Fix CSRF issues
GET routes are not protected against CSRF. This commit changes the needed URLs to POST and replace simple links with forms. Thanks @fdb-hiroshima for noticing it!
This commit is contained in:
@@ -25,7 +25,9 @@
|
||||
<h2>{{ "Danger zone" | _ }}</h2>
|
||||
<p>{{ "Be very careful, any action taken here can't be cancelled." | _ }}
|
||||
{% if not account.is_admin %}
|
||||
<p><a class="inline-block button destructive" href="/@/{{ account.fqn }}/delete">{{ "Delete your account" | _ }}</a></p>
|
||||
<form method="post" action="/@/{{ account.fqn }}/delete">
|
||||
<input type="submit" class="inline-block button destructive" value="{{ 'Delete your account' | _ }}">
|
||||
</form>
|
||||
{% else %}
|
||||
<p>{{ "Sorry, but as an admin, you can't leave your instance." | _ }}</p>
|
||||
{% endif %}
|
||||
|
||||
@@ -23,16 +23,18 @@
|
||||
</div>
|
||||
|
||||
{% if is_remote %}
|
||||
<a class="inline-block button" href="{{ user.ap_url }}" target="_blank">{{ "Open on {{ instance_url }}" | _(instance_url=instance_url) }}</a>
|
||||
<a class="inline-block" href="{{ user.ap_url }}" target="_blank">{{ "Open on {{ instance_url }}" | _(instance_url=instance_url) }}</a>
|
||||
{% endif %}
|
||||
|
||||
{% set not_self = not is_self %}
|
||||
{% if not_self and (account is defined) %}
|
||||
<form class="inline" method="post" action="/@/{{ user.fqn }}/follow/">
|
||||
{% if follows %}
|
||||
<a href="/@/{{ user.fqn }}/follow/" class="inline-block button">{{ "Unfollow" | _ }}</a>
|
||||
<input type="submit" value="{{ 'Unfollow' | _ }}">
|
||||
{% else %}
|
||||
<a href="/@/{{ user.fqn }}/follow/" class="inline-block button">{{ "Follow" | _ }}</a>
|
||||
<input type="submit" value="{{ 'Follow' | _ }}">
|
||||
{% endif %}
|
||||
</form>
|
||||
{% endif %}
|
||||
</div>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user