author | Vitaly Takmazov | 2022-12-18 01:42:18 +0300 |
---|---|---|
committer | Vitaly Takmazov | 2022-12-18 01:42:18 +0300 |
commit | c5abe180a8351279fddfb6a27050244272a9727d (patch) | |
tree | 9a1288e4f802d2cf8eca5174f1fa97adbeb93418 /src | |
parent | 13d176318534d64c0f9c6a4875f4d19270b28ca6 (diff) |
Add missing CSRF tokens
Diffstat (limited to 'src')
5 files changed, 14 insertions, 0 deletions
diff --git a/src/main/resources/templates/views/pm_inbox.html b/src/main/resources/templates/views/pm_inbox.html
index f89b2923..10cd0a30 100644
--- a/src/main/resources/templates/views/pm_inbox.html
+++ b/src/main/resources/templates/views/pm_inbox.html
@@ -17,6 +17,7 @@
 <div class="msg-txt">{{ msg | formatMessage }}</div>
 <form class="pmmsg">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <input type="hidden" name="uname" value="{{ msg.user.name }}"/>
 <div class="msg-comment">
 <div class="ta-wrapper">
diff --git a/src/main/resources/templates/views/pm_sent.html b/src/main/resources/templates/views/pm_sent.html
index f0af71d3..2f95dad1 100644
--- a/src/main/resources/templates/views/pm_sent.html
+++ b/src/main/resources/templates/views/pm_sent.html
@@ -1,6 +1,7 @@
 {% extends "layouts/default" %}
 {% block content %}
 <form class="pmmsg">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <div class="newpm">
 <div class="newpm-to">To: <input type="text" name="uname" placeholder="username" value="{{ uname }}"/></div>
 <div class="newpm-body"><textarea name="body" rows="2"></textarea></div>
diff --git a/src/main/resources/templates/views/settings_about.html b/src/main/resources/templates/views/settings_about.html
index 5e308671..94cd9058 100644
--- a/src/main/resources/templates/views/settings_about.html
+++ b/src/main/resources/templates/views/settings_about.html
@@ -2,6 +2,7 @@
 {% block content %}
 <article>
 <form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <p>Full name: <input type="text" name="fullname" value="{{ userinfo.fullName }}"/></p>
 <p>Country: <input type="text" name="country" value="{{ userinfo.country }}"/></p>
 <p>URL: <input type="text" name="url" value="{{ userinfo.url }}" size="32"/><br/>
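Review bot: The `<form class="pmmsg">` that receives the new hidden token in the pm_inbox hunk has neither `method` nor `action`, so a plain submit is a GET and the token travels in the query string, where it lands in server logs, browser history and Referer headers; `_csrf.parameterName` points to Spring Security, whose CsrfFilter does not validate GET requests at all, so in that case the added field protects nothing. If a script bound to the `pmmsg` class intercepts the submit and POSTs, that script has to read this field (or send the token in a header) for the change to take effect, and it is not part of this diff, so confirm it. The declarative fix is `<form class="pmmsg" method="post" action="…">` with the real endpoint. The form's closing tag and any script that drives it are outside the hunk.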
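Review bot: In the pm_sent hunk the `<form class="pmmsg">` likewise has no `method` or `action`, so unless a script takes over the submission the `uname` field, the `body` textarea and the newly added token are all sent as a GET query string, and a GET is exactly the case the server-side CSRF check (Spring Security's, judging by `_csrf.parameterName`) skips. Prefer `<form class="pmmsg" method="post" action="…">` naming the endpoint; if a script does the POST, verify it forwards this hidden field or sets the token header. The `</form>` and the rest of the template lie beyond the hunk.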
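Review bot: The settings_about form is `enctype="multipart/form-data"`, and the `_csrf.parameterName` / `_csrf.token` names indicate Spring Security, whose CsrfFilter fetches the token with `request.getParameter()` before any multipart body has been parsed; unless the `MultipartFilter` is registered ahead of the security filter chain (or the token is additionally sent as a header), the hidden field added here is invisible to the filter and every save of these settings will be rejected with 403. The same caveat applies to every `multipart/form-data` form touched in this commit. The filter ordering lives in the security configuration, which is not in this diff, so please check it there; the documented alternative of appending the token to the `action` URL should be avoided because it exposes the secret in logs and Referer headers. The form continues past the end of the hunk.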
diff --git a/src/main/resources/templates/views/settings_main.html b/src/main/resources/templates/views/settings_main.html
index 678d4c6f..a0315244 100644
--- a/src/main/resources/templates/views/settings_main.html
+++ b/src/main/resources/templates/views/settings_main.html
@@ -6,6 +6,7 @@
 <h2 style="color: red; padding: 20px;">Verify your account by adding email or social account</h2>
 {% endif %}
 <form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <fieldset>
 <legend>Notification options</legend>
 <p><input type="checkbox" name="jnotify" value="1" {% if notify_options.repliesEnabled %}
@@ -22,6 +23,7 @@
 Telegram</legend>
 {% if telegram_name is not empty %}
 <form action="/settings" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <div>Telegram: <b>{{ telegram_name }}</b> —
 <input type="hidden" name="page" value="telegram-del"/>
 <input type="submit" value=" Disable " {% if not beans.userServiceImpl.canDeleteTelegramUser(visitor) %}disabled="disabled"{% endif %} class="Button" />
@@ -34,6 +36,7 @@
 </fieldset>
 {% if jids | length > 0 %}
 <form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <fieldset>
 <legend style="background: url(//static.juick.com/settings/xmpp.png) no-repeat; padding-left: 58px; line-height: 48px;">
 XMPP accounts
@@ -63,6 +66,7 @@
 E-mail
 </legend>
 <form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <p>Add account:<br/>
 <input type="text" name="account"/>
 <input type="hidden" name="page" value="email-add"/>
@@ -70,6 +74,7 @@
 </p>
 </form>
 <form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <p>Your accounts:</p>
 <p>
 {% for email in emails %}
@@ -87,6 +92,7 @@
 {% if emails is not empty %}
 <!--email_off-->
 <form action="/settings" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <p>You can receive notifications to email:<br/>
 Sent to <select name="account">
 <option value="">Disabled</option>
@@ -112,6 +118,7 @@
 {% if fbstatus.connected %}
 {% if fbstatus.crosspostEnabled %}
 <form action="/settings" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <div>
 Facebook: <b>Enabled</b> —
 <input type="hidden" name="page" value="facebook-disable"/>
@@ -120,6 +127,7 @@
 </form>
 {% else %}
 <form action="/settings" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <div>
 Facebook: <b>Disabled</b> —
 <input type="hidden" name="page" value="facebook-enable"/>
@@ -136,6 +144,7 @@
 Twitter</legend>
 {% if twitter_name is not empty %}
 <form action="/settings" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <div>Twitter: <b>{{ twitter_name }}</b> —
 <input type="hidden" name="page" value="twitter-del"/>
 <input type="submit" class="Button" value=" Disable "/>
diff --git a/src/main/resources/templates/views/signup.html b/src/main/resources/templates/views/signup.html
index d3742734..ad5f8dfb 100644
--- a/src/main/resources/templates/views/signup.html
+++ b/src/main/resources/templates/views/signup.html
@@ -14,6 +14,7 @@
 <h2 class="signup-h2">Связать с существующим аккаунтом Juick</h2>
 <form action="/signup" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <input type="hidden" name="action" value="link"/>
 <input type="hidden" name="type" value="{{ type }}"/>
 <input type="hidden" name="hash" value="{{ hash }}"/>
@@ -31,6 +32,7 @@
 <h2 class="signup-h2">Создать новый аккаунт Juick</h2>
 <form action="/signup" method="post">
+ <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" />
 <input type="hidden" name="action" value="new"/>
 <input type="hidden" name="type" value="{{ type }}"/>
 <input type="hidden" name="hash" value="{{ hash }}"/> |
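Review bot: Both `/signup` forms are rendered to visitors who are not yet logged in, so the token added here is only usable if the CSRF token repository hands tokens to anonymous requests; with Spring Security's default session-backed repository (the `_csrf` names suggest Spring Security) that means a server session is created for every visitor who loads this page, whereas a cookie-backed repository needs nothing further. Which repository is configured is not visible in this diff, so confirm it and, if it is session-backed, that creating sessions on an unauthenticated page is acceptable; if `_csrf` can be absent for anonymous requests, the rendered field would degrade to `name="" value=""` and the POST would be rejected, which is worth a test. Each form's remaining inputs and submit button lie beyond the hunk.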