author | Andrew Dolgov <[email protected]> | 2020-09-15 16:12:53 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2020-09-15 16:12:53 +0300 |
commit | 8080c525fd453bfba9c35f01a08013e148bb2144 (patch) | |
tree | d17bf661dfebf3d2ea16c78d821dbb78f07bf0d3 /js/App.js | |
parent | aeaafefa07b31c99efd27653ad22f4040572d441 (diff) |
- backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
Diffstat (limited to 'js/App.js')
-rw-r--r-- | js/App.js | 35 |
1 files changed, 32 insertions, 3 deletions
@@ -126,7 +126,33 @@ const App = { return callOriginal(options); } ); - }, + }, + postOpenWindow: function(target, params) { + const w = window.open(""); + + if (w) { + w.opener = null; + + const form = document.createElement("form"); + + form.setAttribute("method", "post"); + form.setAttribute("action", App.getInitParam("self_url_prefix") + "/" + target); + + for (const [k,v] of Object.entries(params)) { + const field = document.createElement("input"); + + field.setAttribute("name", k); + field.setAttribute("value", v); + field.setAttribute("type", "hidden"); + + form.appendChild(field); + } + + w.document.body.appendChild(form); + form.submit(); + } + + }, urlParam: function(param) { return String(window.location.href).parseQuery()[param]; }, @@ -986,8 +1012,11 @@ const App = { }; this.hotkey_actions["feed_debug_update"] = () => { if (!Feeds.activeIsCat() && parseInt(Feeds.getActive()) > 0) { - window.open("backend.php?op=feeds&method=update_debugger&feed_id=" + Feeds.getActive() + - "&csrf_token=" + this.getInitParam("csrf_token")); + //window.open("backend.php?op=feeds&method=update_debugger&feed_id=" + Feeds.getActive()); + + /* global __csrf_token */ + App.postOpenWindow("backend.php", {op: "feeds", method: "update_debugger", feed_id: Feeds.getActive(), csrf_token: __csrf_token}); + } else { alert("You can't debug this kind of feed."); } |
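Review bot: postOpenWindow silently does nothing when `window.open("")` returns null (popup blocked), so the caller's request is dropped with no feedback; since the helper already branches on `if (w)`, an `else` branch that reports the failure the way the second hunk does with `alert(...)` would make it visible to the user. Setting `w.opener = null` before populating the new window is the right call for isolating it from the opener page. The form action is built by concatenating `App.getInitParam("self_url_prefix") + "/" + target`, so the helper trusts callers to pass a plain relative script name; a JSDoc header such as `/** @param {string} target - relative script under self_url_prefix, e.g. "backend.php"; @param {Object} params - posted as hidden form fields */` would document that contract. The enclosing App object literal starts and ends outside the hunk.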
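Review bot: The new postOpenWindow call reads the token from a bare global `__csrf_token`, declared only through the `/* global __csrf_token */` lint directive, while the removed line used `this.getInitParam("csrf_token")` and postOpenWindow itself resolves its parameters through `App.getInitParam(...)`; unless the init-param value is dropped elsewhere in the commit, `csrf_token: this.getInitParam("csrf_token")` keeps a single source of truth for the token. The commented-out `//window.open("backend.php?op=feeds&method=update_debugger&feed_id=" + Feeds.getActive());` line is dead code and should be deleted rather than kept next to its replacement. The hotkey handler's enclosing function starts and ends outside the hunk.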