authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2025-04-05 23:15:37 +0200
committerGravatar GitHub <noreply@github.com> 2025-04-05 23:15:37 +0200
commitd858053a7c70b3fee0fe407420ff8bd1466d5de2 (patch)
tree68e6237aff1f290361e21024a2a35476a6a88888 /app/layout/header.phtml
parent711a14fd9ccea0a5b3c68dfa20fc34e558823f40 (diff)
Use HTTP POST for logout (#7489)
* Use HTTP POST for logout, to avoid potential CSRF risks * Fixed button font issue * Minor whitespace
Diffstat (limited to 'app/layout/header.phtml')
-rw-r--r--app/layout/header.phtml7
1 files changed, 6 insertions, 1 deletions
diff --git a/app/layout/header.phtml b/app/layout/header.phtml
index b152ed78a..1e4290f98 100644
--- a/app/layout/header.phtml
+++ b/app/layout/header.phtml
@@ -50,6 +50,9 @@
<?php if (FreshRSS_Auth::hasAccess()) { ?>
<nav class="item configure">
+ <form id="post-csrf" method="post">
+ <input type="hidden" name="_csrf" value="<?= FreshRSS_Auth::csrfToken() ?>" />
+ </form>
<div class="dropdown">
<div id="dropdown-configure" class="dropdown-target"></div>
<a class="btn dropdown-toggle" href="#dropdown-configure"><?= _i('configure') ?></a>
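Review bot: The hidden `_csrf` value on the second added line is written into an attribute with a bare `<?= FreshRSS_Auth::csrfToken() ?>`, whereas the same template escapes `Minz_User::name()` with `htmlspecialchars` a few lines further down; the token is presumably hex or base64 and harmless today, but escaping it in attribute context keeps the template consistent and safe if the token format ever changes, e.g. `value="<?= htmlspecialchars(FreshRSS_Auth::csrfToken(), ENT_QUOTES, 'UTF-8') ?>"`. The form has no `action` of its own and only exists to be targeted by a `formaction` button elsewhere in the page, which deserves a short comment such as `<!-- submit target for POST-only actions (see the logout button); keep even though it has no action -->` so a later cleanup does not remove an apparently empty form. The enclosing `if (FreshRSS_Auth::hasAccess())` block continues past the hunk.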
@@ -63,7 +66,9 @@
<ul>
<li class="item"><a href="<?= _url('user', 'profile') ?>"><?= _t('gen.menu.user_profile') ?></a></li>
<?php if (FreshRSS_Auth::accessNeedsAction()): ?>
- <li class="item"><a class="signout" href="<?= _url('auth', 'logout') ?>"><?= _t('gen.auth.logout'); ?><?= _i('logout') ?></a></li>
+ <li class="item">
+ <button class="as-link signout" form="post-csrf" formaction="<?= _url('auth', 'logout') ?>"><?= _t('gen.auth.logout'); ?><?= _i('logout') ?></button>
+ </li>
<?php else: ?>
<li class="item"><span class="signout">(<?= htmlspecialchars(Minz_User::name() ?? '', ENT_NOQUOTES, 'UTF-8') ?>)</span></li>
<?php endif; ?>
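Review bot: Switching the logout control to a POST button only closes the CSRF gap if the `auth/logout` action also verifies the `_csrf` field and stops honouring GET requests, which this file-limited view cannot confirm; if a GET path is kept for bookmarks it should at most render a confirmation page rather than log the user out. The new button depends on `form="post-csrf"` resolving to the form added in the earlier hunk, so the two must always be rendered together; both appear to sit inside the same `hasAccess()` branch, but that is inferred from context lines. An explicit `type="submit"` on the button would make the intent obvious to readers even though it is the default. The `<ul>` and surrounding `if` continue outside the hunk.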