- backend: require CSRF token to be passed via POST

- do not leak CSRF token via GET request in feed debugger - rework Article/redirect to use POST
2025-12-13 13:15:55 +00:00 · 2020-09-15 16:12:53 +03:00
parent aeaafefa07
commit 8080c525fd
6 changed files with 45 additions and 41 deletions
--- a/js/FeedTree.js
+++ b/js/FeedTree.js
@@ -101,8 +101,9 @@ define(["dojo/_base/declare", "dojo/dom-construct", "dojo/_base/array", "dojo/co
 					menu.addChild(new dijit.MenuItem({
 						label: __("Debug feed"),
 						onClick: function() {
-							window.open("backend.php?op=feeds&method=update_debugger&feed_id=" + this.getParent().row_id +
-								"&csrf_token=" + App.getInitParam("csrf_token"));
+							/* global __csrf_token */
+							App.postOpenWindow("backend.php", {op: "feeds", method: "update_debugger",
+								feed_id: this.getParent().row_id, csrf_token: __csrf_token});
 						}}));
 				}