Posted to commits@jspwiki.apache.org by ju...@apache.org on 2022/07/12 21:03:51 UTC

[jspwiki] 18/25: Ensure AJAX requests send the csrf protection parameter

This is an automated email from the ASF dual-hosted git repository.

juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git

commit 25f3c707a9c6c5541e389beb7a9c56acccb4b3f0
Author: Juan Pablo Santos Rodríguez <ju...@gmail.com>
AuthorDate: Tue Jul 12 22:58:25 2022 +0200

    Ensure AJAX requests send the csrf protection parameter
---
 jspwiki-war/src/main/scripts/jspwiki-common.js      | 4 ++--
 jspwiki-war/src/main/scripts/jspwiki-edit.js        | 2 +-
 jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js | 3 ++-
 jspwiki-war/src/main/scripts/wiki/Category.js       | 5 ++++-
 jspwiki-war/src/main/scripts/wiki/Wiki.js           | 5 +++--
 5 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/jspwiki-war/src/main/scripts/jspwiki-common.js b/jspwiki-war/src/main/scripts/jspwiki-common.js
index 10fd693f5..aef3516cd 100644
--- a/jspwiki-war/src/main/scripts/jspwiki-common.js
+++ b/jspwiki-war/src/main/scripts/jspwiki-common.js
@@ -528,7 +528,7 @@ var Wiki = {
 		xmlHttpRequest.onreadystatechange = getReadyStateHandler(xmlHttpRequest,responseId,loading);
 		xmlHttpRequest.open('post', url, true);
 		xmlHttpRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
-		xmlHttpRequest.send("params="+params);
+		xmlHttpRequest.send("X-XSRF-TOKEN=" + Wiki.CsrfProtection + "&params="+params);
 	},
 
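Review bot: The token is concatenated into the urlencoded body on the added `xmlHttpRequest.send(...)` line without `encodeURIComponent`, so if `Wiki.CsrfProtection` can contain reserved characters such as `+`, `&` or `=` the server will see a corrupted value and reject an otherwise valid request. The same pattern is in the second hunk of this file (`ajaxJsonCall`) and in the `.send(...)` hunk of `wiki/Wiki.js`. Building the body as `xmlHttpRequest.send("X-XSRF-TOKEN=" + encodeURIComponent(Wiki.CsrfProtection) + "&params=" + params);` keeps the value intact regardless of the token alphabet, which is not visible here. The `ajaxCall` function starts before this hunk.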
 	ajaxJsonCall: function (url, params, callback) {
@@ -537,7 +537,7 @@ var Wiki = {
 		xmlHttpRequest.onreadystatechange = getReadyStateHandler(xmlHttpRequest,null,null,callback);
 		xmlHttpRequest.open('post', url, true);
 		xmlHttpRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
-		xmlHttpRequest.send("params="+params);
+		xmlHttpRequest.send("X-XSRF-TOKEN=" + Wiki.CsrfProtection + "&params="+params);
 	}
 }
 
diff --git a/jspwiki-war/src/main/scripts/jspwiki-edit.js b/jspwiki-war/src/main/scripts/jspwiki-edit.js
index bb975ac33..0cb72f79e 100644
--- a/jspwiki-war/src/main/scripts/jspwiki-edit.js
+++ b/jspwiki-war/src/main/scripts/jspwiki-edit.js
@@ -507,7 +507,7 @@ var EditTools =
 		$('previewSpin').show();
 		new Ajax( Wiki.TemplateUrl + "/AJAXPreview.jsp?page="+Wiki.PageName, {
 		    method:'get',   //use "get" to avoid mootools bug on XHR header "CONNECTION:CLOSE"
-			data: 'wikimarkup=' + encodeURIComponent(this.textarea.value),
+			data: 'X-XSRF-TOKEN=' + $('X-XSRF-TOKEN').get('value') + '&wikimarkup=' + encodeURIComponent(this.textarea.value),
 			update: preview,
 			onComplete: function(){
 				$('previewSpin').hide();
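Review bot: The added `data:` line reads the token from a DOM element via `$('X-XSRF-TOKEN').get('value')` while the other four files use `Wiki.CsrfProtection`; if that element is absent on the page, `$()` returns null and `.get('value')` throws before the preview request is sent. Because the request uses `method:'get'`, MooTools appends `data` to the URL, so the token travels in the query string, where it can end up in access logs and Referer headers; whether the server-side check even reads it from the query string cannot be confirmed from this hunk. The token value is also not urlencoded. Consider `data: 'X-XSRF-TOKEN=' + encodeURIComponent(Wiki.CsrfProtection) + '&wikimarkup=' + encodeURIComponent(this.textarea.value),` if `Wiki.CsrfProtection` is available in this script as it is in `jspwiki-common.js`. The enclosing function starts before this hunk.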
diff --git a/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js b/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js
index e6bf49b7b..9642341ca 100644
--- a/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js
+++ b/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js
@@ -209,7 +209,8 @@ function livepreview(content, preview, previewToggle){
             url: wiki.XHRPreview,
             data: {
                 page: wiki.PageName,
-                wikimarkup: content
+                wikimarkup: content,
+                'X-XSRF-TOKEN': wiki.CsrfProtection
             },
             update: preview,
             onRequest: renderPreview,
diff --git a/jspwiki-war/src/main/scripts/wiki/Category.js b/jspwiki-war/src/main/scripts/wiki/Category.js
index da24d8c7f..5a1c59c1d 100644
--- a/jspwiki-war/src/main/scripts/wiki/Category.js
+++ b/jspwiki-war/src/main/scripts/wiki/Category.js
@@ -59,7 +59,10 @@ Wiki.Category = function(element, pagename, xhrURL){
 
         new Request.HTML({
             url: xhrURL, //+"?page="+pagename,
-            data: { page: decodeURIComponent(pagename) },
+            data: {
+                page: decodeURIComponent(pagename),
+                'X-XSRF-TOKEN': Wiki.CsrfProtection
+            },
             update: popup,
             onSuccess: function(){
                 popup.swapClass("loading", "active");
diff --git a/jspwiki-war/src/main/scripts/wiki/Wiki.js b/jspwiki-war/src/main/scripts/wiki/Wiki.js
index dc0211ee6..6b9c432da 100644
--- a/jspwiki-war/src/main/scripts/wiki/Wiki.js
+++ b/jspwiki-war/src/main/scripts/wiki/Wiki.js
@@ -657,7 +657,8 @@ var Wiki = {
             new Request({
                 url: wiki.XHRHtml2Markup,
                 data: {
-                    htmlPageText: getContent()
+                    htmlPageText: getContent(),
+                    'X-XSRF-TOKEN': wiki.CsrfProtection
                 },
                 onSuccess: function(responseText){
                     preview( responseText.trim() );
@@ -819,7 +820,7 @@ var Wiki = {
                     throw new Error("Wiki rpc error: " + error);
                 }
 
-            }).send( "params=" + params );
+            }).send( "X-XSRF-TOKEN=" + this.CsrfProtection + "&params=" + params );
 
         }
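Review bot: The added `.send(...)` line reads the token as `this.CsrfProtection`, whereas the earlier hunk in this same file uses `wiki.CsrfProtection`; inside a method that may be invoked detached (as an event handler or callback), `this` is not guaranteed to be the `Wiki` object and the parameter would become `X-XSRF-TOKEN=undefined`. If `wiki` is in scope at this point, as it appears to be at line 657, `}).send( "X-XSRF-TOKEN=" + encodeURIComponent(wiki.CsrfProtection) + "&params=" + params );` removes the dependence on the call site and also urlencodes the value, which the current line does not. The enclosing method starts and ends outside this hunk, so the `this` binding cannot be confirmed from here.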