authorGravatar Vitaly Takmazov2022-12-18 01:42:18 +0300
committerGravatar Vitaly Takmazov2022-12-18 01:42:18 +0300
commitc5abe180a8351279fddfb6a27050244272a9727d (patch)
tree9a1288e4f802d2cf8eca5174f1fa97adbeb93418
parent13d176318534d64c0f9c6a4875f4d19270b28ca6 (diff)
Add missing CSRF tokens
-rw-r--r--src/main/resources/templates/views/pm_inbox.html1
-rw-r--r--src/main/resources/templates/views/pm_sent.html1
-rw-r--r--src/main/resources/templates/views/settings_about.html1
-rw-r--r--src/main/resources/templates/views/settings_main.html9
-rw-r--r--src/main/resources/templates/views/signup.html2
5 files changed, 14 insertions, 0 deletions
diff --git a/src/main/resources/templates/views/pm_inbox.html b/src/main/resources/templates/views/pm_inbox.html
index f89b2923..10cd0a30 100644
--- a/src/main/resources/templates/views/pm_inbox.html
+++ b/src/main/resources/templates/views/pm_inbox.html
@@ -17,6 +17,7 @@
<div class="msg-txt">{{ msg | formatMessage }}</div>
<form class="pmmsg">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<input type="hidden" name="uname" value="{{ msg.user.name }}"/>
<div class="msg-comment">
<div class="ta-wrapper">
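Review bot: The `<form class="pmmsg">` on the line above the new hidden input declares neither `method` nor `action`, so a native submit sends a GET and the CSRF token ends up in the query string (and so in access logs and Referer headers) rather than in the request body; the identical form in the pm_sent.html hunk has the same gap. If a script intercepts this form (the class name suggests it may, but no script is on this page), it must read the hidden field and send it with the request, otherwise the token contributes nothing to a GET-submitted form. Adding the method to the form line, `<form class="pmmsg" method="post">`, keeps the token out of the URL in either case. The form element closes outside the hunk.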
diff --git a/src/main/resources/templates/views/pm_sent.html b/src/main/resources/templates/views/pm_sent.html
index f0af71d3..2f95dad1 100644
--- a/src/main/resources/templates/views/pm_sent.html
+++ b/src/main/resources/templates/views/pm_sent.html
@@ -1,6 +1,7 @@
{% extends "layouts/default" %}
{% block content %}
<form class="pmmsg">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<div class="newpm">
<div class="newpm-to">To: <input type="text" name="uname" placeholder="username" value="{{ uname }}"/></div>
<div class="newpm-body"><textarea name="body" rows="2"></textarea></div>
diff --git a/src/main/resources/templates/views/settings_about.html b/src/main/resources/templates/views/settings_about.html
index 5e308671..94cd9058 100644
--- a/src/main/resources/templates/views/settings_about.html
+++ b/src/main/resources/templates/views/settings_about.html
@@ -2,6 +2,7 @@
{% block content %}
<article>
<form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<p>Full name: <input type="text" name="fullname" value="{{ userinfo.fullName }}"/></p>
<p>Country: <input type="text" name="country" value="{{ userinfo.country }}"/></p>
<p>URL: <input type="text" name="url" value="{{ userinfo.url }}" size="32"/><br/>
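Review bot: The new token field is placed inside a form declared `enctype="multipart/form-data"` (the line above the insertion), and if `_csrf.parameterName`/`_csrf.token` are Spring Security's CsrfToken attributes, the CSRF filter runs before multipart parsing and cannot see a parameter that exists only in the multipart body, so the request would still be rejected as lacking a token. That works only when the multipart resolver or MultipartFilter is ordered ahead of the security filter chain, which is configuration not shown on this page and worth confirming with a POST from this page after the change. The same applies to the multipart forms in the settings_main.html hunks. The form closes outside the hunk.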
diff --git a/src/main/resources/templates/views/settings_main.html b/src/main/resources/templates/views/settings_main.html
index 678d4c6f..a0315244 100644
--- a/src/main/resources/templates/views/settings_main.html
+++ b/src/main/resources/templates/views/settings_main.html
@@ -6,6 +6,7 @@
<h2 style="color: red; padding: 20px;">Verify your account by adding email or social account</h2>
{% endif %}
<form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<fieldset>
<legend>Notification options</legend>
<p><input type="checkbox" name="jnotify" value="1" {% if notify_options.repliesEnabled %}
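Review bot: The same hidden-input line is pasted verbatim into nine forms in this file (this hunk and the eight that follow) and into pm_inbox.html, pm_sent.html, settings_about.html and signup.html, so the next form added to any of these templates is likely to miss it again. The templates already use `{% extends %}`/`{% block %}`, and the engine's include tag would let one shared fragment (for example `{% include "<csrf-fragment-path>" %}`, path to be chosen) carry the field and the attribute names in a single place. A fragment also gives one spot to document that the field must appear inside every state-changing form rather than only the ones fixed here.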
@@ -22,6 +23,7 @@
Telegram</legend>
{% if telegram_name is not empty %}
<form action="/settings" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<div>Telegram: <b>{{ telegram_name }}</b> &mdash;
<input type="hidden" name="page" value="telegram-del"/>
<input type="submit" value=" Disable " {% if not beans.userServiceImpl.canDeleteTelegramUser(visitor) %}disabled="disabled"{% endif %} class="Button" />
@@ -34,6 +36,7 @@
</fieldset>
{% if jids | length > 0 %}
<form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<fieldset>
<legend style="background: url(//static.juick.com/settings/xmpp.png) no-repeat; padding-left: 58px; line-height: 48px;">
XMPP accounts
@@ -63,6 +66,7 @@
E-mail
</legend>
<form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<p>Add account:<br/>
<input type="text" name="account"/>
<input type="hidden" name="page" value="email-add"/>
@@ -70,6 +74,7 @@
</p>
</form>
<form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<p>Your accounts:</p>
<p>
{% for email in emails %}
@@ -87,6 +92,7 @@
{% if emails is not empty %}
<!--email_off-->
<form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<p>You can receive notifications to email:<br/>
Sent to <select name="account">
<option value="">Disabled</option>
@@ -112,6 +118,7 @@
{% if fbstatus.connected %}
{% if fbstatus.crosspostEnabled %}
<form action="/settings" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<div>
Facebook: <b>Enabled</b> &mdash;
<input type="hidden" name="page" value="facebook-disable"/>
@@ -120,6 +127,7 @@
</form>
{% else %}
<form action="/settings" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<div>
Facebook: <b>Disabled</b> &mdash;
<input type="hidden" name="page" value="facebook-enable"/>
@@ -136,6 +144,7 @@
Twitter</legend>
{% if twitter_name is not empty %}
<form action="/settings" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<div>Twitter: <b>{{ twitter_name }}</b> &mdash;
<input type="hidden" name="page" value="twitter-del"/>
<input type="submit" class="Button" value=" Disable "/>
diff --git a/src/main/resources/templates/views/signup.html b/src/main/resources/templates/views/signup.html
index d3742734..ad5f8dfb 100644
--- a/src/main/resources/templates/views/signup.html
+++ b/src/main/resources/templates/views/signup.html
@@ -14,6 +14,7 @@
<h2 class="signup-h2">Связать с существующим аккаунтом Juick</h2>
<form action="/signup" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<input type="hidden" name="action" value="link"/>
<input type="hidden" name="type" value="{{ type }}"/>
<input type="hidden" name="hash" value="{{ hash }}"/>
@@ -31,6 +32,7 @@
<h2 class="signup-h2">Создать новый аккаунт Juick</h2>
<form action="/signup" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
<input type="hidden" name="action" value="new"/>
<input type="hidden" name="type" value="{{ type }}"/>
<input type="hidden" name="hash" value="{{ hash }}"/>