authorr <r@freesoftwareextremist.com>2020-01-25 10:07:06 +0000
committerr <r@freesoftwareextremist.com>2020-01-26 06:49:29 +0000
commitbf2cfaf0ede0e9744408f52538fb4bcd87a6d5b8 (patch)
tree5d3be1dfa65395bddedd2fb6f06a990c23274f00 /static
parent5fdc7a59b2efc60e35f5421e28986c356810456e (diff)
downloadbloat-bf2cfaf0ede0e9744408f52538fb4bcd87a6d5b8.tar.gz
bloat-bf2cfaf0ede0e9744408f52538fb4bcd87a6d5b8.zip
Add CSRF protection
Diffstat (limited to 'static')
-rw-r--r--static/fluoride.js24
1 files changed, 18 insertions, 6 deletions
diff --git a/static/fluoride.js b/static/fluoride.js
index 6a1b5fb..3c0d7f2 100644
--- a/static/fluoride.js
+++ b/static/fluoride.js
@@ -16,7 +16,14 @@ var reverseActions = {
"unretweet": "retweet"
};
-function http(method, url, success, error) {
+function getCSRFToken() {
+ var tag = document.querySelector("meta[name='csrf_token']")
+ if (tag)
+ return tag.getAttribute("content");
+ return "";
+}
+
+function http(method, url, body, type, success, error) {
var req = new XMLHttpRequest();
req.onload = function() {
if (this.status === 200 && typeof success === "function") {
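Review bot: `getCSRFToken` returns an empty string when the meta tag is absent, so a page rendered without it still sends a POST with an empty `csrf_token=` field and the problem only surfaces as a server-side rejection; failing loudly at the source would make the misconfiguration visible, e.g. `if (!tag) { console.error("csrf_token meta tag missing"); return ""; }`. The declaration `var tag = document.querySelector("meta[name='csrf_token']")` also lacks its terminating semicolon while the rest of the file terminates statements. A one-line comment on the new function would help a reader, such as `// Reads the per-page CSRF token, presumably injected by the server as <meta name="csrf_token" content="...">.` The widened `http(method, url, body, type, success, error)` signature shifts parameter positions, so any caller outside this diff still passing `(method, url, success, error)` would silently hand its success callback over as the request body; I cannot tell from the diff whether such callers exist. `http`'s body continues outside the hunk.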
@@ -31,14 +38,15 @@ function http(method, url, success, error) {
}
};
req.open(method, url);
- req.send();
+ req.setRequestHeader("Content-Type", type);
+ req.send(body);
}
function updateActionForm(id, f, action) {
if (Array.from(document.body.classList).indexOf("dark") > -1) {
- f.children[1].src = actionIcons["dark-" + action];
+ f.querySelector(".icon").src = actionIcons["dark-" + action];
} else {
- f.children[1].src = actionIcons[action];
+ f.querySelector(".icon").src = actionIcons[action];
}
f.action = "/" + action + "/" + id;
f.dataset.action = action;
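Review bot: `req.setRequestHeader("Content-Type", type)` is issued unconditionally, so a call to `http` with no body (and `type` undefined) emits a literal `Content-Type: undefined` header instead of omitting it; guarding it with `if (type) req.setRequestHeader("Content-Type", type);` keeps the helper usable for body-less requests such as GET. Whether such callers exist cannot be seen from this diff, but the helper's name suggests it is generic. In `updateActionForm` the `f.querySelector(".icon")` lookup is repeated in both branches of the `if`; hoisting `var icon = f.querySelector(".icon");` above it and assigning `icon.src` in each branch avoids the duplicate query. `http`'s body starts outside the hunk.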
@@ -54,7 +62,9 @@ function handleLikeForm(id, f) {
updateActionForm(id, f, reverseActions[action]);
});
- http("POST", "/fluoride/" + action + "/" + id, function(res, type) {
+ var body = "csrf_token=" + encodeURIComponent(getCSRFToken());
+ var contentType = "application/x-www-form-urlencoded";
+ http("POST", "/fluoride/" + action + "/" + id, body, contentType, function(res, type) {
var data = JSON.parse(res);
var count = data.data;
if (count === 0) {
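Review bot: The two lines that build `body` and `contentType` here are repeated verbatim in `handleRetweetForm` in the next hunk, so the token field name and its encoding now live in two places and can drift apart; a small helper such as `function csrfFormBody() { return "csrf_token=" + encodeURIComponent(getCSRFToken()); }` called from both forms keeps the token transport defined once. `contentType` is the same literal in both places as well and could be a single module-level constant. `handleLikeForm` starts outside the hunk, and the `http` success callback continues past its last line.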
@@ -82,7 +92,9 @@ function handleRetweetForm(id, f) {
updateActionForm(id, f, reverseActions[action]);
});
- http("POST", "/fluoride/" + action + "/" + id, function(res, type) {
+ var body = "csrf_token=" + encodeURIComponent(getCSRFToken());
+ var contentType = "application/x-www-form-urlencoded";
+ http("POST", "/fluoride/" + action + "/" + id, body, contentType, function(res, type) {
var data = JSON.parse(res);
var count = data.data;
if (count === 0) {