Fixed CSRF tokens not being added to URLs that need them.

This commit is contained in:
flash 2023-09-10 20:02:11 +00:00
parent e376671136
commit 55e23c7b5d
16 changed files with 31 additions and 31 deletions


@ -23,7 +23,7 @@ if(CSRF::validateRequest() && !empty($_GET['emote'])) {
} else {
if(isset($_GET['order'])) {
$order = filter_input(INPUT_GET, 'order');
$offset = $order === 'i' ? 1 : ($order === 'd' ? -1 : 0);
$offset = $order === 'i' ? 10 : ($order === 'd' ? -10 : 0);
$emotes->updateEmoteOrderOffset($emoteInfo, $offset);
$msz->createAuditLog('EMOTICON_ORDER', [$emoteInfo->getId()]);
}
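Review bot: An unrecognised `order` value still reaches `updateEmoteOrderOffset()` and writes an `EMOTICON_ORDER` audit entry even though the computed offset is 0, so a bad or tampered query string produces a no-op that is logged as a reorder. Guard the call on the offset, e.g. `if($offset !== 0) { $emotes->updateEmoteOrderOffset($emoteInfo, $offset); $msz->createAuditLog('EMOTICON_ORDER', [$emoteInfo->getId()]); }`, or reject anything other than `'i'`/`'d'` up front. The if/else this hunk sits in starts before the hunk, so I can't see from here whether the `CSRF::validateRequest()` in the header context is what gates this branch; worth confirming since the links in this commit now carry the token for exactly these URLs.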


@ -171,7 +171,7 @@ final class MisuzuSasaeExtension extends AbstractExtension {
$menu[] = [
'title' => 'Log out',
'url' => $urls->format('auth-logout'),
'url' => $urls->format('auth-logout', ['csrf' => CSRF::token()]),
'icon' => 'fas fa-sign-out-alt fa-fw',
];
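Review bot: Putting the CSRF token in the query string of a GET link means it will be sent in the `Referer` header to any third-party resource on the page the link lands on, and it ends up in browser history and access logs, which weakens the token for as long as it stays valid. The more robust fix for logout (and the other state-changing links in this commit) is a small POST form with the token in a hidden field; if the links must stay GET, at least make sure the site sends a `Referrer-Policy` of `same-origin` or `strict-origin-when-cross-origin` and that tokens are short-lived. I can't see the token lifetime from this hunk, so treat that as a check rather than a finding. The surrounding method continues outside the hunk.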
} else {


@ -67,7 +67,7 @@ class URLRegistry {
if(is_array($varValue))
$varValue = empty($varValue) ? '' : implode(',', $varValue);
elseif(is_int($varValue))
$varValue = $varValue < ($varName === 'page' ? 2 : 1) ? '' : (string)$varValue;
$varValue = ($varName === 'page' ? $varValue < 2 : $varValue === 0) ? '' : (string)$varValue;
else
$varValue = (string)$varValue;
} else
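Review bot: The nested ternary on the new line is hard to read because the outer condition is itself a ternary; splitting the "should this value be dropped" decision from the conversion makes the intent obvious: `$dropValue = $varName === 'page' ? $varValue < 2 : $varValue === 0;` followed by `$varValue = $dropValue ? '' : (string)$varValue;`. Note that, if I am reading old/new correctly, negative integers for non-`page` variables are now emitted where they used to be dropped (which is what lets `vote: -1` reach the URL); a one-line comment saying negatives are intentional would save the next reader from "fixing" it back. The enclosing method starts and ends outside this hunk.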


@ -109,18 +109,18 @@
<div class="comment__actions">
{% if not comment.deleted and user is not null %}
{% if perms.can_vote|default(false) %}
{% set like_vote_state = userVote > 0 ? 0 : 1 %}
{% set dislike_vote_state = userVote < 0 ? 0 : -1 %}
{% set like_vote_state = (userVote > 0 ? 0 : 1) %}
{% set dislike_vote_state = (userVote < 0 ? 0 : -1) %}
<a class="comment__action comment__action--link comment__action--vote comment__action--like{% if userVote > 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ like_vote_state }}"
href="{{ url('comment-vote', {'comment': comment.id, 'vote': like_vote_state, 'return': return_url}) }}">
href="{{ url('comment-vote', { comment: comment.id, vote: like_vote_state, return: return_url, csrf: csrf_token() }) }}">
Like
{% if likes > 0 %}
({{ likes|number_format }})
{% endif %}
</a>
<a class="comment__action comment__action--link comment__action--vote comment__action--dislike{% if userVote < 0 %} comment__action--voted{% endif %}" data-comment-id="{{ comment.id }}" data-comment-vote="{{ dislike_vote_state }}"
href="{{ url('comment-vote', {'comment': comment.id, 'vote':dislike_vote_state, 'return': return_url}) }}">
href="{{ url('comment-vote', { comment: comment.id, vote: dislike_vote_state, return: return_url, csrf: csrf_token() }) }}">
Dislike
{% if dislikes > 0 %}
({{ dislikes|number_format }})
@ -131,16 +131,16 @@
<label class="comment__action comment__action--link" for="comment-reply-toggle-{{ comment.id }}">Reply</label>
{% endif %}
{% if perms.can_delete_any|default(false) or (poster.id|default(0) == user.id and perms.can_delete|default(false)) %}
<a class="comment__action comment__action--link comment__action--hide comment__action--delete" data-comment-id="{{ comment.id }}" href="{{ url('comment-delete', {'comment': comment.id, 'return': return_url}) }}">Delete</a>
<a class="comment__action comment__action--link comment__action--hide comment__action--delete" data-comment-id="{{ comment.id }}" href="{{ url('comment-delete', { comment: comment.id, return: return_url, csrf: csrf_token() }) }}">Delete</a>
{% endif %}
{# if user is not null %}
<a class="comment__action comment__action--link comment__action--hide" href="#">Report</a>
{% endif #}
{% if not isReply and perms.can_pin|default(false) %}
<a class="comment__action comment__action--link comment__action--hide comment__action--pin" data-comment-id="{{ comment.id }}" data-comment-pinned="{{ comment.pinned ? '1' : '0' }}" href="{{ url('comment-' ~ (comment.pinned ? 'unpin' : 'pin'), {'comment': comment.id, 'return': return_url}) }}">{{ comment.pinned ? 'Unpin' : 'Pin' }}</a>
<a class="comment__action comment__action--link comment__action--hide comment__action--pin" data-comment-id="{{ comment.id }}" data-comment-pinned="{{ comment.pinned ? '1' : '0' }}" href="{{ url((comment.pinned ? 'comment-unpin' : 'comment-pin'), { comment: comment.id, return: return_url, csrf: csrf_token() }) }}">{{ comment.pinned ? 'Unpin' : 'Pin' }}</a>
{% endif %}
{% elseif perms.can_delete_any|default(false) %}
<a class="comment__action comment__action--link comment__action--restore" data-comment-id="{{ comment.id }}" href="{{ url('comment-restore', {'comment': comment.id, 'return': return_url}) }}">Restore</a>
<a class="comment__action comment__action--link comment__action--restore" data-comment-id="{{ comment.id }}" href="{{ url('comment-restore', { comment: comment.id, return: return_url, csrf: csrf_token() }) }}">Restore</a>
{% endif %}
</div>
</div>
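Review bot: Every action link here forwards `return: return_url` alongside the new `csrf` token, and the handlers presumably redirect to it after acting; if `return_url` originates from the request rather than being computed server-side, the vote/delete/pin/restore endpoints need to verify it is a same-site path before redirecting, otherwise the token-protected link doubles as an open redirect. I can't see where `return_url` is set from this template, so this is a check to confirm, not a defect I can point to. Also, the parentheses added around the two `set` expressions are harmless but unnecessary in Twig.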


@ -12,7 +12,7 @@
</a>
</div>
<div class="impersonate-options">
<a href="{{ url('auth-revert') }}" class="impersonate-options-link" title="Revert"><i class="fas fa-backward"></i></a>
<a href="{{ url('auth-revert', { csrf: csrf_token() }) }}" class="impersonate-options-link" title="Revert"><i class="fas fa-backward"></i></a>
</div>
</div>
</div>


@ -11,7 +11,7 @@
<p class="auth__logout__paragraph">We couldn't verify that you were actually the person attempting to log out.</p>
<p class="auth__logout__paragraph">Press the button below to verify the logout request, otherwise click back in your browser or close this tab.</p>
<p class="auth__logout__paragraph">This error is usually caused by pressing the logout button on a page that's been loaded for a while.</p>
<a href="{{ url('auth-logout') }}" class="input__button">Log out</a>
<a href="{{ url('auth-logout', {'csrf': csrf_token()}) }}" class="input__button">Log out</a>
</div>
</div>
{% endblock %}
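Review bot: This is the one template in the commit that keeps the quoted-key hash form, `{'csrf': csrf_token()}`, while every other hunk switches to the bare-key form `{ csrf: csrf_token() }`; for consistency write it as `url('auth-logout', { csrf: csrf_token() })`. Behaviour is identical either way.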


@ -23,32 +23,32 @@
{% set topic_actions = [
{
'html': '<i class="far fa-trash-alt fa-fw"></i> Delete',
'url': url('forum-topic-delete', {'topic': topic_info.id}),
'url': url('forum-topic-delete', { topic: topic_info.id, csrf: csrf_token() }),
'display': topic_can_delete,
},
{
'html': '<i class="fas fa-magic fa-fw"></i> Restore',
'url': url('forum-topic-restore', {'topic': topic_info.id}),
'url': url('forum-topic-restore', { topic: topic_info.id, csrf: csrf_token() }),
'display': topic_can_nuke_or_restore,
},
{
'html': '<i class="fas fa-radiation-alt fa-fw"></i> Permanently Delete',
'url': url('forum-topic-nuke', {'topic': topic_info.id}),
'url': url('forum-topic-nuke', { topic: topic_info.id, csrf: csrf_token() }),
'display': topic_can_nuke_or_restore,
},
{
'html': '<i class="fas fa-plus-circle fa-fw"></i> Bump',
'url': url('forum-topic-bump', {'topic': topic_info.id}),
'url': url('forum-topic-bump', { topic: topic_info.id, csrf: csrf_token() }),
'display': topic_can_bump,
},
{
'html': '<i class="fas fa-lock fa-fw"></i> Lock',
'url': url('forum-topic-lock', {'topic': topic_info.id}),
'url': url('forum-topic-lock', { topic: topic_info.id, csrf: csrf_token() }),
'display': topic_can_lock and not topic_info.isLocked,
},
{
'html': '<i class="fas fa-lock-open fa-fw"></i> Unlock',
'url': url('forum-topic-unlock', {'topic': topic_info.id}),
'url': url('forum-topic-unlock', { topic: topic_info.id, csrf: csrf_token() }),
'display': topic_can_lock and topic_info.isLocked,
},
] %}


@ -56,7 +56,7 @@
<div>
<button class="input__button">Save</button>
{% if not change_new %}
<a href="{{ url('manage-changelog-change-delete', {'change': change_info.id}) }}" class="input__button input__button--destroy" onclick="return confirm('Are you sure?');">Delete</a>
<a href="{{ url('manage-changelog-change-delete', { change: change_info.id, csrf: csrf_token() }) }}" class="input__button input__button--destroy" onclick="return confirm('Are you sure?');">Delete</a>
{% endif %}
</div>
</form>


@ -42,7 +42,7 @@
<div>
<button class="input__button">Save</button>
{% if not tag_new %}
<a href="{{ url('manage-changelog-tag-delete', {'tag': tag_info.id}) }}" class="input__button input__button--destroy" onclick="return confirm('Are you sure?');">Delete</a>
<a href="{{ url('manage-changelog-tag-delete', { tag: tag_info.id, csrf: csrf_token() }) }}" class="input__button input__button--destroy" onclick="return confirm('Are you sure?');">Delete</a>
{% endif %}
</div>
</form>


@ -67,7 +67,7 @@
</div>
</td>
<td class="manage-list-setting-options">
<a class="input__button input__button--autosize input__button--destroy" href="{{ url('manage-forum-topic-redirs-nuke', {'topic': redir.topicId}) }}" title="Delete"><i class="fas fa-times fa-fw"></i></a>
<a class="input__button input__button--autosize input__button--destroy" href="{{ url('manage-forum-topic-redirs-nuke', { topic: redir.topicId, csrf: csrf_token() }) }}" title="Delete"><i class="fas fa-times fa-fw"></i></a>
</td>
</tr>
{% endfor %}
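Review bot: The redirect "nuke" link is a destructive GET action with no confirmation, unlike the delete links touched elsewhere in this commit, which all carry `onclick="return confirm('Are you sure?');"`; a stray click or a prefetch-style request removes the redirect immediately. Add the same guard: `onclick="return confirm('Are you sure?');"` on this anchor.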


@ -49,9 +49,9 @@
<div class="manage__emotes__entry__actions">
<button class="input__button input__button--autosize" title="Create Alias" onclick="createEmoteAlias({{ emote.id }}, prompt('Enter an alias for this emoticon...'))"><i class="fas fa-copy fa-fw"></i></button>
<a class="input__button input__button--autosize" href="{{ url('manage-general-emoticon', {'emote': emote.id}) }}" title="Edit"><i class="fas fa-edit fa-fw"></i></a>
<a class="input__button input__button--autosize input__button--destroy" href="{{ url('manage-general-emoticon-delete', {'emote': emote.id}) }}" title="Delete" onclick="return confirm('ARE YOU SURE ABOUT THAT?');"><i class="fas fa-times fa-fw"></i></a>
<a class="input__button input__button--autosize input__button--blue" href="{{ url('manage-general-emoticon-order-up', {'emote': emote.id}) }}" title="Move up"><i class="fas fa-angle-up fa-fw"></i></a>
<a class="input__button input__button--autosize input__button--blue" href="{{ url('manage-general-emoticon-order-down', {'emote': emote.id}) }}" title="Move down"><i class="fas fa-angle-down fa-fw"></i></a>
<a class="input__button input__button--autosize input__button--destroy" href="{{ url('manage-general-emoticon-delete', { emote: emote.id, csrf: csrf_token() }) }}" title="Delete" onclick="return confirm('ARE YOU SURE ABOUT THAT?');"><i class="fas fa-times fa-fw"></i></a>
<a class="input__button input__button--autosize input__button--blue" href="{{ url('manage-general-emoticon-order-up', { emote: emote.id, csrf: csrf_token() }) }}" title="Move up"><i class="fas fa-angle-up fa-fw"></i></a>
<a class="input__button input__button--autosize input__button--blue" href="{{ url('manage-general-emoticon-order-down', { emote: emote.id, csrf: csrf_token() }) }}" title="Move down"><i class="fas fa-angle-down fa-fw"></i></a>
</div>
</div>
{% endfor %}
@ -69,7 +69,7 @@
return;
location.reload();
});
xhr.open('GET', "{{ url('manage-general-emoticon-alias', {'emote': '%1', 'string': '%2'})|raw }}".replace('%1', id).replace('%2', alias));
xhr.open('GET', "{{ url('manage-general-emoticon-alias', { emote: '~1', string: '~2', csrf: csrf_token() })|raw }}".replace('~1', id).replace('~2', alias));
xhr.send();
}
</script>
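Review bot: The alias typed into `prompt()` is spliced into the request URL with `.replace('~2', alias)` without URL-encoding, so an alias containing `&`, `#`, `%` or a space produces a malformed request or silently changes the parameters; and when the user cancels, `prompt()` returns `null`, which is stringified into the URL as `null`. Change the call to `.replace('~2', encodeURIComponent(alias))` and return early at the top of `createEmoteAlias` with `if(alias === null || alias === '') return;`. The function starts above this hunk, so the early return lands outside the visible lines.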


@ -27,7 +27,7 @@
<div>
<button class="input__button">Save</button>
{% if not category_new %}
<a href="{{ url('manage-news-category-delete', {'category': category_info.id}) }}" class="input__button input__button--destroy" onclick="return confirm('Are you sure?');">Delete</a>
<a href="{{ url('manage-news-category-delete', { category: category_info.id, csrf: csrf_token() }) }}" class="input__button input__button--destroy" onclick="return confirm('Are you sure?');">Delete</a>
{% endif %}
</div>
</form>


@ -31,7 +31,7 @@
<div>
<button class="input__button">Save</button>
{% if not post_new %}
<a href="{{ url('manage-news-post-delete', {'post': post_info.id}) }}" class="input__button input__button--destroy" onclick="return confirm('Are you sure?');">Delete</a>
<a href="{{ url('manage-news-post-delete', { post: post_info.id, csrf: csrf_token() }) }}" class="input__button input__button--destroy" onclick="return confirm('Are you sure?');">Delete</a>
{% endif %}
</div>
</form>


@ -91,7 +91,7 @@
</div>
</div>
<div class="manage__bans__item__actions">
<a href="{{ url('manage-users-ban-delete', {'ban': ban.info.id}) }}" title="Revoke/Delete" class="input__button input__button--autosize input__button--destroy manage__bans__item__action" onclick="return confirm('Are you sure?');"><i class="fas fa-times fa-fw"></i></a>
<a href="{{ url('manage-users-ban-delete', { ban: ban.info.id, csrf: csrf_token() }) }}" title="Revoke/Delete" class="input__button input__button--autosize input__button--destroy manage__bans__item__action" onclick="return confirm('Are you sure?');"><i class="fas fa-times fa-fw"></i></a>
</div>
</div>
{% if ban.info.hasPublicReason %}


@ -31,8 +31,8 @@
<div class="manage__notes__item__header">
<div class="manage__notes__item__title"><a href="{{ url('manage-users-note', {'note': note.info.id}) }}">{{ note.info.title }}</a></div>
<div class="manage__notes__item__actions">
<a href="{{ url('manage-users-note', {'note': note.info.id}) }}" title="View/Edit" class="input__button input__button--autosize manage__notes__item__action"><i class="fas fa-pen fa-fw"></i></a>
<a href="{{ url('manage-users-note-delete', {'note': note.info.id}) }}" title="Delete" class="input__button input__button--autosize input__button--destroy manage__notes__item__action" onclick="return confirm('Are you sure?');"><i class="fas fa-times fa-fw"></i></a>
<a href="{{ url('manage-users-note', { note: note.info.id }) }}" title="View/Edit" class="input__button input__button--autosize manage__notes__item__action"><i class="fas fa-pen fa-fw"></i></a>
<a href="{{ url('manage-users-note-delete', { note: note.info.id, csrf: csrf_token() }) }}" title="Delete" class="input__button input__button--autosize input__button--destroy manage__notes__item__action" onclick="return confirm('Are you sure?');"><i class="fas fa-times fa-fw"></i></a>
</div>
</div>
<div class="manage__notes__item__attributes">


@ -63,7 +63,7 @@
</div>
</div>
<div class="manage__warnings__item__actions">
<a href="{{ url('manage-users-warning-delete', {'warning': warn.info.id}) }}" title="Remove" class="input__button input__button--autosize input__button--destroy manage__warnings__item__action" onclick="return confirm('Are you sure?');"><i class="fas fa-times fa-fw"></i></a>
<a href="{{ url('manage-users-warning-delete', { warning: warn.info.id, csrf: csrf_token() }) }}" title="Remove" class="input__button input__button--autosize input__button--destroy manage__warnings__item__action" onclick="return confirm('Are you sure?');"><i class="fas fa-times fa-fw"></i></a>
</div>
</div>
<div class="manage__warnings__item__reason">