| author | 2025-08-03 23:30:35 +0200 | |
|---|---|---|
| committer | 2025-08-03 23:30:35 +0200 | |
| commit | 05c7aac84e575552a13f9dab9b9ca0d0374b4cb3 (patch) | |
| tree | 28d3a14671a1318d6b2e6813117ece38132610b9 /app/views | |
| parent | 26377b543d8b1cc4f3c0c60300d49fcbb2dcfa13 (diff) | |
Improve security of form for user details (#7771)
Related to https://github.com/FreshRSS/FreshRSS/pull/7684
The form buttons requiring confirmation are disabled in HTML in the case of Ajax, and only enabled again if our own JavaScript is running
Diffstat (limited to 'app/views')
| -rw-r--r-- | app/views/user/details.phtml | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/app/views/user/details.phtml b/app/views/user/details.phtml
index 6f0cbae3e..b85ff4fea 100644
--- a/app/views/user/details.phtml
+++ b/app/views/user/details.phtml
@@ -69,14 +69,17 @@
 <div class="form-group form-actions">
 <noscript><b><?= _t('gen.js.should_be_activated'); ?></b></noscript>
+ <?php
+ $disabledIfAjax = Minz_Request::paramBoolean('ajax') ? ' disabled="disabled"' : '';
+ ?>
 <div class="group-controls">
 <button type="submit" class="btn btn-important" name="action" value="update"><?= _t('gen.action.update') ?></button>
- <button type="submit" class="btn btn-attention confirm" name="action" value="purge"><?= _t('gen.action.purge') ?></button>
- <button type="submit" class="btn btn-attention confirm" name="action" value="delete"><?= _t('gen.action.remove') ?></button>
+ <button type="submit" class="btn btn-attention confirm" name="action" value="purge"<?= $disabledIfAjax ?>><?= _t('gen.action.purge') ?></button>
+ <button type="submit" class="btn btn-attention confirm" name="action" value="delete"<?= $disabledIfAjax ?>><?= _t('gen.action.remove') ?></button>
 <?php if ($isAdmin && !$isDefault): ?>
- <button type="submit" class="btn btn-attention confirm" name="action" value="demote"><?= _t('gen.action.demote') ?></button>
+ <button type="submit" class="btn btn-attention confirm" name="action" value="demote"<?= $disabledIfAjax ?>><?= _t('gen.action.demote') ?></button>
 <?php elseif (!$isAdmin): ?>
- <button type="submit" class="btn btn-attention confirm" name="action" value="promote"><?= _t('gen.action.promote') ?></button>
+ <button type="submit" class="btn btn-attention confirm" name="action" value="promote"<?= $disabledIfAjax ?>><?= _t('gen.action.promote') ?></button>
 <?php endif; ?>
 <?php if ($enabled && !$isDefault): ?>
 <button type="submit" class="btn btn-attention" name="action" value="disable"><?= _t('gen.action.disable') ?></button> |
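Review bot: The `disabled="disabled"` attribute emitted through `$disabledIfAjax` is a browser-side guard only — it keeps the `confirm` buttons inert until the confirmation handler is attached, but it does not narrow what the server accepts, so the controller that handles `purge`, `delete`, `demote` and `promote` still needs its own authorization and request-validation checks (that code is outside this hunk, so I cannot confirm it from here). The reason for the attribute lives only in the commit message; the template would be clearer with a comment next to the assignment, e.g. `// When loaded via Ajax, confirm-requiring buttons are rendered disabled and only re-enabled by our own JavaScript once the confirm handler is attached.` Leaving `update` and `disable` enabled looks deliberate, since neither carries the `confirm` class, but that is worth stating in the same comment. The enclosing `<div class="form-group form-actions">` closes outside the hunk.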
