author | Andrew Dolgov <[email protected]> | 2020-09-15 16:12:53 +0300 |
committer | Andrew Dolgov <[email protected]> | 2020-09-15 16:12:53 +0300 |
commit | 8080c525fd453bfba9c35f01a08013e148bb2144 (patch) | |
tree | d17bf661dfebf3d2ea16c78d821dbb78f07bf0d3 /js/Article.js | |
parent | aeaafefa07b31c99efd27653ad22f4040572d441 (diff) |
- backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
Diffstat (limited to 'js/Article.js')
-rw-r--r-- | js/Article.js | 34 |
1 files changed, 4 insertions, 30 deletions
diff --git a/js/Article.js b/js/Article.js
index e2284b190..174015a61 100644
--- a/js/Article.js
+++ b/js/Article.js
@@ -131,37 +131,11 @@ const Article = {
 });
 },
 openInNewWindow: function (id) {
+ /* global __csrf_token */
+ App.postOpenWindow("backend.php",
+ { "op": "article", "method": "redirect", "id": id, "csrf_token": __csrf_token });
- const w = window.open("");
-
- if (w) {
- w.opener = null;
-
- const form = document.createElement("form");
-
- form.setAttribute("method", "post");
- form.setAttribute("action", App.getInitParam("self_url_prefix") + "/backend.php");
-
- /* global __csrf_token */
-
- const params = { "op": "article", "method": "redirect", "id": id, "csrf_token": __csrf_token };
-
- for (const [k,v] of Object.entries(params)) {
- const field = document.createElement("input");
-
- field.setAttribute("name", k);
- field.setAttribute("value", v);
- field.setAttribute("type", "hidden");
-
- form.appendChild(field);
- }
-
- w.document.body.appendChild(form);
- form.submit();
-
- Headlines.toggleUnread(id, 0);
- }
-
+ Headlines.toggleUnread(id, 0);
 },
 render: function (article) {
 App.cleanupMemory("content-insert"); |
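Review bot: `Headlines.toggleUnread(id, 0)` on the new side now runs unconditionally, whereas the removed code only marked the article read inside `if (w)`, i.e. when `window.open` was not blocked; unless `App.postOpenWindow` guards this itself, a blocked popup will now silently mark the article as read. If the helper returns the window it opened, the old behaviour can be kept with `const w = App.postOpenWindow("backend.php", { ... });` followed by `if (w) Headlines.toggleUnread(id, 0);`. The removed code also set `w.opener = null` on the new window and built the action from `App.getInitParam("self_url_prefix") + "/backend.php"`, while the new call passes a bare `"backend.php"`; neither the opener severing nor the prefix handling is visible in this hunk, so it is worth confirming that `App.postOpenWindow` (defined outside this file) still clears `opener` so the redirect target cannot navigate the reader window, and resolves the path against the same prefix. The enclosing `Article` object continues outside the hunk.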