From 56ffc115d15bf136bfced74707ccc1f41c7b5e44 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 13 Aug 2016 19:10:32 +0200 Subject: Do not mix POST and GET params Avoid returning CSRF POST token for a GET --- app/views/entry/bookmark.phtml | 19 +++++++++---------- app/views/entry/read.phtml | 19 +++++++++---------- 2 files changed, 18 insertions(+), 20 deletions(-) (limited to 'app/views/entry') diff --git a/app/views/entry/bookmark.phtml b/app/views/entry/bookmark.phtml index 6b5a4ed03..d85706669 100755 --- a/app/views/entry/bookmark.phtml +++ b/app/views/entry/bookmark.phtml @@ -1,17 +1,16 @@ Minz_Request::controllerName(), 'a' => Minz_Request::actionName(), - 'params' => Minz_Request::params(), -)); + 'params' => Minz_Request::fetchGET(), +); + +$url['params']['is_favorite'] = Minz_Request::param('is_favorite', true) ? '0' : '1'; FreshRSS::loadStylesAndScripts(); -echo json_encode(array('url' => str_ireplace('&', '&', $url), 'icon' => _i(Minz_Request::param('is_favorite') ? 'non-starred' : 'starred'))); +echo json_encode(array( + 'url' => str_ireplace('&', '&', Minz_Url::display($url)), + 'icon' => _i($url['params']['is_favorite'] === '1' ? 'non-starred' : 'starred') + )); diff --git a/app/views/entry/read.phtml b/app/views/entry/read.phtml index 7d0e3de82..73977d94b 100755 --- a/app/views/entry/read.phtml +++ b/app/views/entry/read.phtml @@ -1,17 +1,16 @@ Minz_Request::controllerName(), 'a' => Minz_Request::actionName(), - 'params' => Minz_Request::params(), -)); + 'params' => Minz_Request::fetchGET(), +); + +$url['params']['is_read'] = Minz_Request::param('is_read', true) ? '0' : '1'; FreshRSS::loadStylesAndScripts(); -echo json_encode(array('url' => str_ireplace('&', '&', $url), 'icon' => _i(Minz_Request::param('is_read') ? 'unread' : 'read'))); +echo json_encode(array( + 'url' => str_ireplace('&', '&', Minz_Url::display($url)), + 'icon' => _i($url['params']['is_read'] === '1' ? 'unread' : 'read') + )); -- cgit v1.2.3