authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2016-08-13 21:14:36 +0200
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2016-08-13 21:14:36 +0200
commit967dff535defd2c95bf1be9b48e0b18e3fe6025d (patch)
tree8d06dbedc7635e96ba722b9cadfa2ee5fb7cda69 /app
parentbee833bf524e58ea9cf5309fb89f6f8b30005720 (diff)
parentcda414ff0f142d180c616eca1e08204e7c9c6ef9 (diff)
Merge branch 'FreshRSS/dev' into PostgreSQL
Diffstat (limited to 'app')
-rwxr-xr-xapp/Controllers/configureController.php4
-rwxr-xr-xapp/Controllers/indexController.php14
-rw-r--r--app/FreshRSS.php2
-rw-r--r--app/Models/Auth.php21
-rw-r--r--app/Models/EntryDAOSQLite.php5
-rw-r--r--app/i18n/cz/index.php2
-rw-r--r--app/i18n/de/index.php2
-rw-r--r--app/i18n/en/index.php2
-rw-r--r--app/i18n/fr/index.php2
-rw-r--r--app/i18n/it/index.php2
-rw-r--r--app/i18n/nl/index.php2
-rw-r--r--app/i18n/ru/index.php2
-rw-r--r--app/i18n/tr/index.php2
-rw-r--r--app/layout/aside_feed.phtml1
-rw-r--r--app/layout/layout.phtml4
-rw-r--r--app/layout/nav_menu.phtml1
-rw-r--r--app/views/auth/formLogin.phtml1
-rw-r--r--app/views/auth/index.phtml1
-rw-r--r--app/views/auth/register.phtml55
-rw-r--r--app/views/configure/archiving.phtml2
-rw-r--r--app/views/configure/display.phtml1
-rw-r--r--app/views/configure/queries.phtml1
-rw-r--r--app/views/configure/reading.phtml1
-rw-r--r--app/views/configure/sharing.phtml1
-rw-r--r--app/views/configure/shortcut.phtml1
-rw-r--r--app/views/configure/system.phtml1
-rwxr-xr-xapp/views/entry/bookmark.phtml19
-rwxr-xr-xapp/views/entry/read.phtml19
-rw-r--r--app/views/extension/index.phtml1
-rw-r--r--app/views/feed/add.phtml1
-rw-r--r--app/views/helpers/feed/update.phtml1
-rw-r--r--app/views/helpers/javascript_vars.phtml1
-rwxr-xr-xapp/views/helpers/logs_pagination.phtml2
-rwxr-xr-xapp/views/helpers/pagination.phtml1
-rw-r--r--app/views/importExport/index.phtml2
-rw-r--r--app/views/index/global.phtml2
-rw-r--r--app/views/index/logs.phtml1
-rw-r--r--app/views/stats/idle.phtml1
-rw-r--r--app/views/subscription/index.phtml7
-rw-r--r--app/views/user/manage.phtml2
-rw-r--r--app/views/user/profile.phtml2
41 files changed, 124 insertions, 71 deletions
diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php
index d0f0bd68b..147a2fe06 100755
--- a/app/Controllers/configureController.php
+++ b/app/Controllers/configureController.php
@@ -139,7 +139,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
*/
public function sharingAction() {
if (Minz_Request::isPost()) {
- $params = Minz_Request::params();
+ $params = Minz_Request::fetchGET();
FreshRSS_Context::$user_conf->sharing = $params['share'];
FreshRSS_Context::$user_conf->save();
invalidateHttpCache();
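Review bot: `Minz_Request::fetchGET()` is now called inside a branch guarded by `Minz_Request::isPost()`, so if fetchGET() returns only the query string the posted `share` array is no longer read and `$params['share']` is undefined; please confirm how the sharing form delivers its fields. If the intent is to keep the new `_csrf` field out of the saved configuration, reading the request parameters and dropping that key explicitly would state it, e.g. `$params = Minz_Request::params(); unset($params['_csrf']);`. The same substitution in the queries hunk below is different in kind, since there the current GET filter is exactly what is being bookmarked. sharingAction's body continues outside the hunk.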
@@ -282,7 +282,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController {
foreach (FreshRSS_Context::$user_conf->queries as $key => $query) {
$queries[$key] = new FreshRSS_UserQuery($query, $feed_dao, $category_dao);
}
- $params = Minz_Request::params();
+ $params = Minz_Request::fetchGET();
$params['url'] = Minz_Url::display(array('params' => $params));
$params['name'] = _t('conf.query.number', count($queries) + 1);
$queries[] = new FreshRSS_UserQuery($params, $feed_dao, $category_dao);
diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php
index 7e626720e..2332d225d 100755
--- a/app/Controllers/indexController.php
+++ b/app/Controllers/indexController.php
@@ -32,9 +32,9 @@ class FreshRSS_index_Controller extends Minz_ActionController {
Minz_Error::error(404);
}
- $this->view->callbackBeforeContent = function() {
+ $this->view->callbackBeforeContent = function($view) {
try {
- $entries = $this->listEntriesByContext();
+ $entries = FreshRSS_index_Controller::listEntriesByContext();
$nb_entries = count($entries);
if ($nb_entries > FreshRSS_Context::$number) {
@@ -55,15 +55,15 @@ class FreshRSS_index_Controller extends Minz_ActionController {
}
}
- $this->view->entries = $entries;
+ $view->entries = $entries;
} catch (FreshRSS_EntriesGetter_Exception $e) {
Minz_Log::notice($e->getMessage());
Minz_Error::error(404);
}
- $this->view->categories = FreshRSS_Context::$categories;
+ $view->categories = FreshRSS_Context::$categories;
- $this->view->rss_title = FreshRSS_Context::$name . ' | ' . Minz_View::title();
+ $view->rss_title = FreshRSS_Context::$name . ' | ' . Minz_View::title();
$title = FreshRSS_Context::$name;
if (FreshRSS_Context::$get_unread > 0) {
$title = '(' . FreshRSS_Context::$get_unread . ') ' . $title;
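Review bot: `$view->rss_title` is built from `FreshRSS_Context::$name` and `Minz_View::title()` and, in layout.phtml, is echoed straight into a `title="…"` attribute, whereas the description meta in the same file goes through `htmlspecialchars(…, ENT_COMPAT, 'UTF-8')`. Both inputs appear to be configuration-controlled, so the exposure is limited, but escaping at the echo site would make the two consistent: `title="<?php echo htmlspecialchars($this->rss_title, ENT_COMPAT, 'UTF-8'); ?>"`. The callback closure starts in the previous hunk and its enclosing method continues outside this one.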
@@ -132,7 +132,7 @@ class FreshRSS_index_Controller extends Minz_ActionController {
}
try {
- $this->view->entries = $this->listEntriesByContext();
+ $this->view->entries = FreshRSS_index_Controller::listEntriesByContext();
} catch (FreshRSS_EntriesGetter_Exception $e) {
Minz_Log::notice($e->getMessage());
Minz_Error::error(404);
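Review bot: Outside the closure, `FreshRSS_index_Controller::listEntriesByContext()` can be written `self::listEntriesByContext();`, which survives a class rename. Inside the callback in the first hunk the fully qualified name may be deliberate, since closures defined before PHP 5.4 carry no class scope; if so, a short comment there would save the next reader the same question. The surrounding try/catch belongs to a method that starts outside the hunk.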
@@ -189,7 +189,7 @@ class FreshRSS_index_Controller extends Minz_ActionController {
/**
* This method returns a list of entries based on the Context object.
*/
- private function listEntriesByContext() {
+ public static function listEntriesByContext() {
$entryDAO = FreshRSS_Factory::createEntryDao();
$get = FreshRSS_Context::currentGet(true);
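Review bot: The docblock above the signature does not record why a previously private instance method is now `public static`, which widens the controller's surface. Suggest adding a line such as `* Public and static so that the layout's callbackBeforeContent can call it without a controller instance.`, since the layout change in this commit passes only the view to the callback. The method body continues beyond the hunk, so its independence from instance state cannot be checked here.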
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 20640266e..f9c371d27 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -57,7 +57,7 @@ class FreshRSS extends Minz_FrontController {
private static function initAuth() {
FreshRSS_Auth::init();
- if (Minz_Request::isPost() && !is_referer_from_same_domain()) {
+ if (Minz_Request::isPost() && !(is_referer_from_same_domain() && FreshRSS_Auth::isCsrfOk())) {
// Basic protection against XSRF attacks
FreshRSS_Auth::removeAccess();
$http_referer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
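Review bot: The new condition rejects a POST when either the referer is foreign or `FreshRSS_Auth::isCsrfOk()` fails, but isCsrfOk() returns true whenever the session holds no token, so until `csrfToken()` has been rendered by some view the referer check remains the only guard. This matters most for auth types that never show a form, where a token is minted only once a page happens to call csrfToken(). Minting the token when the session is established, rather than lazily in the views, would close that window. The comment `// Basic protection against XSRF attacks` should also say that the token check is skipped for token-less sessions, so the weakening is visible at the call site.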
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index d689f7cdb..b93942e19 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -124,6 +124,7 @@ class FreshRSS_Auth {
self::$login_ok = false;
$conf = Minz_Configuration::get('system');
Minz_Session::_param('currentUser', $conf->default_user);
+ Minz_Session::_param('csrf');
switch ($conf->auth_type) {
case 'form':
@@ -156,6 +157,26 @@ class FreshRSS_Auth {
$auth_type = $conf->auth_type;
return $auth_type === 'form';
}
+
+ public static function csrfToken() {
+ $csrf = Minz_Session::param('csrf');
+ if ($csrf == '') {
+ $salt = FreshRSS_Context::$system_conf->salt;
+ $csrf = sha1($salt . uniqid(mt_rand(), true));
+ Minz_Session::_param('csrf', $csrf);
+ }
+ return $csrf;
+ }
+ public static function isCsrfOk($token = null) {
+ $csrf = Minz_Session::param('csrf');
+ if ($csrf == '') {
+ return true; //Not logged in yet
+ }
+ if ($token === null) {
+ $token = Minz_Request::fetchPOST('_csrf');
+ }
+ return $token === $csrf;
+ }
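Review bot: `return $token === $csrf;` compares the secret with a plain string comparison; `hash_equals($csrf, (string) $token)` (PHP 5.6+) avoids leaking the match position through timing, and the cast protects against a non-string POST value. The token is derived from `sha1($salt . uniqid(mt_rand(), true))`, which is not a cryptographic source; where `openssl_random_pseudo_bytes()` is available, `bin2hex(openssl_random_pseudo_bytes(20))` is preferable, and on PHP 7 `random_bytes()` is. The `$csrf == ''` loose comparison is only correct if Minz_Session::param() yields false or null for an absent key — a comment such as `// param() returns false when the key is unset` or `empty($csrf)` would make that explicit.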
}
diff --git a/app/Models/EntryDAOSQLite.php b/app/Models/EntryDAOSQLite.php
index ff049d813..19b97fd3a 100644
--- a/app/Models/EntryDAOSQLite.php
+++ b/app/Models/EntryDAOSQLite.php
@@ -2,11 +2,12 @@
class FreshRSS_EntryDAOSQLite extends FreshRSS_EntryDAO {
- protected function autoAddColumn($errorInfo) {
+ protected function autoUpdateDb($errorInfo) {
if (empty($errorInfo[0]) || $errorInfo[0] == '42S22') { //ER_BAD_FIELD_ERROR
+ //autoAddColumn
if ($tableInfo = $this->bd->query("SELECT sql FROM sqlite_master where name='entry'")) {
$showCreate = $tableInfo->fetchColumn();
- Minz_Log::debug('FreshRSS_EntryDAOSQLite::autoAddColumn: ' . $showCreate);
+ Minz_Log::debug('FreshRSS_EntryDAOSQLite::autoUpdateDb: ' . $showCreate);
foreach (array('lastSeen', 'hash') as $column) {
if (stripos($showCreate, $column) === false) {
return $this->addColumn($column);
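Review bot: The log line hard-codes the method name that this hunk just renamed; `Minz_Log::debug(__METHOD__ . ': ' . $showCreate);` keeps the two from drifting apart again. The added `//autoAddColumn` marker would read better as a sentence explaining the branch, e.g. `// Missing-column error: compare the stored CREATE TABLE statement with the expected columns and add what is absent`. The method continues past the hunk.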
diff --git a/app/i18n/cz/index.php b/app/i18n/cz/index.php
index 5691d12af..cb0e5955d 100644
--- a/app/i18n/cz/index.php
+++ b/app/i18n/cz/index.php
@@ -6,7 +6,7 @@ return array(
'agpl3' => '<a href="https://www.gnu.org/licenses/agpl-3.0.html">AGPL 3</a>',
'bugs_reports' => 'Hlášení chyb',
'credits' => 'Poděkování',
- 'credits_content' => 'Některé designové prvky pocházejí z <a href="http://twitter.github.io/bootstrap/">Bootstrap</a>, FreshRSS ale tuto platformu nevyužívá. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">Ikony</a> pocházejí z <a href="https://www.gnome.org/">GNOME projektu</a>. Font <em>Open Sans</em> vytvořil <a href="https://www.google.com/webfonts/specimen/Open+Sans">Steve Matteson</a>. Favicony jsou shromažďovány pomocí <a href="https://getfavicon.appspot.com/">getFavicon API</a>. FreshRSS je založen na PHP framework <a href="https://github.com/marienfressinaud/MINZ">Minz</a>.',
+ 'credits_content' => 'Některé designové prvky pocházejí z <a href="http://twitter.github.io/bootstrap/">Bootstrap</a>, FreshRSS ale tuto platformu nevyužívá. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">Ikony</a> pocházejí z <a href="https://www.gnome.org/">GNOME projektu</a>. Font <em>Open Sans</em> vytvořil <a href="https://fonts.google.com/specimen/Open+Sans">Steve Matteson</a>. FreshRSS je založen na PHP framework <a href="https://github.com/marienfressinaud/MINZ">Minz</a>.',
'freshrss_description' => 'FreshRSS je čtečka RSS kanálů určená k provozu na vlastním serveru, podobná <a href="http://tontof.net/kriss/feed/">Kriss Feed</a> nebo <a href="http://projet.idleman.fr/leed/">Leed</a>. Je to nenáročný a jednoduchý, zároveň ale mocný a konfigurovatelný nástroj.',
'github' => '<a href="https://github.com/FreshRSS/FreshRSS/issues">na Github</a>',
'license' => 'Licence',
diff --git a/app/i18n/de/index.php b/app/i18n/de/index.php
index 04798cdce..df92d8085 100644
--- a/app/i18n/de/index.php
+++ b/app/i18n/de/index.php
@@ -6,7 +6,7 @@ return array(
'agpl3' => '<a href="https://www.gnu.org/licenses/agpl-3.0.html">AGPL 3</a>',
'bugs_reports' => 'Fehlerberichte',
'credits' => 'Credits',
- 'credits_content' => 'Einige Designelemente stammen von <a href="http://twitter.github.io/bootstrap/">Bootstrap</a>, obwohl FreshRSS dieses Framework nicht nutzt. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">Icons</a> stammen vom <a href="https://www.gnome.org/">GNOME project</a>. <em>Open Sans</em> Font wurde von <a href="https://www.google.com/webfonts/specimen/Open+Sans">Steve Matteson</a> erstellt. Favicons werden mit <a href="https://getfavicon.appspot.com/">getFavicon API</a> gesammelt. FreshRSS basiert auf <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, einem PHP-Framework.',
+ 'credits_content' => 'Einige Designelemente stammen von <a href="http://twitter.github.io/bootstrap/">Bootstrap</a>, obwohl FreshRSS dieses Framework nicht nutzt. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">Icons</a> stammen vom <a href="https://www.gnome.org/">GNOME project</a>. <em>Open Sans</em> Font wurde von <a href="https://fonts.google.com/specimen/Open+Sans">Steve Matteson</a> erstellt. FreshRSS basiert auf <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, einem PHP-Framework.',
'freshrss_description' => 'FreshRSS ist ein RSS-Feedsaggregator zum selbst hosten wie zum Beispiel <a href="http://tontof.net/kriss/feed/">Kriss Feed</a> oder <a href="http://projet.idleman.fr/leed/">Leed</a>. Er ist leicht und einfach zu handhaben und gleichzeitig ein leistungsstarkes und konfigurierbares Werkzeug.',
'github' => '<a href="https://github.com/FreshRSS/FreshRSS/issues">on Github</a>',
'license' => 'Lizenz',
diff --git a/app/i18n/en/index.php b/app/i18n/en/index.php
index 80fa3d950..eb6413e3c 100644
--- a/app/i18n/en/index.php
+++ b/app/i18n/en/index.php
@@ -6,7 +6,7 @@ return array(
'agpl3' => '<a href="https://www.gnu.org/licenses/agpl-3.0.html">AGPL 3</a>',
'bugs_reports' => 'Bugs reports',
'credits' => 'Credits',
- 'credits_content' => 'Some design elements come from <a href="http://twitter.github.io/bootstrap/">Bootstrap</a> although FreshRSS doesn’t use this framework. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">Icons</a> come from <a href="https://www.gnome.org/">GNOME project</a>. <em>Open Sans</em> font police has been created by <a href="https://www.google.com/webfonts/specimen/Open+Sans">Steve Matteson</a>. Favicons are collected with <a href="https://getfavicon.appspot.com/">getFavicon API</a>. FreshRSS is based on <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, a PHP framework.',
+ 'credits_content' => 'Some design elements come from <a href="http://twitter.github.io/bootstrap/">Bootstrap</a> although FreshRSS doesn’t use this framework. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">Icons</a> come from <a href="https://www.gnome.org/">GNOME project</a>. <em>Open Sans</em> font police has been created by <a href="https://fonts.google.com/specimen/Open+Sans">Steve Matteson</a>. FreshRSS is based on <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, a PHP framework.',
'freshrss_description' => 'FreshRSS is a RSS feeds aggregator to self-host like <a href="http://tontof.net/kriss/feed/">Kriss Feed</a> or <a href="http://projet.idleman.fr/leed/">Leed</a>. It is light and easy to take in hand while being powerful and configurable tool.',
'github' => '<a href="https://github.com/FreshRSS/FreshRSS/issues">on Github</a>',
'license' => 'License',
diff --git a/app/i18n/fr/index.php b/app/i18n/fr/index.php
index 7e028ab92..62eedc280 100644
--- a/app/i18n/fr/index.php
+++ b/app/i18n/fr/index.php
@@ -6,7 +6,7 @@ return array(
'agpl3' => '<a href="https://www.gnu.org/licenses/agpl-3.0.html">AGPL 3</a>',
'bugs_reports' => 'Rapports de bugs',
'credits' => 'Crédits',
- 'credits_content' => 'Des éléments de design sont issus du <a href="http://twitter.github.io/bootstrap/">projet Bootstrap</a> bien que FreshRSS n’utilise pas ce framework. Les <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">icônes</a> sont issues du <a href="https://www.gnome.org/">projet GNOME</a>. La police <em>Open Sans</em> utilisée a été créée par <a href="https://www.google.com/webfonts/specimen/Open+Sans">Steve Matteson</a>. Les favicons sont récupérés grâce au site <a href="https://getfavicon.appspot.com/">getFavicon</a>. FreshRSS repose sur <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, un framework PHP.',
+ 'credits_content' => 'Des éléments de design sont issus du <a href="http://twitter.github.io/bootstrap/">projet Bootstrap</a> bien que FreshRSS n’utilise pas ce framework. Les <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">icônes</a> sont issues du <a href="https://www.gnome.org/">projet GNOME</a>. La police <em>Open Sans</em> utilisée a été créée par <a href="https://fonts.google.com/specimen/Open+Sans">Steve Matteson</a>. FreshRSS repose sur <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, un framework PHP.',
'freshrss_description' => 'FreshRSS est un agrégateur de flux RSS à auto-héberger à l’image de <a href="http://tontof.net/kriss/feed/">Kriss Feed</a> ou <a href="http://projet.idleman.fr/leed/">Leed</a>. Il se veut léger et facile à prendre en main tout en étant un outil puissant et paramétrable.',
'github' => '<a href="https://github.com/FreshRSS/FreshRSS/issues">sur Github</a>',
'license' => 'Licence',
diff --git a/app/i18n/it/index.php b/app/i18n/it/index.php
index 584b044b1..d79502c79 100644
--- a/app/i18n/it/index.php
+++ b/app/i18n/it/index.php
@@ -6,7 +6,7 @@ return array(
'agpl3' => '<a href="https://www.gnu.org/licenses/agpl-3.0.html">AGPL 3</a>',
'bugs_reports' => 'Bugs',
'credits' => 'Crediti',
- 'credits_content' => 'Alcuni elementi di design provengono da <a href="http://twitter.github.io/bootstrap/">Bootstrap</a> sebbene FreshRSS non usi questo framework. Le <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">icone</a> provengono dal progetto <a href="https://www.gnome.org/">GNOME</a>. Il carattere <em>Open Sans</em> è stato creato da <a href="https://www.google.com/webfonts/specimen/Open+Sans">Steve Matteson</a>. Le Favicons vengono estratte con le API <a href="https://getfavicon.appspot.com/">getFavicon</a>. FreshRSS è basato su <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, un framework PHP.',
+ 'credits_content' => 'Alcuni elementi di design provengono da <a href="http://twitter.github.io/bootstrap/">Bootstrap</a> sebbene FreshRSS non usi questo framework. Le <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">icone</a> provengono dal progetto <a href="https://www.gnome.org/">GNOME</a>. Il carattere <em>Open Sans</em> è stato creato da <a href="https://fonts.google.com/specimen/Open+Sans">Steve Matteson</a>. FreshRSS è basato su <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, un framework PHP.',
'freshrss_description' => 'FreshRSS è un aggregatore di feeds RSS da installare sul proprio host come <a href="http://tontof.net/kriss/feed/">Kriss Feed</a> o <a href="http://projet.idleman.fr/leed/">Leed</a>. Leggero e facile da mantenere pur essendo molto configurabile e potente.',
'github' => '<a href="https://github.com/FreshRSS/FreshRSS/issues">su Github</a>',
'license' => 'Licenza',
diff --git a/app/i18n/nl/index.php b/app/i18n/nl/index.php
index df6a064e4..751806bfa 100644
--- a/app/i18n/nl/index.php
+++ b/app/i18n/nl/index.php
@@ -6,7 +6,7 @@ return array(
'agpl3' => '<a href="https://www.gnu.org/licenses/agpl-3.0.html">AGPL 3</a>',
'bugs_reports' => 'Rapporteer fouten',
'credits' => 'Waarderingen',
- 'credits_content' => 'Sommige ontwerp elementen komen van <a href="http://twitter.github.io/bootstrap/">Bootstrap</a> alhoewel FreshRSS dit raamwerk niet gebruikt. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">Pictogrammen</a> komen van het <a href="https://www.gnome.org/">GNOME project</a>. <em>De Open Sans</em> font police is gemaakt door <a href="https://www.google.com/webfonts/specimen/Open+Sans">Steve Matteson</a>. Favicons zijn verzameld met de <a href="https://getfavicon.appspot.com/">getFavicon API</a>. FreshRSS is gebaseerd op <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, een PHP raamwerk. Nederlandse vertaling door Wanabo, <a href="http://www.nieuwskop.be" title="NieuwsKop">NieuwsKop.be</a>. Link naar de Nederlandse vertaling, <a href="https://github.com/Wanabo/FreshRSS-Dutch-translation/tree/master">FreshRSS-Dutch-translation</a>.',
+ 'credits_content' => 'Sommige ontwerp elementen komen van <a href="http://twitter.github.io/bootstrap/">Bootstrap</a> alhoewel FreshRSS dit raamwerk niet gebruikt. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">Pictogrammen</a> komen van het <a href="https://www.gnome.org/">GNOME project</a>. <em>De Open Sans</em> font police is gemaakt door <a href="https://fonts.google.com/specimen/Open+Sans">Steve Matteson</a>. FreshRSS is gebaseerd op <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, een PHP raamwerk. Nederlandse vertaling door Wanabo, <a href="http://www.nieuwskop.be" title="NieuwsKop">NieuwsKop.be</a>. Link naar de Nederlandse vertaling, <a href="https://github.com/Wanabo/FreshRSS-Dutch-translation/tree/master">FreshRSS-Dutch-translation</a>.',
'freshrss_description' => 'FreshRSS is een RSS feed aggregator om zelf te hosten zoals <a href="http://tontof.net/kriss/feed/">Kriss Feed</a> of <a href="http://projet.idleman.fr/leed/">Leed</a>. Het gebruikt weinig systeembronnen en is makkelijk te administreren terwijl het een krachtig en makkelijk te configureren programma is.',
'github' => '<a href="https://github.com/FreshRSS/FreshRSS/issues">op Github</a>',
'license' => 'License',
diff --git a/app/i18n/ru/index.php b/app/i18n/ru/index.php
index 80fa3d950..eb6413e3c 100644
--- a/app/i18n/ru/index.php
+++ b/app/i18n/ru/index.php
@@ -6,7 +6,7 @@ return array(
'agpl3' => '<a href="https://www.gnu.org/licenses/agpl-3.0.html">AGPL 3</a>',
'bugs_reports' => 'Bugs reports',
'credits' => 'Credits',
- 'credits_content' => 'Some design elements come from <a href="http://twitter.github.io/bootstrap/">Bootstrap</a> although FreshRSS doesn’t use this framework. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">Icons</a> come from <a href="https://www.gnome.org/">GNOME project</a>. <em>Open Sans</em> font police has been created by <a href="https://www.google.com/webfonts/specimen/Open+Sans">Steve Matteson</a>. Favicons are collected with <a href="https://getfavicon.appspot.com/">getFavicon API</a>. FreshRSS is based on <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, a PHP framework.',
+ 'credits_content' => 'Some design elements come from <a href="http://twitter.github.io/bootstrap/">Bootstrap</a> although FreshRSS doesn’t use this framework. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">Icons</a> come from <a href="https://www.gnome.org/">GNOME project</a>. <em>Open Sans</em> font police has been created by <a href="https://fonts.google.com/specimen/Open+Sans">Steve Matteson</a>. FreshRSS is based on <a href="https://github.com/marienfressinaud/MINZ">Minz</a>, a PHP framework.',
'freshrss_description' => 'FreshRSS is a RSS feeds aggregator to self-host like <a href="http://tontof.net/kriss/feed/">Kriss Feed</a> or <a href="http://projet.idleman.fr/leed/">Leed</a>. It is light and easy to take in hand while being powerful and configurable tool.',
'github' => '<a href="https://github.com/FreshRSS/FreshRSS/issues">on Github</a>',
'license' => 'License',
diff --git a/app/i18n/tr/index.php b/app/i18n/tr/index.php
index 9912203c8..cb36d6717 100644
--- a/app/i18n/tr/index.php
+++ b/app/i18n/tr/index.php
@@ -6,7 +6,7 @@ return array(
'agpl3' => '<a href="https://www.gnu.org/licenses/agpl-3.0.html">AGPL 3</a>',
'bugs_reports' => 'Hata raporu',
'credits' => 'Tanıtım',
- 'credits_content' => 'Bu frameworkü kullanmamasına rağmen FreshRSS bazı tasarım ögelerini <a href="http://twitter.github.io/bootstrap/">Bootstrap</a> dan almıştır. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">İkonlar</a> <a href="https://www.gnome.org/">GNOME projesinden</a> alınmıştır. <em>Open Sans</em> yazı tipi <a href="https://www.google.com/webfonts/specimen/Open+Sans">Steve Matteson</a> tarafından oluşturulmuştur. Site ikonları <a href="https://getfavicon.appspot.com/">getFavicon API</a> ile oluşturuldu. FreshRSS bir PHP framework olan <a href="https://github.com/marienfressinaud/MINZ">Minz</a> i temel alır.',
+ 'credits_content' => 'Bu frameworkü kullanmamasına rağmen FreshRSS bazı tasarım ögelerini <a href="http://twitter.github.io/bootstrap/">Bootstrap</a> dan almıştır. <a href="https://git.gnome.org/browse/gnome-icon-theme-symbolic">İkonlar</a> <a href="https://www.gnome.org/">GNOME projesinden</a> alınmıştır. <em>Open Sans</em> yazı tipi <a href="https://fonts.google.com/specimen/Open+Sans">Steve Matteson</a> tarafından oluşturulmuştur. FreshRSS bir PHP framework olan <a href="https://github.com/marienfressinaud/MINZ">Minz</a> i temel alır.',
'freshrss_description' => 'FreshRSS <a href="http://tontof.net/kriss/feed/">Kriss Feed</a> veya <a href="http://projet.idleman.fr/leed/">Leed</a> gibi kendi hostunuzda çalışan bir RSS akış toplayıcısıdır. Güçlü ve yapılandırılabilir araçlarıyla basit ve kullanımı kolay bir uygulamadır.',
'github' => '<a href="https://github.com/FreshRSS/FreshRSS/issues">Github sayfası</a>',
'license' => 'Lisans',
diff --git a/app/layout/aside_feed.phtml b/app/layout/aside_feed.phtml
index 67507b88d..e8fdbf842 100644
--- a/app/layout/aside_feed.phtml
+++ b/app/layout/aside_feed.phtml
@@ -20,6 +20,7 @@
<?php } ?>
<form id="mark-read-aside" method="post">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<ul class="tree">
<li class="tree-folder category all<?php echo FreshRSS_Context::isCurrentGet('a') ? ' active' : ''; ?>">
<div class="tree-folder-title">
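Review bot: The hidden `_csrf` input is added verbatim here and in nav_menu, formLogin, auth/index, register and every configure view in this commit, with the field name also hard-coded in `FreshRSS_Auth::isCsrfOk()`. A single helper emitting the input, for example a static `FreshRSS_Auth::csrfInput()` or a view partial, would keep the field name and the HTML escaping of the value in one place; the value is currently echoed raw, which is safe only as long as csrfToken() keeps returning a hex string. One-line call sites also make it easier to audit that every POST form carries the token.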
diff --git a/app/layout/layout.phtml b/app/layout/layout.phtml
index 6906fa05f..189d93fbe 100644
--- a/app/layout/layout.phtml
+++ b/app/layout/layout.phtml
@@ -23,7 +23,7 @@
<?php
flush();
if (isset($this->callbackBeforeContent)) {
- call_user_func($this->callbackBeforeContent);
+ call_user_func($this->callbackBeforeContent, $this);
}
?>
<?php echo self::headTitle(); ?>
@@ -41,6 +41,8 @@
$url_rss['a'] = 'rss';
?>
<link rel="alternate" type="application/rss+xml" title="<?php echo $this->rss_title; ?>" href="<?php echo Minz_Url::display($url_rss); ?>" />
+<?php } if (!FreshRSS_Context::$system_conf->allow_referrer) { ?>
+ <meta name="referrer" content="never" />
<?php } if (FreshRSS_Context::$system_conf->allow_robots) { ?>
<meta name="description" content="<?php echo htmlspecialchars(FreshRSS_Context::$name . ' | ' . FreshRSS_Context::$description, ENT_COMPAT, 'UTF-8'); ?>" />
<?php } else { ?>
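Review bot: `<meta name="referrer" content="never" />` suppresses the Referer header on same-origin form submissions as well as on outbound links, and the new XSRF check in FreshRSS.php requires `is_referer_from_same_domain()` to pass on every POST; if that function treats an absent Referer as foreign, turning `allow_referrer` off would reject every form in the application. Please confirm how a missing Referer is handled, or use a policy such as `same-origin` (browser support for that token should be checked against the supported browser range). Either way, a comment next to the meta tag noting its dependency on the POST check would prevent the two from being changed independently.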
diff --git a/app/layout/nav_menu.phtml b/app/layout/nav_menu.phtml
index 92268ff67..17655acbf 100644
--- a/app/layout/nav_menu.phtml
+++ b/app/layout/nav_menu.phtml
@@ -88,6 +88,7 @@
type="submit"><?php echo _t('gen.action.mark_read'); ?></button>
<div class="dropdown">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<div id="dropdown-read" class="dropdown-target"></div>
<a class="dropdown-toggle btn" href="#dropdown-read"><?php echo _i('down'); ?></a>
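Review bot: The hidden `_csrf` input is placed inside `<div class="dropdown">` after the submit button, and the `<form>` opening tag is outside the hunk. Please confirm the dropdown sits within the form element; otherwise the mark-as-read POST would be submitted without the token and be rejected by the new check in FreshRSS.php.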
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml
index b0083944f..4bbc8ed55 100644
--- a/app/views/auth/formLogin.phtml
+++ b/app/views/auth/formLogin.phtml
@@ -6,6 +6,7 @@
<?php } ?>
<form id="crypto-form" method="post" action="<?php echo _url('auth', 'login'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<div>
<label for="username"><?php echo _t('gen.auth.username'); ?></label>
<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" />
diff --git a/app/views/auth/index.phtml b/app/views/auth/index.phtml
index 8f81ac856..74e692ec5 100644
--- a/app/views/auth/index.phtml
+++ b/app/views/auth/index.phtml
@@ -4,6 +4,7 @@
<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
<form method="post" action="<?php echo _url('auth', 'index'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('admin.auth.type'); ?></legend>
<div class="form-group">
diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml
index 0c261319a..1f9976391 100644
--- a/app/views/auth/register.phtml
+++ b/app/views/auth/register.phtml
@@ -1,33 +1,34 @@
<div class="prompt">
- <h1><?php echo _t('gen.auth.registration'); ?></h1>
+ <h1><?php echo _t('gen.auth.registration'); ?></h1>
- <form method="post" action="<?php echo _url('user', 'create'); ?>">
- <div>
- <label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label>
- <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" />
- </div>
+ <form method="post" action="<?php echo _url('user', 'create'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
+ <div>
+ <label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label>
+ <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" />
+ </div>
- <div>
- <label class="group-name" for="new_user_passwordPlain"><?php echo _t('gen.auth.password'), '<br />', _i('help'), ' ', _t('gen.auth.password.format'); ?></label>
- <div class="stick">
- <input type="password" id="new_user_passwordPlain" name="new_user_passwordPlain" required="required" autocomplete="off" pattern=".{7,}" />
- <a class="btn toggle-password" data-toggle="new_user_passwordPlain"><?php echo _i('key'); ?></a>
- </div>
- <noscript><b><?php echo _t('gen.js.should_be_activated'); ?></b></noscript>
- </div>
+ <div>
+ <label class="group-name" for="new_user_passwordPlain"><?php echo _t('gen.auth.password'), '<br />', _i('help'), ' ', _t('gen.auth.password.format'); ?></label>
+ <div class="stick">
+ <input type="password" id="new_user_passwordPlain" name="new_user_passwordPlain" required="required" autocomplete="off" pattern=".{7,}" />
+ <a class="btn toggle-password" data-toggle="new_user_passwordPlain"><?php echo _i('key'); ?></a>
+ </div>
+ <noscript><b><?php echo _t('gen.js.should_be_activated'); ?></b></noscript>
+ </div>
- <div>
- <?php
- $redirect_url = urlencode(Minz_Url::display(
- array('c' => 'index', 'a' => 'index'),
- 'php', true
- ));
- ?>
- <input type="hidden" name="r" value="<?php echo $redirect_url; ?>" />
- <button type="submit" class="btn btn-important"><?php echo _t('gen.action.create'); ?></button>
- <a class="btn" href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.cancel'); ?></a>
- </div>
- </form>
+ <div>
+ <?php
+ $redirect_url = urlencode(Minz_Url::display(
+ array('c' => 'index', 'a' => 'index'),
+ 'php', true
+ ));
+ ?>
+ <input type="hidden" name="r" value="<?php echo $redirect_url; ?>" />
+ <button type="submit" class="btn btn-important"><?php echo _t('gen.action.create'); ?></button>
+ <a class="btn" href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.cancel'); ?></a>
+ </div>
+ </form>
- <p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('gen.freshrss.about'); ?></a></p>
+ <p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('gen.freshrss.about'); ?></a></p>
</div>
diff --git a/app/views/configure/archiving.phtml b/app/views/configure/archiving.phtml
index 52ee98a48..2254f5dba 100644
--- a/app/views/configure/archiving.phtml
+++ b/app/views/configure/archiving.phtml
@@ -4,6 +4,7 @@
<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
<form method="post" action="<?php echo _url('configure', 'archiving'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('conf.archiving'); ?></legend>
<p><?php echo _i('help'); ?> <?php echo _t('conf.archiving.help'); ?></p>
@@ -55,6 +56,7 @@
</form>
<form method="post" action="<?php echo _url('entry', 'optimize'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('conf.archiving.advanced'); ?></legend>
<div class="form-group">
diff --git a/app/views/configure/display.phtml b/app/views/configure/display.phtml
index db6d7951c..62ecc1080 100644
--- a/app/views/configure/display.phtml
+++ b/app/views/configure/display.phtml
@@ -4,6 +4,7 @@
<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
<form method="post" action="<?php echo _url('configure', 'display'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('conf.display'); ?></legend>
<div class="form-group">
diff --git a/app/views/configure/queries.phtml b/app/views/configure/queries.phtml
index 50df4cfea..0dffa268d 100644
--- a/app/views/configure/queries.phtml
+++ b/app/views/configure/queries.phtml
@@ -4,6 +4,7 @@
<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
<form method="post" action="<?php echo _url('configure', 'queries'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('conf.query'); ?></legend>
<?php foreach ($this->queries as $key => $query) { ?>
diff --git a/app/views/configure/reading.phtml b/app/views/configure/reading.phtml
index 9c54b6bd5..07dabf15f 100644
--- a/app/views/configure/reading.phtml
+++ b/app/views/configure/reading.phtml
@@ -4,6 +4,7 @@
<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
<form method="post" action="<?php echo _url('configure', 'reading'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('conf.reading'); ?></legend>
<div class="form-group">
diff --git a/app/views/configure/sharing.phtml b/app/views/configure/sharing.phtml
index 7bf435777..0dad5bf6d 100644
--- a/app/views/configure/sharing.phtml
+++ b/app/views/configure/sharing.phtml
@@ -15,6 +15,7 @@
<a href="#" class="remove btn btn-attention" data-remove="group-share-##key##"><?php echo _i('close'); ?></a></div>
<a target="_blank" class="btn" title="<?php echo _t('conf.sharing.more_information'); ?>" href="##help##"><?php echo _i('help'); ?></a>
</div></div>'>
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('conf.sharing'); ?></legend>
<?php
foreach (FreshRSS_Context::$user_conf->sharing as $key => $share_options) {
diff --git a/app/views/configure/shortcut.phtml b/app/views/configure/shortcut.phtml
index 264a5f805..dceeb17de 100644
--- a/app/views/configure/shortcut.phtml
+++ b/app/views/configure/shortcut.phtml
@@ -12,6 +12,7 @@
<?php $s = FreshRSS_Context::$user_conf->shortcuts; ?>
<form method="post" action="<?php echo _url('configure', 'shortcut'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('conf.shortcut'); ?></legend>
<noscript><p class="alert alert-error"><?php echo _t('conf.shortcut.javascript'); ?></p></noscript>
diff --git a/app/views/configure/system.phtml b/app/views/configure/system.phtml
index 4af669eb0..935b49fda 100644
--- a/app/views/configure/system.phtml
+++ b/app/views/configure/system.phtml
@@ -4,6 +4,7 @@
<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
<form method="post" action="<?php echo _url('configure', 'system'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('admin.system'); ?></legend>
<div class="form-group">
diff --git a/app/views/entry/bookmark.phtml b/app/views/entry/bookmark.phtml
index 6b5a4ed03..d85706669 100755
--- a/app/views/entry/bookmark.phtml
+++ b/app/views/entry/bookmark.phtml
@@ -1,17 +1,16 @@
<?php
header('Content-Type: application/json; charset=UTF-8');
-if (Minz_Request::param('is_favorite', true)) {
- Minz_Request::_param('is_favorite', 0);
-} else {
- Minz_Request::_param('is_favorite', 1);
-}
-
-$url = Minz_Url::display(array(
+$url = array(
'c' => Minz_Request::controllerName(),
'a' => Minz_Request::actionName(),
- 'params' => Minz_Request::params(),
-));
+ 'params' => Minz_Request::fetchGET(),
+);
+
+$url['params']['is_favorite'] = Minz_Request::param('is_favorite', true) ? '0' : '1';
FreshRSS::loadStylesAndScripts();
-echo json_encode(array('url' => str_ireplace('&amp;', '&', $url), 'icon' => _i(Minz_Request::param('is_favorite') ? 'non-starred' : 'starred')));
+echo json_encode(array(
+ 'url' => str_ireplace('&amp;', '&', Minz_Url::display($url)),
+ 'icon' => _i($url['params']['is_favorite'] === '1' ? 'non-starred' : 'starred')
+ ));
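Review bot: The `url` value returned on the last lines is built from `Minz_Request::fetchGET()` and then has `&amp;` folded back to `&`, so it is a raw, unescaped URL carrying every query parameter the client sent; the consuming JavaScript must treat it as data (assign it to an href/action property, never via innerHTML), which nothing in this file states. The switch from `params()` to `fetchGET()` presumably exists so POST-only fields such as the new `_csrf` are not copied into a link, and that reasoning deserves a comment on the array literal: `// Build the toggle URL from GET only: POST fields (e.g. _csrf) must not be copied into a link.`. Note also that `Minz_Request::param('is_favorite', true)` decides by PHP truthiness, so a value like `"false"` is treated as favorite; comparing explicitly against `'1'` would match the strict `=== '1'` used for the icon below.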
diff --git a/app/views/entry/read.phtml b/app/views/entry/read.phtml
index 7d0e3de82..73977d94b 100755
--- a/app/views/entry/read.phtml
+++ b/app/views/entry/read.phtml
@@ -1,17 +1,16 @@
<?php
header('Content-Type: application/json; charset=UTF-8');
-if (Minz_Request::param('is_read', true)) {
- Minz_Request::_param('is_read', 0);
-} else {
- Minz_Request::_param('is_read', 1);
-}
-
-$url = Minz_Url::display(array(
+$url = array(
'c' => Minz_Request::controllerName(),
'a' => Minz_Request::actionName(),
- 'params' => Minz_Request::params(),
-));
+ 'params' => Minz_Request::fetchGET(),
+);
+
+$url['params']['is_read'] = Minz_Request::param('is_read', true) ? '0' : '1';
FreshRSS::loadStylesAndScripts();
-echo json_encode(array('url' => str_ireplace('&amp;', '&', $url), 'icon' => _i(Minz_Request::param('is_read') ? 'unread' : 'read')));
+echo json_encode(array(
+ 'url' => str_ireplace('&amp;', '&', Minz_Url::display($url)),
+ 'icon' => _i($url['params']['is_read'] === '1' ? 'unread' : 'read')
+ ));
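Review bot: This view is now line-for-line the same as the new `entry/bookmark.phtml` with only the parameter name (`is_read`) and the icon pair (`unread`/`read`) changed, so the toggle-URL construction, the `&amp;` unescaping and the JSON shape are maintained in two places. A small shared helper taking the parameter name and the two icon names, returning the array both views hand to `json_encode`, would remove the duplication and ensure any later fix (escaping, a stricter flag check) lands in both toggles at once. The same truthiness caveat applies here: `Minz_Request::param('is_read', true)` treats any non-empty string except `'0'` as "read".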
diff --git a/app/views/extension/index.phtml b/app/views/extension/index.phtml
index b26334937..7cb16bfff 100644
--- a/app/views/extension/index.phtml
+++ b/app/views/extension/index.phtml
@@ -6,6 +6,7 @@
<h1><?php echo _t('admin.extensions.title'); ?></h1>
<form id="form-extension" method="post">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<?php if (!empty($this->extension_list['system'])) { ?>
<h2><?php echo _t('admin.extensions.system'); ?></h2>
<?php
diff --git a/app/views/feed/add.phtml b/app/views/feed/add.phtml
index fd6d41b1d..caf685d79 100644
--- a/app/views/feed/add.phtml
+++ b/app/views/feed/add.phtml
@@ -7,6 +7,7 @@
<?php } ?>
<form method="post" action="<?php echo _url('feed', 'add'); ?>" autocomplete="off">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('sub.feed.informations'); ?></legend>
<?php if ($this->load_ok) { ?>
<div class="form-group">
diff --git a/app/views/helpers/feed/update.phtml b/app/views/helpers/feed/update.phtml
index 72084d8fa..b7e8f68cd 100644
--- a/app/views/helpers/feed/update.phtml
+++ b/app/views/helpers/feed/update.phtml
@@ -18,6 +18,7 @@
<?php } ?>
<form method="post" action="<?php echo _url('subscription', 'feed', 'id', $this->feed->id()); ?>" autocomplete="off">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('sub.feed.informations'); ?></legend>
<div class="form-group">
<label class="group-name" for="name"><?php echo _t('sub.feed.title'); ?></label>
diff --git a/app/views/helpers/javascript_vars.phtml b/app/views/helpers/javascript_vars.phtml
index 1aa43a207..745baa195 100644
--- a/app/views/helpers/javascript_vars.phtml
+++ b/app/views/helpers/javascript_vars.phtml
@@ -16,6 +16,7 @@ echo htmlspecialchars(json_encode(array(
'html5_notif_timeout' => FreshRSS_Context::$user_conf->html5_notif_timeout,
'auth_type' => FreshRSS_Context::$system_conf->auth_type,
'current_view' => Minz_Request::actionName(),
+ 'csrf' => FreshRSS_Auth::csrfToken(),
),
'shortcuts' => array(
'mark_read' => @$s['mark_read'],
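Review bot: Adding `'csrf'` here places the anti-CSRF token in a page attribute readable by any script running on the page, so the protection added across this commit is only as strong as the output escaping that prevents XSS elsewhere (feed and category content in particular). That trade-off is standard for AJAX clients but should be written down next to the new line, e.g. `// Token for AJAX requests; any XSS on the page can read it, so CSRF protection depends on output escaping.`. The surrounding `htmlspecialchars(json_encode(...))` already attribute-escapes the token here, whereas the hidden inputs added in the other views echo it raw; the two should be made consistent. The json_encode call opens before this hunk.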
diff --git a/app/views/helpers/logs_pagination.phtml b/app/views/helpers/logs_pagination.phtml
index 58b3c68f4..bf9d91f04 100755
--- a/app/views/helpers/logs_pagination.phtml
+++ b/app/views/helpers/logs_pagination.phtml
@@ -1,7 +1,7 @@
<?php
$c = Minz_Request::controllerName();
$a = Minz_Request::actionName();
- $params = Minz_Request::params();
+ $params = Minz_Request::fetchGET();
?>
<?php if ($this->nbPage > 1) { ?>
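Review bot: Switching `$params` to `Minz_Request::fetchGET()` means pagination links no longer carry fields that arrived in a POST body; on the logs page this helper serves, that presumably keeps `clearLogs` (and the new `_csrf`) out of the next-page link, where a later GET could otherwise replay the clear action. The intent is not obvious from a one-word change and deserves a comment on the new line: `// GET only: never copy POST fields (clearLogs, _csrf) into pagination links.`. The rest of the helper's output lies outside this hunk.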
diff --git a/app/views/helpers/pagination.phtml b/app/views/helpers/pagination.phtml
index d1c3cc72c..23c45114d 100755
--- a/app/views/helpers/pagination.phtml
+++ b/app/views/helpers/pagination.phtml
@@ -15,6 +15,7 @@
?>
<form id="mark-read-pagination" method="post">
+<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<ul class="pagination">
<li class="item pager-next">
<?php if (FreshRSS_Context::$next_id) { ?>
diff --git a/app/views/importExport/index.phtml b/app/views/importExport/index.phtml
index a64524bf1..c0bc412c3 100644
--- a/app/views/importExport/index.phtml
+++ b/app/views/importExport/index.phtml
@@ -4,6 +4,7 @@
<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
<form method="post" action="<?php echo _url('importExport', 'import'); ?>" enctype="multipart/form-data">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('sub.import_export.import'); ?></legend>
<div class="form-group">
<label class="group-name" for="file">
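Review bot: On a `multipart/form-data` form, an upload larger than PHP's `post_max_size` arrives with an empty `$_POST`, so the new `_csrf` field vanishes together with the file and the controller will most likely report a CSRF failure instead of a file-size problem. The import controller is not in this view; it should detect that condition (`empty($_POST) && !empty($_SERVER['CONTENT_LENGTH'])`) before the token check and return a clear "file too large" error. Placing the hidden token ahead of the file input, as this hunk does, is otherwise the right order. The form continues past the hunk.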
@@ -23,6 +24,7 @@
<?php if (count($this->feeds) > 0) { ?>
<form method="post" action="<?php echo _url('importExport', 'export'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('sub.import_export.export'); ?></legend>
<div class="form-group">
<div class="group-controls">
diff --git a/app/views/index/global.phtml b/app/views/index/global.phtml
index 0ffa3bc54..1e53e4f8c 100644
--- a/app/views/index/global.phtml
+++ b/app/views/index/global.phtml
@@ -14,7 +14,7 @@
$url_base = array(
'c' => 'index',
'a' => 'normal',
- 'params' => Minz_Request::params()
+ 'params' => Minz_Request::fetchGET(),
);
foreach ($this->categories as $cat) {
diff --git a/app/views/index/logs.phtml b/app/views/index/logs.phtml
index 0938491c3..a88f89278 100644
--- a/app/views/index/logs.phtml
+++ b/app/views/index/logs.phtml
@@ -3,6 +3,7 @@
<h1><?php echo _t('index.log'); ?></h1>
<form method="post" action="<?php echo _url('index', 'logs'); ?>"><p>
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<input type="hidden" name="clearLogs" />
<button type="submit" class="btn"><?php echo _t('index.log.clear'); ?></button>
</p></form>
diff --git a/app/views/stats/idle.phtml b/app/views/stats/idle.phtml
index 8c5f182c2..88c78d465 100644
--- a/app/views/stats/idle.phtml
+++ b/app/views/stats/idle.phtml
@@ -19,6 +19,7 @@
<h2><?php echo _t('gen.date.' . $period); ?></h2>
<form id="form-delete" method="post">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<?php foreach ($feeds as $feed) { ?>
<ul class="horizontal-list">
<li class="item">
diff --git a/app/views/subscription/index.phtml b/app/views/subscription/index.phtml
index 07cebf817..48f760d3e 100644
--- a/app/views/subscription/index.phtml
+++ b/app/views/subscription/index.phtml
@@ -6,6 +6,7 @@
<h2><?php echo _t('sub.title'); ?></h2>
<form id="add_rss" method="post" action="<?php echo _url('feed', 'add'); ?>" autocomplete="off">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<div class="stick">
<input type="url" name="url_rss" class="long" placeholder="<?php echo _t('sub.feed.add'); ?>" />
<div class="dropdown">
@@ -56,13 +57,16 @@
<ul class="box-content box-content-centered">
<form action="<?php echo _url('category', 'create'); ?>" method="post">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<li class="item"><input type="text" id="new-category" name="new-category" placeholder="<?php echo _t('sub.category.new'); ?>" /></li>
<li class="item"><button class="btn btn-important" type="submit"><?php echo _t('gen.action.submit'); ?></button></li>
</form>
</ul>
</div>
- <form id="controller-category" method="post" aria-hidden="true"></form>
+ <form id="controller-category" method="post" aria-hidden="true">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
+ </form>
<?php
foreach ($this->categories as $cat) {
@@ -71,6 +75,7 @@
<div class="box">
<div class="box-title">
<form action="<?php echo _url('category', 'update', 'id', $cat->id()); ?>" method="post">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<input type="text" name="name" value="<?php echo $cat->name(); ?>" />
<div class="dropdown">
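Review bot: The context line directly below the added token, `<input type="text" name="name" value="<?php echo $cat->name(); ?>" />`, echoes the category name into an attribute without escaping, so a name containing `"` breaks out of the attribute. Unless `$cat->name()` is known to return an already-escaped value (not visible here), it should read `value="<?php echo htmlspecialchars($cat->name(), ENT_QUOTES, 'UTF-8'); ?>"`. Category names originate from the `new-category` form earlier in this file, so this is user-controlled input. The form and the enclosing foreach continue outside the hunk.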
diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml
index e48841d9b..aab3aa4c4 100644
--- a/app/views/user/manage.phtml
+++ b/app/views/user/manage.phtml
@@ -4,6 +4,7 @@
<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
<form method="post" action="<?php echo _url('user', 'create'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('admin.user.create'); ?></legend>
<div class="form-group">
@@ -46,6 +47,7 @@
</form>
<form method="post" action="<?php echo _url('user', 'delete'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('admin.user.users'); ?></legend>
<div class="form-group">
diff --git a/app/views/user/profile.phtml b/app/views/user/profile.phtml
index 51a5aed2f..429375e44 100644
--- a/app/views/user/profile.phtml
+++ b/app/views/user/profile.phtml
@@ -4,6 +4,7 @@
<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
<form method="post" action="<?php echo _url('user', 'profile'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('conf.profile'); ?></legend>
<div class="form-group">
@@ -52,6 +53,7 @@
<?php if (!FreshRSS_Auth::hasAccess('admin')) { ?>
<form id="crypto-form" method="post" action="<?php echo _url('user', 'delete'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<legend><?php echo _t('conf.profile.delete'); ?></legend>
<p class="alert alert-warn"><span class="alert-head"><?php echo _t('gen.short.attention'); ?></span> <?php echo _t('conf.profile.delete.warn'); ?></p>