Fix CSRF issues

GET routes are not protected against CSRF. This commit changes the needed URLs to
POST and replace simple links with forms.

Thanks @fdb-hiroshima for noticing it!
This commit is contained in:
Bat
2018-09-19 18:13:07 +01:00
parent eb24ba1774
commit d8ca1d70b7
12 changed files with 76 additions and 32 deletions
+3 -1
View File
@@ -25,7 +25,9 @@
<h2>{{ "Danger zone" | _ }}</h2>
<p>{{ "Be very careful, any action taken here can't be cancelled." | _ }}
{% if not account.is_admin %}
<p><a class="inline-block button destructive" href="/@/{{ account.fqn }}/delete">{{ "Delete your account" | _ }}</a></p>
<form method="post" action="/@/{{ account.fqn }}/delete">
<input type="submit" class="inline-block button destructive" value="{{ 'Delete your account' | _ }}">
</form>
{% else %}
<p>{{ "Sorry, but as an admin, you can't leave your instance." | _ }}</p>
{% endif %}
+5 -3
View File
@@ -23,16 +23,18 @@
</div>
{% if is_remote %}
<a class="inline-block button" href="{{ user.ap_url }}" target="_blank">{{ "Open on {{ instance_url }}" | _(instance_url=instance_url) }}</a>
<a class="inline-block" href="{{ user.ap_url }}" target="_blank">{{ "Open on {{ instance_url }}" | _(instance_url=instance_url) }}</a>
{% endif %}
{% set not_self = not is_self %}
{% if not_self and (account is defined) %}
<form class="inline" method="post" action="/@/{{ user.fqn }}/follow/">
{% if follows %}
<a href="/@/{{ user.fqn }}/follow/" class="inline-block button">{{ "Unfollow" | _ }}</a>
<input type="submit" value="{{ 'Unfollow' | _ }}">
{% else %}
<a href="/@/{{ user.fqn }}/follow/" class="inline-block button">{{ "Follow" | _ }}</a>
<input type="submit" value="{{ 'Follow' | _ }}">
{% endif %}
</form>
{% endif %}
</div>