diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2016-08-13 17:49:31 +0200 |
|---|---|---|
| committer | Alexandre Alapetite <alexandre@alapetite.fr>
| 2016-08-13 17:49:31 +0200 |
| commit | e6fd34bdda5d067a9e74714aaae10c89ed998a46 (patch) | |
| tree | 1a82e54e636f856983e8cd94ec00247eb9987b27 /app/views/subscription/index.phtml | |
| parent | 97efdcac1e38c568b6be313120694e7201d4c69c (diff) | |
CSRF token, update HTTP Referrer policy to same-origin
https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer
https://github.com/FreshRSS/FreshRSS/issues/570
https://github.com/FreshRSS/FreshRSS/issues/955
https://github.com/FreshRSS/FreshRSS/issues/1198
https://github.com/FreshRSS/FreshRSS/issues/565
https://github.com/FreshRSS/FreshRSS/issues/554
Diffstat (limited to 'app/views/subscription/index.phtml')
| -rw-r--r-- | app/views/subscription/index.phtml | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/app/views/subscription/index.phtml b/app/views/subscription/index.phtml index 07cebf817..48f760d3e 100644 --- a/app/views/subscription/index.phtml +++ b/app/views/subscription/index.phtml @@ -6,6 +6,7 @@ <h2><?php echo _t('sub.title'); ?></h2> <form id="add_rss" method="post" action="<?php echo _url('feed', 'add'); ?>" autocomplete="off"> + <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <div class="stick"> <input type="url" name="url_rss" class="long" placeholder="<?php echo _t('sub.feed.add'); ?>" /> <div class="dropdown"> @@ -56,13 +57,16 @@ <ul class="box-content box-content-centered"> <form action="<?php echo _url('category', 'create'); ?>" method="post"> + <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <li class="item"><input type="text" id="new-category" name="new-category" placeholder="<?php echo _t('sub.category.new'); ?>" /></li> <li class="item"><button class="btn btn-important" type="submit"><?php echo _t('gen.action.submit'); ?></button></li> </form> </ul> </div> - <form id="controller-category" method="post" aria-hidden="true"></form> + <form id="controller-category" method="post" aria-hidden="true"> + <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> + </form> <?php foreach ($this->categories as $cat) { @@ -71,6 +75,7 @@ <div class="box"> <div class="box-title"> <form action="<?php echo _url('category', 'update', 'id', $cat->id()); ?>" method="post"> + <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <input type="text" name="name" value="<?php echo $cat->name(); ?>" /> <div class="dropdown"> |