diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2016-08-13 17:49:31 +0200 |
|---|---|---|
| committer | Alexandre Alapetite <alexandre@alapetite.fr>
| 2016-08-13 17:49:31 +0200 |
| commit | e6fd34bdda5d067a9e74714aaae10c89ed998a46 (patch) | |
| tree | 1a82e54e636f856983e8cd94ec00247eb9987b27 /app/views/user | |
| parent | 97efdcac1e38c568b6be313120694e7201d4c69c (diff) | |
CSRF token, update HTTP Referrer policy to same-origin
https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer
https://github.com/FreshRSS/FreshRSS/issues/570
https://github.com/FreshRSS/FreshRSS/issues/955
https://github.com/FreshRSS/FreshRSS/issues/1198
https://github.com/FreshRSS/FreshRSS/issues/565
https://github.com/FreshRSS/FreshRSS/issues/554
Diffstat (limited to 'app/views/user')
| -rw-r--r-- | app/views/user/manage.phtml | 2 | ||||
| -rw-r--r-- | app/views/user/profile.phtml | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml index e48841d9b..aab3aa4c4 100644 --- a/app/views/user/manage.phtml +++ b/app/views/user/manage.phtml @@ -4,6 +4,7 @@ <a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a> <form method="post" action="<?php echo _url('user', 'create'); ?>"> + <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <legend><?php echo _t('admin.user.create'); ?></legend> <div class="form-group"> @@ -46,6 +47,7 @@ </form> <form method="post" action="<?php echo _url('user', 'delete'); ?>"> + <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <legend><?php echo _t('admin.user.users'); ?></legend> <div class="form-group"> diff --git a/app/views/user/profile.phtml b/app/views/user/profile.phtml index 51a5aed2f..429375e44 100644 --- a/app/views/user/profile.phtml +++ b/app/views/user/profile.phtml @@ -4,6 +4,7 @@ <a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a> <form method="post" action="<?php echo _url('user', 'profile'); ?>"> + <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <legend><?php echo _t('conf.profile'); ?></legend> <div class="form-group"> @@ -52,6 +53,7 @@ <?php if (!FreshRSS_Auth::hasAccess('admin')) { ?> <form id="crypto-form" method="post" action="<?php echo _url('user', 'delete'); ?>"> + <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <legend><?php echo _t('conf.profile.delete'); ?></legend> <p class="alert alert-warn"><span class="alert-head"><?php echo _t('gen.short.attention'); ?></span> <?php echo _t('conf.profile.delete.warn'); ?></p> |