Diffstat (limited to 'classes')
-rwxr-xr-x | classes/handler/public.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/classes/handler/public.php b/classes/handler/public.php
index 135cdcbc7..7f8d01ad0 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -728,6 +728,7 @@ class Handler_Public extends Handler {
 if ($_SESSION["uid"]) {
 $feed_url = trim(clean($_REQUEST["feed_url"]));
+ $csrf_token = clean($_REQUEST["csrf_token"]);
 header('Content-Type: text/html; charset=utf-8');
 ?>
@@ -774,10 +775,11 @@ class Handler_Public extends Handler {
 <div class='content'>
 <?php
- if (!$feed_url) {
+ if (!$feed_url || $csrf_token != $_SESSION["csrf_token"]) {
 ?>
 <form method="post">
 <input type="hidden" name="op" value="subscribe">
+ <?php print_hidden("csrf_token", $_SESSION["csrf_token"]) ?>
 <fieldset>
 <label>Feed or site URL:</label>
 <input style="width: 300px" dojoType="dijit.form.ValidationTextBox" required="1" name="feed_url">
@@ -820,6 +822,7 @@ class Handler_Public extends Handler {
 print "<form action='public.php'>";
 print "<input type='hidden' name='op' value='subscribe'>";
+ print_hidden("csrf_token", $_SESSION["csrf_token"]);
 print "<fieldset>";
 print "<label style='display : inline'>" . __("Multiple feed URLs found:") . "</label>";
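Review bot: The token check added in the second hunk, `$csrf_token != $_SESSION["csrf_token"]`, is a loose string comparison: PHP compares two numeric-looking strings numerically, the comparison is not constant-time, and when the session holds no token at all an absent request token compares loosely equal to it, so the guard would pass with no token on either side (that last case depends on what `clean()` returns for a missing key, which is not visible here). Requiring a stored token and comparing with `hash_equals()` covers all three: `if (!$feed_url || empty($_SESSION["csrf_token"]) || !hash_equals($_SESSION["csrf_token"], (string) $csrf_token)) {`. The first hunk reads `$_REQUEST["csrf_token"]` unconditionally, which raises an undefined-index notice the first time the page is shown without a token; guarding the read with `isset()` before calling `clean()` avoids it. The enclosing method begins and ends outside these hunks.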
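Review bot: The token printed in the third hunk goes into a form declared as `print "<form action='public.php'>";` with no `method` attribute, so browsers submit it as GET and the CSRF token lands in the query string, where it reaches access logs, browser history and outbound Referer headers. The first hunk reads the token from `$_REQUEST`, which accepts both verbs, so the form can be switched without touching the handler: `print "<form action='public.php' method='post'>";`. The enclosing method begins and ends outside this hunk.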