From cbcb10a272ef8c46360da301e1bbbd4979d6f106 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Tue, 15 Sep 2020 16:28:09 +0300
Subject: Feeds: load quickaddfeed and search dialogs via XHR w/ CSRF protection
---
 js/Feeds.js | 77 ++++++++++++++++++++++++++++++++-----------------------------
 1 file changed, 40 insertions(+), 37 deletions(-)
(limited to 'js/Feeds.js')
diff --git a/js/Feeds.js b/js/Feeds.js
index a12021566..49b5e0c2d 100644
--- a/js/Feeds.js
+++ b/js/Feeds.js
@@ -552,47 +552,50 @@ const Feeds = { return tree.model.store.getValue(nuf, 'bare_id'); }, search: function() { - const query = "backend.php?op=feeds&method=search¶m=" + - encodeURIComponent(Feeds.getActive() + ":" + Feeds.activeIsCat()); - if (dijit.byId("searchDlg")) dijit.byId("searchDlg").destroyRecursive(); - const dialog = new dijit.Dialog({ - id: "searchDlg", - title: __("Search"), - style: "width: 600px", - execute: function () { - if (this.validate()) { - Feeds._search_query = this.attr('value'); - - // disallow empty queries - if (!Feeds._search_query.query) - Feeds._search_query = false; - - this.hide(); - Feeds.reloadCurrent(); - } - }, - href: query - }); - - const tmph = dojo.connect(dialog, 'onLoad', function () { - dojo.disconnect(tmph); - - if (Feeds._search_query) { - if (Feeds._search_query.query) - dijit.byId('search_query') - .attr('value', Feeds._search_query.query); - - if (Feeds._search_query.search_language) - dijit.byId('search_language') - .attr('value', Feeds._search_query.search_language); - } - - }); + xhrPost("backend.php", + {op: "feeds", method: "search", + param: Feeds.getActive() + ":" + Feeds.activeIsCat()}, + (transport) => { + const dialog = new dijit.Dialog({ + id: "searchDlg", + content: transport.responseText, + title: __("Search"), + style: "width: 600px", + execute: function () { + if (this.validate()) { + Feeds._search_query = this.attr('value'); + + // disallow empty queries + if (!Feeds._search_query.query) + Feeds._search_query = false; + + this.hide(); + Feeds.reloadCurrent(); + } + }, + }); + + const tmph = dojo.connect(dialog, 'onLoad', function () { + dojo.disconnect(tmph); + + if (Feeds._search_query) { + if (Feeds._search_query.query) + dijit.byId('search_query') + .attr('value', Feeds._search_query.query); + + if (Feeds._search_query.search_language) + dijit.byId('search_language') + .attr('value', Feeds._search_query.search_language); + } + + }); + + dialog.show(); + }); - dialog.show(); }, updateRandom: 
function() { console.log("in update_random_feed"); -- cgit v1.2.3
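Review bot: The `if (dijit.byId("searchDlg")) dijit.byId("searchDlg").destroyRecursive();` check appears to remain as context ahead of `xhrPost(...)`, so it runs when the request is sent rather than when the dialog is built; two overlapping calls to `search()` would both pass it, and the second callback would then construct a widget with the already-registered id `searchDlg`. Moving that line to the top of the `(transport) => {` callback closes the window. Separately, the `onLoad` handler that restores `Feeds._search_query` is connected only after the dialog has been constructed with `content:` instead of `href:`; as far as I know dijit does not fire `onLoad` for content passed as a constructor parameter, so please confirm the saved query is still restored, or hook the restore to the dialog being shown. The callback also renders `transport.responseText` without checking that the request succeeded, so an error or login page would be displayed as the dialog body. The hunk is collapsed on this page, so the position of the destroy check is inferred from the line counts in the `@@` header.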