author | Tobias Hößl <tobias@hoessl.eu> | 2012-03-12 20:17:37 +0000 |
---|---|---|
committer | Tobias Hößl <tobias@hoessl.eu> | 2012-03-12 20:17:37 +0000 |
commit | 59766b944c9ea3a45b1d7e8593f7bb5d4a0b8445 (patch) | |
tree | fea25d24a1559d6ce6681a6325b9e392ccace7a2 /view | |
parent | 9574f7df03407013fed4feb3922e19b7a94e34be (diff) | |
Some security against XSRF-attacks
Diffstat (limited to 'view')
-rwxr-xr-x | view/cropbody.tpl | 1 | ||||
-rwxr-xr-x | view/profile_edit.tpl | 5 | ||||
-rwxr-xr-x | view/profile_listing_header.tpl | 2 | ||||
-rwxr-xr-x | view/profile_photo.tpl | 1 | ||||
-rwxr-xr-x | view/settings.tpl | 2 | ||||
-rwxr-xr-x | view/settings_addons.tpl | 1 | ||||
-rwxr-xr-x | view/settings_connectors.tpl | 1 | ||||
-rwxr-xr-x | view/settings_oauth.tpl | 5 | ||||
-rwxr-xr-x | view/settings_oauth_edit.tpl | 2 |
9 files changed, 14 insertions, 6 deletions
diff --git a/view/cropbody.tpl b/view/cropbody.tpl
index c9c0f84de..b484d15bf 100755
--- a/view/cropbody.tpl
+++ b/view/cropbody.tpl
@@ -40,6 +40,7 @@ $desc
 </script>
 <form action="profile_photo/$resource" id="crop-image-form" method="post" />
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 <input type="hidden" name="cropfinal" value="1" />
 <input type="hidden" name="xstart" id="x1" />
diff --git a/view/profile_edit.tpl b/view/profile_edit.tpl
index 8dab72649..e5c7162d0 100755
--- a/view/profile_edit.tpl
+++ b/view/profile_edit.tpl
@@ -5,9 +5,9 @@ $default
 <div id="profile-edit-links">
 <ul>
 <li><a href="profile/$profile_id/view?tab=profile" id="profile-edit-view-link" title="$viewprof">$viewprof</a></li>
-<li><a href="profiles/clone/$profile_id" id="profile-edit-clone-link" title="$cr_prof">$cl_prof</a></li>
+<li><a href="$profile_clone_link" id="profile-edit-clone-link" title="$cr_prof">$cl_prof</a></li>
 <li></li>
-<li><a href="profiles/drop/$profile_id" id="profile-edit-drop-link" title="$del_prof" $disabled >$del_prof</a></li>
+<li><a href="$profile_drop_link" id="profile-edit-drop-link" title="$del_prof" $disabled >$del_prof</a></li>
 </ul>
 </div>
@@ -17,6 +17,7 @@ $default
 <div id="profile-edit-wrapper" >
 <form id="profile-edit-form" name="form1" action="profiles/$profile_id" method="post" >
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 <div id="profile-edit-profile-name-wrapper" >
 <label id="profile-edit-profile-name-label" for="profile-edit-profile-name" >$lbl_profname </label>
diff --git a/view/profile_listing_header.tpl b/view/profile_listing_header.tpl
index 09e4fc9b2..61a273792 100755
--- a/view/profile_listing_header.tpl
+++ b/view/profile_listing_header.tpl
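Review bot: The new hidden input in cropbody.tpl is written with single-quoted attributes and no closing slash, while every neighbouring `<input>` in the same form uses double quotes and XHTML-style `/>`; for consistency it should read `<input type="hidden" name="form_security_token" value="$form_security_token" />`. The token value is interpolated into the attribute without escaping, which is only safe if the server generates it from a restricted alphabet (hex/base64) — worth a comment in the template, e.g. `<!-- CSRF token; generated server-side, must be validated by the profile_photo handler before any state change -->`, since this diff (limited to view/) does not show the check itself. The pre-existing `<form ... />` self-closing tag on the line above is invalid HTML and happens to work only because browsers ignore the stray slash.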
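Review bot: The clone and drop actions in profile_edit.tpl remain plain GET links, now pointing at `$profile_clone_link` / `$profile_drop_link`; if those variables carry the token as a query parameter (as `?t=$form_security_token` does in settings_oauth.tpl in this same commit), the token is exposed in browser history, Referer headers sent to any external resource on the page, and server/proxy logs. A GET that deletes a profile is also still reachable by link prefetchers. The safer shape is a small POST form per action, e.g. `<form action="profiles/drop/$profile_id" method="post" style="display:inline"><input type="hidden" name="form_security_token" value="$form_security_token" /><button type="submit" id="profile-edit-drop-link" title="$del_prof" $disabled>$del_prof</button></form>`, with the handler refusing GET. Whether the generated links do embed the token cannot be confirmed from this hunk.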
@@ -3,6 +3,6 @@
 <a href="profile_photo" >$chg_photo</a>
 </p>
 <div id="profile-listing-new-link-wrapper" class="button" >
-<a href="profiles/new" id="profile-listing-new-link" title="$cr_new" >$cr_new</a>
+<a href="$cr_new_link" id="profile-listing-new-link" title="$cr_new" >$cr_new</a>
 </div>
diff --git a/view/profile_photo.tpl b/view/profile_photo.tpl
index f258b5b86..0b3a1cac1 100755
--- a/view/profile_photo.tpl
+++ b/view/profile_photo.tpl
@@ -1,6 +1,7 @@
 <h1>$title</h1>
 <form enctype="multipart/form-data" action="profile_photo" method="post">
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 <div id="profile-photo-upload-wrapper">
 <label id="profile-photo-upload-label" for="profile-photo-upload">$lbl_upfile </label>
diff --git a/view/settings.tpl b/view/settings.tpl
index 46c737b23..25479b5bf 100755
--- a/view/settings.tpl
+++ b/view/settings.tpl
@@ -5,7 +5,7 @@ $tabs
 $nickname_block
 <form action="settings" id="settings-form" method="post" autocomplete="off" >
-
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 <h3 class="settings-heading">$h_pass</h3>
diff --git a/view/settings_addons.tpl b/view/settings_addons.tpl
index 2cbfd17e9..28fca5362 100755
--- a/view/settings_addons.tpl
+++ b/view/settings_addons.tpl
@@ -4,6 +4,7 @@ $tabs
 <form action="settings/addon" method="post" autocomplete="off">
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 $settings_addons
diff --git a/view/settings_connectors.tpl b/view/settings_connectors.tpl
index 9493c8bf7..43c0346bb 100755
--- a/view/settings_connectors.tpl
+++ b/view/settings_connectors.tpl
@@ -6,6 +6,7 @@ $tabs
 <div class="connector_statusmsg">$ostat_enabled</div>
 <form action="settings/connectors" method="post" autocomplete="off">
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 $settings_connectors
diff --git a/view/settings_oauth.tpl b/view/settings_oauth.tpl
index 0de0dbe98..da1398ab9 100755
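Review bot: "Create new profile" in profile_listing_header.tpl is a state-changing action that stays a GET link; replacing the literal `profiles/new` with `$cr_new_link` only moves the URL construction into the controller and, if that URL carries the CSRF token as a query parameter, puts the token into history, logs and outgoing Referer headers. A link prefetcher or crawler following it would also create profiles. Prefer `<form action="profiles/new" method="post"><input type="hidden" name="form_security_token" value="$form_security_token" /><button type="submit" id="profile-listing-new-link" title="$cr_new">$cr_new</button></form>` and have the handler require POST. What `$cr_new_link` actually contains is not visible in this diff.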
--- a/view/settings_oauth.tpl
+++ b/view/settings_oauth.tpl
@@ -4,7 +4,8 @@ $tabs
 <form action="settings/oauth" method="post" autocomplete="off">
-
+<input type='hidden' name='form_security_token' value='$form_security_token'>
+
 <div id="profile-edit-links">
 <ul>
 <li>
@@ -24,7 +25,7 @@ $tabs
 {{ endif }}
 {{ if $app.my }}
 <a href="$baseurl/settings/oauth/edit/$app.client_id" class="icon s22 edit" title="$edit"> </a>
- <a href="$baseurl/settings/oauth/delete/$app.client_id" class="icon s22 delete" title="$delete"> </a>
+ <a href="$baseurl/settings/oauth/delete/$app.client_id?t=$form_security_token" class="icon s22 delete" title="$delete"> </a>
 {{ endif }}
 </div>
 {{ endfor }}
diff --git a/view/settings_oauth_edit.tpl b/view/settings_oauth_edit.tpl
index 98b7457aa..d29341386 100755
--- a/view/settings_oauth_edit.tpl
+++ b/view/settings_oauth_edit.tpl
@@ -3,6 +3,8 @@ $tabs
 <h1>$title</h1>
 <form method="POST">
+<input type='hidden' name='form_security_token' value='$form_security_token'>
+
 {{ inc field_input.tpl with $field=$name }}{{ endinc }}
 {{ inc field_input.tpl with $field=$key }}{{ endinc }}
 {{ inc field_input.tpl with $field=$secret }}{{ endinc }} |
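Review bot: The OAuth-app delete link in settings_oauth.tpl now appends `?t=$form_security_token` to a GET URL, so the token is written into browser history, server and proxy logs, and leaks through the Referer header to any external image or script loaded from the resulting page; a GET that deletes is also still triggerable by prefetchers. Neither `$form_security_token` nor the pre-existing `$app.client_id` is URL-encoded here, which is only safe if both are guaranteed to be URL-safe strings — worth confirming against the generator. The more robust shape is a per-row POST form, e.g. `<form action="$baseurl/settings/oauth/delete/$app.client_id" method="post" style="display:inline"><input type="hidden" name="form_security_token" value="$form_security_token" /><button type="submit" class="icon s22 delete" title="$delete"></button></form>`, with the handler rejecting GET. If the GET form is kept, the handler should at least send a `Referrer-Policy` / `rel="noreferrer"` on the page and compare the token from the query string only.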