- backend: require CSRF token to be passed via POST

- do not leak CSRF token via GET request in feed debugger - rework Article/redirect to use POST
2025-12-13 10:45:56 +00:00 · 2020-09-15 16:12:53 +03:00
parent aeaafefa07
commit 8080c525fd
6 changed files with 45 additions and 41 deletions
--- a/js/Article.js
+++ b/js/Article.js
@@ -131,37 +131,11 @@ const Article = {
 		});
 	},
 	openInNewWindow: function (id) {
+		/* global __csrf_token */
+		App.postOpenWindow("backend.php",
+			{ "op": "article", "method": "redirect", "id": id, "csrf_token": __csrf_token });

-		const w = window.open("");
-
-		if (w) {
-			w.opener = null;
-
-			const form = document.createElement("form");
-
-			form.setAttribute("method", "post");
-			form.setAttribute("action", App.getInitParam("self_url_prefix") + "/backend.php");
-
-			/* global __csrf_token */
-
-			const params = { "op": "article", "method": "redirect", "id": id, "csrf_token": __csrf_token };
-
-			for (const [k,v] of Object.entries(params)) {
-				const field = document.createElement("input");
-
-				field.setAttribute("name", k);
-				field.setAttribute("value", v);
-				field.setAttribute("type", "hidden");
-
-				form.appendChild(field);
-			}
-
-			w.document.body.appendChild(form);
-			form.submit();
-
-			Headlines.toggleUnread(id, 0);
-		}
-
+		Headlines.toggleUnread(id, 0);
 	},
 	render: function (article) {
 		App.cleanupMemory("content-insert");