t_a/cavepaintingsFork
1
Fork 0
forked from Cavemanon/cavepaintings
Code Issues Pull Requests Packages Projects Releases Wiki Activity

csrf-proofing for extensions

Browse Source
This commit is contained in:
Shish
2010-05-28 14:26:46 +01:00
parent 6cd53fed8a
commit 18403a3fa6
24 changed files with 99 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
contrib/numeric_score/main.php
View File

@@ -39,7 +39,7 @@ class NumericScore implements Extension {
}
}
if(($event instanceof PageRequestEvent) && $event->page_matches("numeric_score_vote")) {
if(($event instanceof PageRequestEvent) && $event->page_matches("numeric_score_vote") && $user->check_auth_token()) {
if(!$user->is_anonymous()) {
$image_id = int_escape($_POST['image_id']);
$char = $_POST['vote'];

4
contrib/numeric_score/theme.php
View File

@@ -2,6 +2,7 @@
class NumericScoreTheme extends Themelet {
public function get_voter_html(Image $image) {
global $user;
$i_image_id = int_escape($image->id);
$i_score = int_escape($image->numeric_score);
@@ -9,18 +10,21 @@ class NumericScoreTheme extends Themelet {
Current Score: $i_score
<p><form action='".make_link("numeric_score_vote")."' method='POST'>
".$user->get_auth_html()."
<input type='hidden' name='image_id' value='$i_image_id'>
<input type='hidden' name='vote' value='up'>
<input type='submit' value='Vote Up'>
</form>
<form action='".make_link("numeric_score_vote")."' method='POST'>
".$user->get_auth_html()."
<input type='hidden' name='image_id' value='$i_image_id'>
<input type='hidden' name='vote' value='null'>
<input type='submit' value='Remove Vote'>
</form>
<form action='".make_link("numeric_score_vote")."' method='POST'>
".$user->get_auth_html()."
<input type='hidden' name='image_id' value='$i_image_id'>
<input type='hidden' name='vote' value='down'>
<input type='submit' value='Vote Down'>