authorAndrew Dolgov <[email protected]>2020-09-15 15:35:50 +0300
committerAndrew Dolgov <[email protected]>2020-09-15 15:35:50 +0300
commite670ac2ee5f859a974035fd27471e3b456aed24d (patch)
treedd92ce56ba6448328c6c1caa95c32adc33165cef
parent7e50c6c4b5995da117cd57cc26032140b0008c48 (diff)
require CSRF token for Article/redirect
-rwxr-xr-xclasses/article.php2
-rw-r--r--js/Article.js4
2 files changed, 4 insertions, 2 deletions
diff --git a/classes/article.php b/classes/article.php
index 998528fe8..9c664a8f6 100755
--- a/classes/article.php
+++ b/classes/article.php
@@ -2,7 +2,7 @@
class Article extends Handler_Protected {
function csrf_ignore($method) {
- $csrf_ignored = array("redirect", "editarticletags");
+ $csrf_ignored = array("editarticletags");
return array_search($method, $csrf_ignored) !== false;
}
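Review bot: The new exemption list on the `+` line still leaves `editarticletags` unprotected with nothing in the code saying why it is safe to skip the token check, which is exactly the kind of entry that this commit had to remove for `redirect`; if that handler does anything other than render a read-only dialog it has the same exposure. I would document the invariant above the array so the next addition is deliberate: `// Methods exempt from the CSRF check: only handlers that render content and never change state may be listed here — verify before adding.` I cannot see the `editarticletags` implementation from this hunk, so whether it really is read-only needs confirming against the rest of the class. As a minor style point, `return in_array($method, $csrf_ignored, true);` reads more directly than `array_search(...) !== false` with identical semantics. The `Article` class continues past the end of the hunk.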
diff --git a/js/Article.js b/js/Article.js
index e7946776e..1e6488184 100644
--- a/js/Article.js
+++ b/js/Article.js
@@ -133,9 +133,11 @@ const Article = {
openInNewWindow: function (id) {
const w = window.open("");
+ /* global __csrf_token */
+
if (w) {
w.opener = null;
- w.location = "backend.php?op=article&method=redirect&id=" + id;
+ w.location = "backend.php?op=article&method=redirect&id=" + id + "&csrf_token=" + __csrf_token;
Headlines.toggleUnread(id, 0);
}