authorAndrew Dolgov <[email protected]>2020-09-15 16:12:53 +0300
committerAndrew Dolgov <[email protected]>2020-09-15 16:12:53 +0300
commit8080c525fd453bfba9c35f01a08013e148bb2144 (patch)
treed17bf661dfebf3d2ea16c78d821dbb78f07bf0d3 /js/Article.js
parentaeaafefa07b31c99efd27653ad22f4040572d441 (diff)
- backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger - rework Article/redirect to use POST
Diffstat (limited to 'js/Article.js')
-rw-r--r--js/Article.js34
1 files changed, 4 insertions, 30 deletions
diff --git a/js/Article.js b/js/Article.js
index e2284b190..174015a61 100644
--- a/js/Article.js
+++ b/js/Article.js
@@ -131,37 +131,11 @@ const Article = {
});
},
openInNewWindow: function (id) {
+ /* global __csrf_token */
+ App.postOpenWindow("backend.php",
+ { "op": "article", "method": "redirect", "id": id, "csrf_token": __csrf_token });
- const w = window.open("");
-
- if (w) {
- w.opener = null;
-
- const form = document.createElement("form");
-
- form.setAttribute("method", "post");
- form.setAttribute("action", App.getInitParam("self_url_prefix") + "/backend.php");
-
- /* global __csrf_token */
-
- const params = { "op": "article", "method": "redirect", "id": id, "csrf_token": __csrf_token };
-
- for (const [k,v] of Object.entries(params)) {
- const field = document.createElement("input");
-
- field.setAttribute("name", k);
- field.setAttribute("value", v);
- field.setAttribute("type", "hidden");
-
- form.appendChild(field);
- }
-
- w.document.body.appendChild(form);
- form.submit();
-
- Headlines.toggleUnread(id, 0);
- }
-
+ Headlines.toggleUnread(id, 0);
},
render: function (article) {
App.cleanupMemory("content-insert");