authorr <r@freesoftwareextremist.com>2020-01-25 10:07:06 +0000
committerr <r@freesoftwareextremist.com>2020-01-26 06:49:29 +0000
commitbf2cfaf0ede0e9744408f52538fb4bcd87a6d5b8 (patch)
tree5d3be1dfa65395bddedd2fb6f06a990c23274f00 /templates
parent5fdc7a59b2efc60e35f5421e28986c356810456e (diff)
Add CSRF protection
Diffstat (limited to 'templates')
-rw-r--r--templates/header.tmpl3
-rw-r--r--templates/postform.tmpl1
-rw-r--r--templates/settings.tmpl1
-rw-r--r--templates/status.tmpl12
-rw-r--r--templates/user.tmpl9
5 files changed, 19 insertions, 7 deletions
diff --git a/templates/header.tmpl b/templates/header.tmpl
index 571008a..e6e7f0d 100644
--- a/templates/header.tmpl
+++ b/templates/header.tmpl
@@ -4,6 +4,9 @@
<head>
<meta charset='utf-8'>
<meta content='width=device-width, initial-scale=1' name='viewport'>
+ {{if .CSRFToken}}
+ <meta name="csrf_token" content="{{.CSRFToken}}">
+ {{end}}
<title>{{if gt .NotificationCount 0}}({{.NotificationCount}}) {{end}}{{.Title}}</title>
<link rel="stylesheet" href="/static/main.css">
{{if .CustomCSS}}
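Review bot: The new `<meta name="csrf_token">` publishes the token in the DOM of every page, yet nothing in this commit reads it; the forms in the other four files each carry their own hidden `csrf_token` input. If no script consumes the meta tag, dropping it keeps the token's exposure to the form bodies that need it; if one does, a template comment such as `{{/* consumed by <script name> for fetch()-based actions */}}` above the `{{if}}` would record that dependency. The header reads `.CSRFToken` from its root while the forms read `$.Ctx.CSRFToken`, which presumably reflects header.tmpl being executed with the context as its dot — worth confirming so the two paths cannot drift. Because the token is now part of cacheable HTML, it is also worth checking that the handlers serving these pages set `Cache-Control: private` or `no-store`, which is not visible here.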
diff --git a/templates/postform.tmpl b/templates/postform.tmpl
index 0b83d2c..ff2dfd9 100644
--- a/templates/postform.tmpl
+++ b/templates/postform.tmpl
@@ -1,5 +1,6 @@
{{with .Data}}
<form class="post-form" action="/post" method="POST" enctype="multipart/form-data">
+ <input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
{{if .ReplyContext}}
<input type="hidden" name="reply_to_id" value="{{.ReplyContext.InReplyToID}}" />
<label for="post-content" class="post-form-title"> Reply to {{.ReplyContext.InReplyToName}} </label>
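Review bot: The hidden `csrf_token` input is rendered unconditionally from `$.Ctx.CSRFToken`, unlike the header hunk which wraps the meta tag in `{{if .CSRFToken}}`; when the context carries no token this form submits `csrf_token=` with an empty value, and whether the `/post` handler rejects an empty token rather than treating it as "no check" cannot be seen from the templates. The same unguarded pattern appears in settings.tmpl, both status.tmpl hunks and user.tmpl. A one-line template comment on this input, `{{/* server must reject a missing or empty csrf_token, never skip the check */}}`, would make the expectation explicit for whoever edits the handler. The enclosing `<form>` continues past the end of this hunk.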
diff --git a/templates/settings.tmpl b/templates/settings.tmpl
index a32a1b0..e7d49e9 100644
--- a/templates/settings.tmpl
+++ b/templates/settings.tmpl
@@ -4,6 +4,7 @@
<div class="page-title"> Settings </div>
<form id="settings-form" action="/settings" method="POST">
+ <input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
<div class="settings-form-field">
<label for="visibility"> Default scope </label>
<select id="visibility" name="visibility">
diff --git a/templates/status.tmpl b/templates/status.tmpl
index 09c1354..fd5339a 100644
--- a/templates/status.tmpl
+++ b/templates/status.tmpl
@@ -109,12 +109,14 @@
{{else}}
{{if .Reblogged}}
<form class="status-retweet" data-action="unretweet" action="/unretweet/{{.ID}}" method="post">
- <input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}" />
+ <input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+ <input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}">
<input type="image" src="{{GetIcon "retweeted" $.Ctx.DarkMode}}" alt="undo retweet" class="icon" title="undo retweet">
</form>
{{else}}
<form class="status-retweet" data-action="retweet" action="/retweet/{{.ID}}" method="post">
- <input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}" />
+ <input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+ <input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}">
<input type="image" src="{{GetIcon "retweet" $.Ctx.DarkMode}}" alt="retweet" class="icon" title="retweet">
</form>
{{end}}
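Review bot: The `retweeted_by_id` inputs are removed and re-added only to drop the self-closing `/>`, so a two-line security change reads as a four-line one in each form; the same cosmetic churn appears in the second status.tmpl hunk, and user.tmpl re-emits its three submit inputs with what looks like an indentation-only change. Keeping the CSRF additions as pure `+` lines, with the markup normalisation in a separate commit, would let a reviewer confirm at a glance that each `method="post"` form gained exactly one `csrf_token` input and nothing else changed.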
@@ -126,12 +128,14 @@
<div class="status-action">
{{if .Favourited}}
<form class="status-like" data-action="unlike" action="/unlike/{{.ID}}" method="post">
- <input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}" />
+ <input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+ <input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}">
<input type="image" src="{{GetIcon "liked" $.Ctx.DarkMode}}" alt="unlike" class="icon" title="unlike">
</form>
{{else}}
<form class="status-like" data-action="like" action="/like/{{.ID}}" method="post">
- <input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}" />
+ <input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+ <input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}">
<input type="image" src="{{GetIcon "star-o" $.Ctx.DarkMode}}" alt="like" class="icon" title="like">
</form>
{{end}}
diff --git a/templates/user.tmpl b/templates/user.tmpl
index bbbce32..abf22ec 100644
--- a/templates/user.tmpl
+++ b/templates/user.tmpl
@@ -22,17 +22,20 @@
<span> {{if .User.Pleroma.Relationship.FollowedBy}} follows you - {{end}} </span>
{{if .User.Pleroma.Relationship.Following}}
<form class="d-inline" action="/unfollow/{{.User.ID}}" method="post">
- <input type="submit" value="unfollow" class="btn-link">
+ <input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+ <input type="submit" value="unfollow" class="btn-link">
</form>
{{end}}
{{if .User.Pleroma.Relationship.Requested}}
<form class="d-inline" action="/unfollow/{{.User.ID}}" method="post">
- <input type="submit" value="cancel request" class="btn-link">
+ <input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+ <input type="submit" value="cancel request" class="btn-link">
</form>
{{end}}
{{if not .User.Pleroma.Relationship.Following}}
<form class="d-inline" action="/follow/{{.User.ID}}" method="post">
- <input type="submit" value="{{if .User.Pleroma.Relationship.Requested}}resend request{{else}}follow{{end}}" class="btn-link">
+ <input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+ <input type="submit" value="{{if .User.Pleroma.Relationship.Requested}}resend request{{else}}follow{{end}}" class="btn-link">
</form>
{{end}}
</div>