author | Andrew Dolgov <[email protected]> | 2020-09-15 16:03:09 +0300 |
committer | Andrew Dolgov <[email protected]> | 2020-09-15 16:03:09 +0300 |
commit | aeaafefa07b31c99efd27653ad22f4040572d441 (patch) | |
tree | 705ce20168cc34331f91e82e0788dfedb4deff05 /js | |
parent | e670ac2ee5f859a974035fd27471e3b456aed24d (diff) |
don't pass csrf token as a GET parameter to Article
Diffstat (limited to 'js')
-rw-r--r-- | js/Article.js | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/js/Article.js b/js/Article.js
index 1e6488184..e2284b190 100644
--- a/js/Article.js
+++ b/js/Article.js
@@ -131,16 +131,37 @@ const Article = {
 		});
 	},
 	openInNewWindow: function (id) {
-		const w = window.open("");
-		/* global __csrf_token */
+		const w = window.open("");
 		if (w) {
 			w.opener = null;
-			w.location = "backend.php?op=article&method=redirect&id=" + id + "&csrf_token=" + __csrf_token;
+
+			const form = document.createElement("form");
+
+			form.setAttribute("method", "post");
+			form.setAttribute("action", App.getInitParam("self_url_prefix") + "/backend.php");
+
+			/* global __csrf_token */
+
+			const params = { "op": "article", "method": "redirect", "id": id, "csrf_token": __csrf_token };
+
+			for (const [k,v] of Object.entries(params)) {
+				const field = document.createElement("input");
+
+				field.setAttribute("name", k);
+				field.setAttribute("value", v);
+				field.setAttribute("type", "hidden");
+
+				form.appendChild(field);
+			}
+
+			w.document.body.appendChild(form);
+			form.submit();
 			Headlines.toggleUnread(id, 0);
 		}
+
 	},
 	render: function (article) {
 		App.cleanupMemory("content-insert");
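Review bot: The form action on the new side is built from `App.getInitParam("self_url_prefix") + "/backend.php"`, so the CSRF token and article id are now POSTed to whatever origin that init parameter names, whereas the removed `w.location = "backend.php?..."` line resolved relative to the app's own origin; if that value is ever misconfigured or not guaranteed to be same-origin, the token leaves the application with the request. A cheap guard just before `form.submit()` would be `if (new URL(form.action).origin !== window.location.origin) return;`, assuming self_url_prefix is always expected to match the current origin. Taking the token out of the query string is the right direction, since GET parameters end up in browser history, server logs and Referer headers; the new window is an about:blank opened with `w.opener = null`, so the hidden field only lives in that document until the POST navigates it away. A one-line comment above `const form = document.createElement("form");` would help the next reader, e.g. `// POST so the CSRF token never appears in a URL (history, logs, Referer)`. The enclosing `Article` object literal starts before and ends after this hunk.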