Fix CSRF issues

GET routes are not protected against CSRF. This commit changes the needed URLs to
POST and replace simple links with forms.

Thanks @fdb-hiroshima for noticing it!
This commit is contained in:
Bat
2018-09-19 18:13:07 +01:00
parent eb24ba1774
commit d8ca1d70b7
12 changed files with 76 additions and 32 deletions
+6 -2
View File
@@ -24,8 +24,12 @@
<code>{{ media.md }}</code>
</div>
<div>
<a href="/medias/{{ media.id }}/avatar" class="button inline-block">{{ "Use as avatar" | _ }}</a>
<a href="/medias/{{ media.id }}/delete" class="button inline-block">{{ "Delete" | _ }}</a>
<form class="inline" method="post" action="/medias/{{ media.id }}/avatar">
<input class="button" type="submit" value="{{ 'Use as avatar' | _ }}">
</form>
<form class="inline" method="post" action="/medias/{{ media.id }}/delete">
<input class="button" type="submit" value="{{ 'Delete' | _ }}">
</form>
</div>
</section>
{% endblock content %}