aboutsummaryrefslogtreecommitdiff
path: root/app/views/helpers
diff options
context:
space:
mode:
authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2016-08-13 17:49:31 +0200
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2016-08-13 17:49:31 +0200
commite6fd34bdda5d067a9e74714aaae10c89ed998a46 (patch)
tree1a82e54e636f856983e8cd94ec00247eb9987b27 /app/views/helpers
parent97efdcac1e38c568b6be313120694e7201d4c69c (diff)
CSRF token, update HTTP Referrer policy to same-origin
https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer https://github.com/FreshRSS/FreshRSS/issues/570 https://github.com/FreshRSS/FreshRSS/issues/955 https://github.com/FreshRSS/FreshRSS/issues/1198 https://github.com/FreshRSS/FreshRSS/issues/565 https://github.com/FreshRSS/FreshRSS/issues/554
Diffstat (limited to 'app/views/helpers')
-rw-r--r--app/views/helpers/feed/update.phtml1
-rw-r--r--app/views/helpers/javascript_vars.phtml1
-rwxr-xr-xapp/views/helpers/pagination.phtml1
3 files changed, 3 insertions, 0 deletions
diff --git a/app/views/helpers/feed/update.phtml b/app/views/helpers/feed/update.phtml
index 72084d8fa..b7e8f68cd 100644
--- a/app/views/helpers/feed/update.phtml
+++ b/app/views/helpers/feed/update.phtml
@@ -18,6 +18,7 @@
<?php } ?>
<form method="post" action="<?php echo _url('subscription', 'feed', 'id', $this->feed->id()); ?>" autocomplete="off">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('sub.feed.informations'); ?></legend>
<div class="form-group">
<label class="group-name" for="name"><?php echo _t('sub.feed.title'); ?></label>
diff --git a/app/views/helpers/javascript_vars.phtml b/app/views/helpers/javascript_vars.phtml
index 1aa43a207..745baa195 100644
--- a/app/views/helpers/javascript_vars.phtml
+++ b/app/views/helpers/javascript_vars.phtml
@@ -16,6 +16,7 @@ echo htmlspecialchars(json_encode(array(
'html5_notif_timeout' => FreshRSS_Context::$user_conf->html5_notif_timeout,
'auth_type' => FreshRSS_Context::$system_conf->auth_type,
'current_view' => Minz_Request::actionName(),
+ 'csrf' => FreshRSS_Auth::csrfToken(),
),
'shortcuts' => array(
'mark_read' => @$s['mark_read'],
diff --git a/app/views/helpers/pagination.phtml b/app/views/helpers/pagination.phtml
index d1c3cc72c..23c45114d 100755
--- a/app/views/helpers/pagination.phtml
+++ b/app/views/helpers/pagination.phtml
@@ -15,6 +15,7 @@
?>
<form id="mark-read-pagination" method="post">
+<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<ul class="pagination">
<li class="item pager-next">
<?php if (FreshRSS_Context::$next_id) { ?>
generated by cgit v1.2.3 (git 2.39.1) at 2026-05-02 02:39:34 +0000