Fix CSRF issues
GET routes are not protected against CSRF. This commit changes the needed URLs to POST and replace simple links with forms. Thanks @fdb-hiroshima for noticing it!
This commit is contained in:
@@ -18,13 +18,13 @@
|
||||
<small>{{ instance.public_domain }}</small>
|
||||
</p>
|
||||
{% if not instance.local %}
|
||||
<a href="/admin/instances/{{ instance.id }}/block">
|
||||
<form class="inline" method="post" action="/admin/instances/{{ instance.id }}/block">
|
||||
{% if instance.blocked %}
|
||||
{{ "Unblock" | _ }}
|
||||
<input type="submit" value="{{ 'Unblock' | _ }}">
|
||||
{% else %}
|
||||
{{ "Block" | _ }}
|
||||
<input type="submit" value="{{ 'Block' | _ }}">
|
||||
{% endif %}
|
||||
</a>
|
||||
</form>
|
||||
{% endif %}
|
||||
</div>
|
||||
{% endfor %}
|
||||
|
||||
@@ -19,9 +19,9 @@
|
||||
<small>@{{ user.username }}</small>
|
||||
</p>
|
||||
{% if not user.is_admin %}
|
||||
<a href="/admin/users/{{ user.id }}/ban">
|
||||
{{ "Ban" | _ }}
|
||||
</a>
|
||||
<form class="inline" method="post" href="/admin/users/{{ user.id }}/ban">
|
||||
<input type="submit" value="{{ 'Ban' | _ }}">
|
||||
</form>
|
||||
{% endif %}
|
||||
</div>
|
||||
{% endfor %}
|
||||
|
||||
@@ -24,8 +24,12 @@
|
||||
<code>{{ media.md }}</code>
|
||||
</div>
|
||||
<div>
|
||||
<a href="/medias/{{ media.id }}/avatar" class="button inline-block">{{ "Use as avatar" | _ }}</a>
|
||||
<a href="/medias/{{ media.id }}/delete" class="button inline-block">{{ "Delete" | _ }}</a>
|
||||
<form class="inline" method="post" action="/medias/{{ media.id }}/avatar">
|
||||
<input class="button" type="submit" value="{{ 'Use as avatar' | _ }}">
|
||||
</form>
|
||||
<form class="inline" method="post" action="/medias/{{ media.id }}/delete">
|
||||
<input class="button" type="submit" value="{{ 'Delete' | _ }}">
|
||||
</form>
|
||||
</div>
|
||||
</section>
|
||||
{% endblock content %}
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
{% block content %}
|
||||
<h1 class="article">{{ article.post.title }}</h1>
|
||||
<h2 class="article">{{ article.post.subtitle }}</h2>
|
||||
<p class="article-info">
|
||||
<div class="article-info">
|
||||
<span class="author">{{ "Written by {{ link_1 }}{{ url }}{{ link_2 }}{{ name | escape }}{{ link_3 }}" | _(
|
||||
link_1='<a href="/@/',
|
||||
url=author.fqn,
|
||||
@@ -20,19 +20,21 @@
|
||||
name=author.name,
|
||||
link_3="</a>"
|
||||
)
|
||||
}}</a></span>
|
||||
}}</span>
|
||||
—
|
||||
<span class="date">{{ date | date(format="%B %e, %Y") }}</span>
|
||||
{% if is_author %}
|
||||
—
|
||||
<a href="{{ article.url}}edit">{{ "Edit" | _ }}</a>
|
||||
—
|
||||
<a href="{{ article.url}}delete" onclick="return confirm('Are you sure you?')">{{ "Delete this article" | _ }}</a>
|
||||
<form class="inline" method="post" action="{{ article.url}}delete">
|
||||
<input onclick="return confirm('Are you sure you?')" type="submit" value="{{ 'Delete this article' | _ }}">
|
||||
</form>
|
||||
{% endif %}
|
||||
{% if not article.post.published %}
|
||||
<span class="badge">{{ "Draft" }}</span>
|
||||
{% endif %}
|
||||
</p>
|
||||
</div>
|
||||
<article>
|
||||
{{ article.post.content | safe }}
|
||||
</article>
|
||||
|
||||
@@ -25,7 +25,9 @@
|
||||
<h2>{{ "Danger zone" | _ }}</h2>
|
||||
<p>{{ "Be very careful, any action taken here can't be cancelled." | _ }}
|
||||
{% if not account.is_admin %}
|
||||
<p><a class="inline-block button destructive" href="/@/{{ account.fqn }}/delete">{{ "Delete your account" | _ }}</a></p>
|
||||
<form method="post" action="/@/{{ account.fqn }}/delete">
|
||||
<input type="submit" class="inline-block button destructive" value="{{ 'Delete your account' | _ }}">
|
||||
</form>
|
||||
{% else %}
|
||||
<p>{{ "Sorry, but as an admin, you can't leave your instance." | _ }}</p>
|
||||
{% endif %}
|
||||
|
||||
@@ -23,16 +23,18 @@
|
||||
</div>
|
||||
|
||||
{% if is_remote %}
|
||||
<a class="inline-block button" href="{{ user.ap_url }}" target="_blank">{{ "Open on {{ instance_url }}" | _(instance_url=instance_url) }}</a>
|
||||
<a class="inline-block" href="{{ user.ap_url }}" target="_blank">{{ "Open on {{ instance_url }}" | _(instance_url=instance_url) }}</a>
|
||||
{% endif %}
|
||||
|
||||
{% set not_self = not is_self %}
|
||||
{% if not_self and (account is defined) %}
|
||||
<form class="inline" method="post" action="/@/{{ user.fqn }}/follow/">
|
||||
{% if follows %}
|
||||
<a href="/@/{{ user.fqn }}/follow/" class="inline-block button">{{ "Unfollow" | _ }}</a>
|
||||
<input type="submit" value="{{ 'Unfollow' | _ }}">
|
||||
{% else %}
|
||||
<a href="/@/{{ user.fqn }}/follow/" class="inline-block button">{{ "Follow" | _ }}</a>
|
||||
<input type="submit" value="{{ 'Follow' | _ }}">
|
||||
{% endif %}
|
||||
</form>
|
||||
{% endif %}
|
||||
</div>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user