authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2025-04-05 23:15:37 +0200
committerGravatar GitHub <noreply@github.com> 2025-04-05 23:15:37 +0200
commitd858053a7c70b3fee0fe407420ff8bd1466d5de2 (patch)
tree68e6237aff1f290361e21024a2a35476a6a88888 /app/layout/simple.phtml
parent711a14fd9ccea0a5b3c68dfa20fc34e558823f40 (diff)
Use HTTP POST for logout (#7489)
* Use HTTP POST for logout, to avoid potential CSRF risks * Fixed button font issue * Minor whitespace
Diffstat (limited to 'app/layout/simple.phtml')
-rw-r--r--app/layout/simple.phtml10
1 files changed, 6 insertions, 4 deletions
diff --git a/app/layout/simple.phtml b/app/layout/simple.phtml
index a79d102af..2a14682c9 100644
--- a/app/layout/simple.phtml
+++ b/app/layout/simple.phtml
@@ -60,13 +60,15 @@
<div class="item"></div>
+ <form id="post-csrf" method="post">
+ <input type="hidden" name="_csrf" value="<?= FreshRSS_Auth::csrfToken() ?>" />
+ </form>
+
<?php if (FreshRSS_Auth::accessNeedsAction()): ?>
<div class="item configure">
<?php if (FreshRSS_Auth::hasAccess()): ?>
- <a class="signout" href="<?= Minz_Url::display(['c' => 'auth', 'a' => 'logout'], 'html', 'root') ?>">
- <?= _i('logout') ?><?= _t('gen.auth.logout') ?>
- (<?= htmlspecialchars(Minz_User::name() ?? '', ENT_NOQUOTES, 'UTF-8') ?>)
- </a>
+ <button class="as-link signout" form="post-csrf" formaction="<?=
+ _url('auth', 'logout') ?>"><?= _t('gen.auth.logout'); ?><?= _i('logout') ?></button>
<?php else: ?>
<a class="signin" href="<?= Minz_Url::display(['c' => 'auth', 'a' => 'login'], 'html', 'root') ?>">
<?= _i('login') ?><?= _t('gen.auth.login') ?>