authorAndrew Dolgov <[email protected]>2020-09-15 16:12:53 +0300
committerAndrew Dolgov <[email protected]>2020-09-15 16:12:53 +0300
commit8080c525fd453bfba9c35f01a08013e148bb2144 (patch)
treed17bf661dfebf3d2ea16c78d821dbb78f07bf0d3 /js/FeedTree.js
parentaeaafefa07b31c99efd27653ad22f4040572d441 (diff)
- backend: require CSRF token to be passed via POST
- do not leak CSRF token via GET request in feed debugger
- rework Article/redirect to use POST
Diffstat (limited to 'js/FeedTree.js')
-rwxr-xr-xjs/FeedTree.js5
1 files changed, 3 insertions, 2 deletions
diff --git a/js/FeedTree.js b/js/FeedTree.js
index 74c29d2f7..c61d8a50f 100755
--- a/js/FeedTree.js
+++ b/js/FeedTree.js
@@ -101,8 +101,9 @@ define(["dojo/_base/declare", "dojo/dom-construct", "dojo/_base/array", "dojo/co
menu.addChild(new dijit.MenuItem({
label: __("Debug feed"),
onClick: function() {
- window.open("backend.php?op=feeds&method=update_debugger&feed_id=" + this.getParent().row_id +
- "&csrf_token=" + App.getInitParam("csrf_token"));
+ /* global __csrf_token */
+ App.postOpenWindow("backend.php", {op: "feeds", method: "update_debugger",
+ feed_id: this.getParent().row_id, csrf_token: __csrf_token});
}}));
}
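Review bot: The `/* global __csrf_token */` directive sits inside the `onClick` handler next to the call, where it is easy to miss. I would move it to the top of js/FeedTree.js and leave a why-comment at the call site instead, e.g. `// token goes in the POST body so it never lands in URLs, browser history, server logs or Referer headers`. `App.postOpenWindow` is not defined in this hunk, so its handling of `feed_id` and `csrf_token` cannot be checked from here. It should set them through DOM properties on hidden form fields rather than string-built HTML, and the backend should reject this method over GET so the old URL form stops working. The enclosing menu-building code starts and ends outside the hunk.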