementID), this.thisScript, {
-                       parameters: { ajaxID: this.ajaxID, action: 'show_change_group_selector', page: page, groupUid: groupUid, groupname: groupname }
+                       parameters: { action: 'show_change_group_selector', page: page, groupUid: groupUid, groupname: groupname }
                });
        },
 
                // Set the new group by executing an ajax call
        changeGroup: function(page, groupUid, elementID) {
                new Ajax.Updater($(elementID), this.thisScript, {
-                       parameters: { ajaxID: this.ajaxID, action: 'change_group', page: page, groupUid: groupUid, newGroupUid: $('new_page_group').value }
+                       parameters: { action: 'change_group', page: page, groupUid: groupUid, newGroupUid: $('new_page_group').value }
                });
        },
 
@@ -112,7 +111,7 @@ var WebPermissions = {
                // set or remove the edit lock by executing an ajax call
        toggleEditLock: function(page, editLockState) {
                new Ajax.Updater($('el_' + page), this.thisScript, {
-                       parameters: { ajaxID: this.ajaxID, action: 'toggle_edit_lock', page: page, editLockState: editLockState }
+                       parameters: { action: 'toggle_edit_lock', page: page, editLockState: editLockState }
                });
        }
 };
index e9d9570..9f08373 100644 (file)
@@ -172,7 +172,6 @@ class RecyclerModuleController extends \TYPO3\CMS\Backend\Module\BaseScriptClass
                        'tableDefault' => 'pages',
                        'renderTo' => 'recyclerContent',
                        'isSSL' => \TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SSL'),
-                       'ajaxController' => $this->doc->backPath . 'ajax.php?ajaxID=RecyclerAjaxController::init',
                        'deleteDisable' => $this->allowDelete ? 0 : 1,
                        'depthSelection' => $this->getDataFromSession('depthSelection', 0),
                        'tableSelection' => $this->getDataFromSession('tableSelection', 'pages'),
index f36a4ee..7000c66 100644 (file)
@@ -3,5 +3,5 @@ if (!defined('TYPO3_MODE')) {
        die('Access denied.');
 }
 if (TYPO3_MODE === 'BE') {
-       $GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX']['RecyclerAjaxController::init'] = 'TYPO3\\CMS\\Recycler\\Controller\\RecyclerAjaxController->init';
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('RecyclerAjaxController::init', 'TYPO3\\CMS\\Recycler\\Controller\\RecyclerAjaxController->init');
 }
index 6991479..61a7641 100644 (file)
@@ -73,7 +73,7 @@ Recycler.MainStore = new Ext.data.Store({
                direction: "ASC"
        },
        groupField: 'table',
-       url: TYPO3.settings.Recycler.ajaxController + '&cmd=getDeletedRecords',
+       url: TYPO3.settings.ajaxUrls['RecyclerAjaxController::init'] + '&cmd=getDeletedRecords',
        baseParams: {
                depth: TYPO3.settings.Recycler.depthSelection,
                startUid: TYPO3.settings.Recycler.startUid,
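Review bot: The store URL is built by appending `'&cmd=getDeletedRecords'` to `TYPO3.settings.ajaxUrls['RecyclerAjaxController::init']`, which is only correct while the registered URL already ends in a query string; nothing in this file guarantees that. `url: Ext.urlAppend(TYPO3.settings.ajaxUrls['RecyclerAjaxController::init'], 'cmd=getDeletedRecords'),` picks the right separator itself. The same pattern is used for `Recycler.TableStore` and for the `Ext.Ajax.request` in `Recycler.ConfirmWindow`, where `TYPO3.settings.Recycler.startUid`, `depthSelection` and `this.command` are also concatenated without `encodeURIComponent`. The store definition continues outside this hunk.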
@@ -87,7 +87,7 @@ Recycler.MainStore = new Ext.data.Store({
  * Simple table store
  ****************************************************/
 Recycler.TableStore = new Ext.data.Store({
-       url: TYPO3.settings.Recycler.ajaxController + '&startUid=' + TYPO3.settings.Recycler.startUid + '&cmd=getTables' + '&depth=' + TYPO3.settings.Recycler.depthSelection,
+       url: TYPO3.settings.ajaxUrls['RecyclerAjaxController::init'] + '&startUid=' + TYPO3.settings.Recycler.startUid + '&cmd=getTables' + '&depth=' + TYPO3.settings.Recycler.depthSelection,
        reader: new Ext.data.ArrayReader({}, [
                {name: 'table', type: 'string'},
                {name: 'records', type: 'int'},
@@ -165,7 +165,7 @@ Recycler.ConfirmWindow = Ext.extend(Ext.Window, {
                                                        tcemainData[i] = [this.records[i].data.table, this.records[i].data.uid];
                                                }
                                                Ext.Ajax.request({
-                                                       url: TYPO3.settings.Recycler.ajaxController + '&cmd=' + this.command,
+                                                       url: TYPO3.settings.ajaxUrls['RecyclerAjaxController::init'] + '&cmd=' + this.command,
                                                        params: {
                                                                'data': Ext.encode(tcemainData),
                                                                'recursive': this.getComponent('recursiveCheck').getValue()
index 52c91ed..a9d15c4 100644 (file)
@@ -23,6 +23,8 @@ namespace TYPO3\CMS\Rtehtmlarea\Extension;
  *
  *  This copyright notice MUST APPEAR in all copies of the script!
  ***************************************************************/
+use TYPO3\CMS\Backend\Utility\BackendUtility;
+
 /**
  * Spell Checker plugin for htmlArea RTE
  *
@@ -97,7 +99,7 @@ class Spellchecker extends \TYPO3\CMS\Rtehtmlarea\RteHtmlAreaApi {
                        RTEarea[' . $RTEcounter . '].buttons.' . $button . '.spellCheckerMode = "' . $spellCheckerMode . '";
                        RTEarea[' . $RTEcounter . '].buttons.' . $button . '.enablePersonalDicts = ' . ($enablePersonalDicts ? 'true' : 'false') . ';';
                        $registerRTEinJavascriptString .= '
-                       RTEarea[' . $RTEcounter . '].buttons.' . $button . '.path = "' . ($this->htmlAreaRTE->is_FE() || $this->htmlAreaRTE->isFrontendEditActive() ? ($GLOBALS['TSFE']->absRefPrefix ? $GLOBALS['TSFE']->absRefPrefix : '') . 'index.php?eID=rtehtmlarea_spellchecker' : $this->htmlAreaRTE->backPath . 'ajax.php?ajaxID=rtehtmlarea::spellchecker') . '";';
+                       RTEarea[' . $RTEcounter . '].buttons.' . $button . '.path = "' . ($this->htmlAreaRTE->is_FE() || $this->htmlAreaRTE->isFrontendEditActive() ? ($GLOBALS['TSFE']->absRefPrefix ? $GLOBALS['TSFE']->absRefPrefix : '') . 'index.php?eID=rtehtmlarea_spellchecker' : $this->htmlAreaRTE->backPath . BackendUtility::getAjaxUrl('rtehtmlarea::spellchecker')) . '";';
                }
                return $registerRTEinJavascriptString;
        }
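Review bot: Only the backend branch of this ternary gets the token-protected URL; when `is_FE()` or `isFrontendEditActive()` is true the spell checker is still reached through `index.php?eID=rtehtmlarea_spellchecker`, which this change leaves as it was. A comment above the assignment should state that, for example `// FE and frontend editing use the eID entry point, which is not covered by the backend Ajax token`. The value returned by `BackendUtility::getAjaxUrl()` is also concatenated directly into a double-quoted JavaScript string; presumably it never contains a quote or backslash, but that is not visible here. The enclosing method starts outside this hunk.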
index e6bc6a1..5dcabf7 100644 (file)
@@ -173,7 +173,7 @@ $TYPO3_CONF_VARS['EXTCONF'][$_EXTKEY]['plugins']['Language']['disableInFE'] = 0;
 
 // Spell checking configuration
 $TYPO3_CONF_VARS['FE']['eID_include']['rtehtmlarea_spellchecker'] = 'EXT:' . $_EXTKEY . '/pi1/class.tx_rtehtmlarea_pi1.php';
-$TYPO3_CONF_VARS['BE']['AJAX']['rtehtmlarea::spellchecker'] = 'TYPO3\\CMS\\Rtehtmlarea\\Controller\\SpellCheckingController->main';
+\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('rtehtmlarea::spellchecker', 'TYPO3\\CMS\\Rtehtmlarea\\Controller\\SpellCheckingController->main');
 
 $TYPO3_CONF_VARS['EXTCONF'][$_EXTKEY]['plugins']['SpellChecker'] = array();
 $TYPO3_CONF_VARS['EXTCONF'][$_EXTKEY]['plugins']['SpellChecker']['objectReference'] = '&TYPO3\\CMS\\Rtehtmlarea\\Extension\\Spellchecker';
index 2ec0eeb..4b322b8 100644 (file)
@@ -5,11 +5,11 @@ if (!defined('TYPO3_MODE')) {
 
 if (TYPO3_MODE === 'BE') {
        // Register AJAX handlers:
-       $TYPO3_CONF_VARS['BE']['AJAX']['T3Editor::saveCode'] = 'TYPO3\\CMS\\T3editor\\T3editor->ajaxSaveCode';
-       $TYPO3_CONF_VARS['BE']['AJAX']['T3Editor::getPlugins'] = 'TYPO3\\CMS\\T3editor\\T3editor->getPlugins';
-       $TYPO3_CONF_VARS['BE']['AJAX']['T3Editor_TSrefLoader::getTypes'] = 'TYPO3\\CMS\\T3editor\\TypoScriptReferenceLoader->processAjaxRequest';
-       $TYPO3_CONF_VARS['BE']['AJAX']['T3Editor_TSrefLoader::getDescription'] = 'TYPO3\\CMS\\T3editor\\TypoScriptReferenceLoader->processAjaxRequest';
-       $TYPO3_CONF_VARS['BE']['AJAX']['CodeCompletion::loadTemplates'] = 'TYPO3\\CMS\\T3editor\\CodeCompletion->processAjaxRequest';
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('T3Editor::saveCode', 'TYPO3\\CMS\\T3editor\\T3editor->ajaxSaveCode');
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('T3Editor::getPlugins', 'TYPO3\\CMS\\T3editor\\T3editor->getPlugins');
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('T3Editor_TSrefLoader::getTypes', 'TYPO3\\CMS\\T3editor\\TypoScriptReferenceLoader->processAjaxRequest');
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('T3Editor_TSrefLoader::getDescription', 'TYPO3\\CMS\\T3editor\\TypoScriptReferenceLoader->getDescription');
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('CodeCompletion::loadTemplates', 'TYPO3\\CMS\\T3editor\\CodeCompletion->processAjaxRequest');
 
        // Add the t3editor wizard on the bodytext field of tt_content
        $TCA['tt_content']['columns']['bodytext']['config']['wizards']['t3editor'] = array(
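Review bot: The registration for `T3Editor_TSrefLoader::getDescription` now targets `TypoScriptReferenceLoader->getDescription`, whereas the removed line targeted `->processAjaxRequest` and the neighbouring `getTypes` entry still does. TypoScriptReferenceLoader is not among the 16 changed files, so it cannot be confirmed from this commit that `getDescription` is public and accepts the Ajax handler arguments; if it does not, description lookups in the editor will fail. Unless the retargeting is intended, keep the previous handler: `registerAjaxHandler('T3Editor_TSrefLoader::getDescription', 'TYPO3\\CMS\\T3editor\\TypoScriptReferenceLoader->processAjaxRequest');`.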
index 9a7b35a..c27c0b3 100644 (file)
@@ -329,16 +329,15 @@ if (!Prototype.Browser.MobileSafari) {
                                Event.observe(document, 't3editor:save',
                                        function(event) {
                                                var params = Object.extend({
-                                                       ajaxID: "T3Editor::saveCode",
                                                        t3editor_savetype: T3editor.ajaxSavetype
                                                }, event.memo.parameters);
 
                                                new Ajax.Request(
-                                                       T3editor.URL_typo3 + "ajax.php", {
+                                                       T3editor.URL_typo3 + TYPO3.settings.ajaxUrls['T3Editor::saveCode'], {
                                                                parameters: params,
                                                                onComplete: function(ajaxrequest) {
                                                                        var wasSuccessful = ajaxrequest.status == 200
-                                                                       && ajaxrequest.headerJSON.result == true
+                                                                       && ajaxrequest.headerJSON.result == true;
                                                                        event.memo.t3editor.saveFunctionComplete(wasSuccessful,ajaxrequest.headerJSON);
                                                                }
                                                        }
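Review bot: `ajaxrequest.headerJSON.result` in onComplete is dereferenced without a null check, and Prototype leaves `headerJSON` null when the response carries no X-JSON header. With the save request now going through the protected URL, a rejected request (for example an expired or missing token) may well come back without that header, in which case the callback throws and `saveFunctionComplete` is never called. Guard the access: `var json = ajaxrequest.headerJSON;` and `var wasSuccessful = ajaxrequest.status == 200 && !!json && json.result == true;`, then pass `json` on. The surrounding observer starts outside this hunk.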
index 29d234d..6295547 100644 (file)
@@ -1,4 +1,4 @@
-/***************************************************************
+/***************************************************************
 * Copyright notice
 *
 * (c) 2008-2010 Stephan Petzl <spetzl@gmx.at> and Christian Kartnig <office@hahnepeter.de>
@@ -70,7 +70,7 @@ var DescriptionPlugin = function() {
                        // first a container has to be built
                        descriptionBox.innerHTML  = '<div class="TSREF_type_label">Object-type: </div><div class="TSREF_type">'+type.typeId+'</div>';
                        descriptionBox.innerHTML += '<div class="TSREF_type_label">Property-type: </div><div class="TSREF_type">'+type.properties[proposalObj.word].value+'</div><br/>';
-                       descriptionBox.innerHTML += '<div class="TSREF_description_label">TSREF-description:</div><div id="TSREF_description"><img src="../../../gfx/spinner.gif" border="0" alt="one moment please..."/></div>';
+                       descriptionBox.innerHTML += '<div class="TSREF_description_label">TSREF-description:</div><div id="TSREF_description"><img src="gfx/spinner.gif" border="0" alt="one moment please..."/></div>';
                        var prop = type.properties[proposalObj.word];
                        // if there is another request for a description in the queue -> cancel it
 
index 3f06812..c44f8d7 100644 (file)
@@ -111,11 +111,9 @@ var TsCodeCompletion = function(codeMirror, outerdiv) {
         * );
         */
        function loadPluginArray() {
-               var urlParameters = '&ajaxID=T3Editor::getPlugins';
                new Ajax.Request(
-                       T3editor.URL_typo3 + 'ajax.php',
+                       T3editor.URL_typo3 + TYPO3.settings.ajaxUrls['T3Editor::getPlugins'],
                                {
-                               parameters: urlParameters,
                                method: 'get',
                                onSuccess: function(transport) {
                                        var loadedPlugins = eval('('+ transport.responseText +')');
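Review bot: The response body in onSuccess is still passed to `eval('(' + transport.responseText + ')')`, so whatever the endpoint returns is executed as script in the backend page rather than parsed as data. Prototype offers a checked parser for this: `var loadedPlugins = transport.responseText.evalJSON(true);` rejects input that is not plain JSON. The same `eval` is used in `loadTsrefAsync` in tsref.js (`doc = eval(...)`), which this commit also touches. The onSuccess body continues outside this hunk.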
@@ -160,9 +158,9 @@ var TsCodeCompletion = function(codeMirror, outerdiv) {
         * this function retrieves the JSON code by comitting a AJAX request
         */
        function loadExtTemplatesAsync() {
-               var urlParameters = '&ajaxID=CodeCompletion::loadTemplates&pageId=' + getGetVar('id');
+               var urlParameters = '&pageId=' + getGetVar('id');
                new Ajax.Request(
-                       T3editor.URL_typo3 + 'ajax.php',
+                       T3editor.URL_typo3 + TYPO3.settings.ajaxUrls['CodeCompletion::loadTemplates'],
                        {
                                method: 'get',
                                parameters: urlParameters,
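Review bot: `urlParameters` is still assembled by hand as `'&pageId=' + getGetVar('id')`, so the value reaches the query string unencoded and the string starts with a stray `&`. Prototype encodes each value when `parameters` is an object, so `parameters: { pageId: getGetVar('id') }` is both shorter and safer. The same applies to `TsRefProperty.getDescription` in tsref.js, which could pass `parameters: { typeId: this.parentType, parameterName: this.name }`. The request options continue outside this hunk.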
index 9d5cbf0..e805099 100644 (file)
@@ -40,12 +40,10 @@ var TsRefProperty = function(parentType,name,value) {
        var descriptionCache = null;
        this.getDescription = function(callBack) {
                if(descriptionCache == null){
-                       var urlParameters = '&ajaxID=T3Editor_TSrefLoader::getDescription' +
-                               '&typeId=' + this.parentType +
-                               '&parameterName=' + this.name;
+                       var urlParameters = '&typeId=' + this.parentType + '&parameterName=' + this.name;
 
                        new Ajax.Request(
-                               T3editor.URL_typo3 + 'ajax.php',
+                               T3editor.URL_typo3 + TYPO3.settings.ajaxUrls['T3Editor_TSrefLoader::getDescription'],
                                {
                                        method: 'get',
                                        parameters: urlParameters,
@@ -89,12 +87,10 @@ var TsRef = function() {
        var doc;
 
        this.loadTsrefAsync = function() {
-               var urlParameters = '&ajaxID=T3Editor_TSrefLoader::getTypes';
                new Ajax.Request(
-                       T3editor.URL_typo3 + 'ajax.php',
+                       T3editor.URL_typo3 + TYPO3.settings.ajaxUrls['T3Editor_TSrefLoader::getTypes'],
                        {
                                method: 'get',
-                               parameters: urlParameters,
                                onSuccess: function(transport) {
                                        doc = eval('('+ transport.responseText +')');
                                        buildTree();
index af9a6cb..e69f195 100644 (file)
@@ -13,6 +13,6 @@ if (TYPO3_MODE === 'BE') {
                'top',
                \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath($_EXTKEY) . 'task/'
        );
-       $GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX']['Taskcenter::saveCollapseState'] = 'TYPO3\\CMS\\Taskcenter\\TaskStatus->saveCollapseState';
-       $GLOBALS['TYPO3_CONF_VARS']['BE']['AJAX']['Taskcenter::saveSortingState'] = 'TYPO3\\CMS\\Taskcenter\\TaskStatus->saveSortingState';
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('Taskcenter::saveCollapseState', 'TYPO3\\CMS\\Taskcenter\\TaskStatus->saveCollapseState');
+       \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerAjaxHandler('Taskcenter::saveSortingState', 'TYPO3\\CMS\\Taskcenter\\TaskStatus->saveSortingState');
 }
index 15b0e0d..a5fe378 100644 (file)
@@ -11,9 +11,9 @@ Event.observe(document, "dom:loaded", function(){
         },
 
         onUpdate: function(list) {
-                new Ajax.Request("ajax.php", {
+                new Ajax.Request(TYPO3.settings.ajaxUrls['Taskcenter::saveSortingState'], {
                         method: "post",
-                        parameters: { ajaxID :"Taskcenter::saveSortingState", data:  Sortable.serialize(list)}
+                        parameters: { data: Sortable.serialize(list)}
                 });
                        // activate link
                 Event.observe(window,"mouseup",function(){
@@ -39,8 +39,8 @@ Event.observe(document, "dom:loaded", function(){
                        Effect.BlindDown(item, {duration : 0.5});
                        state = 0;
                }
-               new Ajax.Request("ajax.php", {
-                       parameters : "ajaxID=Taskcenter::saveCollapseState&item=" + itemParent.id + "&state=" + state
+               new Ajax.Request(TYPO3.settings.ajaxUrls['Taskcenter::saveCollapseState'], {
+                       parameters : "item=" + itemParent.id + "&state=" + state
                });
        });
 });
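Review bot: The collapse-state request builds its body as the string `"item=" + itemParent.id + "&state=" + state`, so the element id is sent unencoded, and unlike the sorting request in the previous hunk it does not state its method. Passing an object lets Prototype do the encoding, and naming the method makes it explicit that this state-changing call is a POST: `method: "post",` and `parameters: { item: itemParent.id, state: state }`. The click handler this call sits in starts outside the hunk.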