From f612a560d28a31095c27c130e84bf6ff39f061f5 Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Wed, 24 Sep 2025 12:13:40 +0200
Subject: Fix some CSRFs (#8000)

In two bookmark actions and one in `entryController`

Completes one TODO from #7923:

https://github.com/FreshRSS/FreshRSS/blob/de624dc8ce63ec819c61216d9d44f828841c293e/app/Controllers/entryController.php#L257

(a POST request is already sent in the frontend)
---
 app/layout/nav_menu.phtml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app/layout')

diff --git a/app/layout/nav_menu.phtml b/app/layout/nav_menu.phtml
index 11efa5763..2f09465aa 100644
--- a/app/layout/nav_menu.phtml
+++ b/app/layout/nav_menu.phtml
@@ -96,7 +96,7 @@
 					$url_query['c'] = 'configure';
 					$url_query['a'] = 'bookmarkQuery';
 				?>
-				<li class="item<?= $classSeparator ?>"><a href="<?= Minz_Url::display($url_query) ?>"><?= _i('bookmark-add') ?> <?= _t('index.menu.bookmark_query') ?></a></li>
+				<li class="item<?= $classSeparator ?>"><button class="as-link" form="post-csrf" formaction="<?= Minz_Url::display($url_query) ?>"><?= _i('bookmark-add') ?> <?= _t('index.menu.bookmark_query') ?></button></li>
 			</ul>
 			<a class="dropdown-close" href="#close">❌</a>
 		</div>
-- 
cgit v1.2.3