Posted to commits@jspwiki.apache.org by ju...@apache.org on 2022/07/12 21:03:50 UTC
[jspwiki] 17/25: Use new wiki:CsrfProtection tag on JSPs
juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 1f1c94e7776d90a816530028f5065b11cf00e1e6
Author: Juan Pablo Santos RodrÃguez <ju...@gmail.com>
AuthorDate: Tue Jul 12 22:57:46 2022 +0200
Use new wiki:CsrfProtection tag on JSPs
---
jspwiki-war/src/main/webapp/Captcha.jsp | 1 +
jspwiki-war/src/main/webapp/Install.jsp | 2 +-
jspwiki-war/src/main/webapp/templates/210/AttachmentTab.jsp | 13 +++++++------
jspwiki-war/src/main/webapp/templates/210/DiffTab.jsp | 1 +
.../src/main/webapp/templates/210/EditGroupContent.jsp | 3 ++-
jspwiki-war/src/main/webapp/templates/210/FindContent.jsp | 2 +-
jspwiki-war/src/main/webapp/templates/210/GroupContent.jsp | 1 +
jspwiki-war/src/main/webapp/templates/210/GroupTab.jsp | 1 +
jspwiki-war/src/main/webapp/templates/210/InfoContent.jsp | 5 ++++-
jspwiki-war/src/main/webapp/templates/210/LoginContent.jsp | 4 ++--
.../src/main/webapp/templates/210/NewGroupContent.jsp | 2 +-
jspwiki-war/src/main/webapp/templates/210/PageTab.jsp | 1 +
.../src/main/webapp/templates/210/PreferencesTab.jsp | 2 ++
jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp | 1 +
jspwiki-war/src/main/webapp/templates/210/SearchBox.jsp | 1 +
.../src/main/webapp/templates/210/WorkflowContent.jsp | 2 ++
.../src/main/webapp/templates/210/admin/AdminTemplate.jsp | 2 ++
.../src/main/webapp/templates/210/admin/UserManagement.jsp | 1 +
jspwiki-war/src/main/webapp/templates/210/commonheader.jsp | 1 +
.../src/main/webapp/templates/210/editors/CKeditor.jsp | 3 ++-
jspwiki-war/src/main/webapp/templates/210/editors/FCK.jsp | 1 +
.../src/main/webapp/templates/210/editors/TinyMCE.jsp | 1 +
jspwiki-war/src/main/webapp/templates/210/editors/plain.jsp | 1 +
.../src/main/webapp/templates/210/editors/preview.jsp | 1 +
.../src/main/webapp/templates/210/editors/wysiwyg.jsp | 1 +
.../src/main/webapp/templates/default/AttachmentTab.jsp | 5 ++++-
jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp | 1 +
.../src/main/webapp/templates/default/EditGroupContent.jsp | 1 +
.../src/main/webapp/templates/default/FindContent.jsp | 1 +
jspwiki-war/src/main/webapp/templates/default/GroupTab.jsp | 2 ++
.../src/main/webapp/templates/default/InfoContent.jsp | 5 ++++-
.../src/main/webapp/templates/default/LoginContent.jsp | 4 +++-
jspwiki-war/src/main/webapp/templates/default/PageTab.jsp | 1 +
.../src/main/webapp/templates/default/PreferencesTab.jsp | 1 +
.../src/main/webapp/templates/default/ProfileTab.jsp | 1 +
jspwiki-war/src/main/webapp/templates/default/SearchBox.jsp | 1 +
jspwiki-war/src/main/webapp/templates/default/UserBox.jsp | 10 +++++-----
.../src/main/webapp/templates/default/WorkflowContent.jsp | 2 ++
.../main/webapp/templates/default/admin/AdminTemplate.jsp | 2 ++
.../main/webapp/templates/default/admin/UserManagement.jsp | 3 ++-
.../src/main/webapp/templates/default/commonheader.jsp | 1 +
.../src/main/webapp/templates/default/editors/CKeditor.jsp | 1 +
.../src/main/webapp/templates/default/editors/TinyMCE.jsp | 1 +
.../src/main/webapp/templates/default/editors/plain.jsp | 1 +
.../src/main/webapp/templates/default/editors/preview.jsp | 2 +-
.../src/main/webapp/templates/default/editors/wysiwyg.jsp | 1 +
46 files changed, 77 insertions(+), 24 deletions(-)
diff --git a/jspwiki-war/src/main/webapp/Captcha.jsp b/jspwiki-war/src/main/webapp/Captcha.jsp
index f44d94fb0..ed33fdf10 100644
--- a/jspwiki-war/src/main/webapp/Captcha.jsp
+++ b/jspwiki-war/src/main/webapp/Captcha.jsp
@@ -110,6 +110,7 @@
<p><fmt:message key="captcha.description" /></p>
<form action="<wiki:Link jsp='Captcha.jsp' format='url'/>" method="post" id="mainForm" style="display: none;">
+ <wiki:CsrfProtection/>
<input type="hidden" value="foo" name="text" />
<input type="hidden" value='<%=reqPage%>' name='page'/>
<script type="text/javascript" src="http://challenge.asirra.com/js/AsirraClientSide.js"></script>
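Review bot: The token that the new `<wiki:CsrfProtection/>` puts into this form is readable by the third-party script loaded three lines below from `http://challenge.asirra.com/js/AsirraClientSide.js` over plain HTTP; any script running in the page can read the hidden field (and the `format="meta"` copy added in commonheader.jsp), so an unauthenticated, modifiable script include undermines the protection this commit introduces. That script line is pre-existing, but now that the form carries a session secret it is worth loading it over https (with an `integrity` attribute if the host supports it), or removing it if the service is no longer available. The closing tag of `mainForm` is outside the hunk.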
diff --git a/jspwiki-war/src/main/webapp/Install.jsp b/jspwiki-war/src/main/webapp/Install.jsp
index 29fc2f319..6b2913914 100644
--- a/jspwiki-war/src/main/webapp/Install.jsp
+++ b/jspwiki-war/src/main/webapp/Install.jsp
@@ -109,7 +109,7 @@ if ( !installer.adminExists() )
<div class="formcontainer">
<form action="Install.jsp" method="post">
-
+ <wiki:CsrfProtection/>
<!-- Page directory -->
<h3><fmt:message key="install.jsp.basics.title" /></h3>
diff --git a/jspwiki-war/src/main/webapp/templates/210/AttachmentTab.jsp b/jspwiki-war/src/main/webapp/templates/210/AttachmentTab.jsp
index 9439e5b72..c732ca2b3 100644
--- a/jspwiki-war/src/main/webapp/templates/210/AttachmentTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/AttachmentTab.jsp
@@ -29,18 +29,19 @@
<%
int MAXATTACHNAMELENGTH = 30;
Context c = Context.findContext(pageContext);
- String progressId = c.getEngine().getManager( ProgressManager.class ).getNewProgressIdentifier();
%>
+<c:set var="progressId" value="<%= c.getEngine().getManager( ProgressManager.class ).getNewProgressIdentifier() %>" />
+<c:set var="csrfProtection" value="<%= c.getWikiSession().antiCsrfToken() %>" />
<div id="addattachment">
<h3><fmt:message key="attach.add"/></h3>
<wiki:Permission permission="upload">
- <form action="<wiki:Link jsp='attach' format='url'><wiki:Param name='progressid' value='<%=progressId%>'/></wiki:Link>"
+ <form action="<wiki:Link jsp='attach' format='url'><wiki:Param name='progressid' value='${progressId}'/><wiki:Param name='X-XSRF-TOKEN' value='${csrfProtection}'/></wiki:Link>"
class="wikiform"
id="uploadform"
method="post"
enctype="multipart/form-data" accept-charset="<wiki:ContentEncoding/>"
- onsubmit="return Wiki.submitUpload(this, '<%=progressId%>');" >
+ onsubmit="return Wiki.submitUpload(this, '${progressId}');" >
<table>
<tr>
<td colspan="2"><div class="formhelp"><fmt:message key="attach.add.info" /></div></td>
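Review bot: The new `<wiki:Param name='X-XSRF-TOKEN' value='${csrfProtection}'/>` places the session's anti-CSRF token on the upload form's action URL, where it is written to access logs and sent in the Referer header of the page that follows; presumably this is done because a hidden field inside a `multipart/form-data` body is not visible to the CSRF check, but it turns the query string into a second copy of a secret that the rest of the commit keeps in the request body. Since the form already runs `Wiki.submitUpload(this, '${progressId}')` on submit, sending the token as an `X-XSRF-TOKEN` request header from that JavaScript (using the `format="meta"` value from commonheader.jsp) would avoid the URL exposure; at minimum confirm that `wiki:Link` URL-encodes the `${csrfProtection}` value. The same pattern is added in the templates/default/AttachmentTab.jsp hunk.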
@@ -55,7 +56,7 @@
<input type="hidden" name="nextpage" value="<wiki:UploadLink format="url"/>" /></td>
</tr>
- <tr>
+ <tr>
<td></td>
<td>
<input type="hidden" name="page" value="<wiki:Variable var="pagename"/>" />
@@ -66,6 +67,7 @@
</tr>
</table>
+ <wiki:CsrfProtection/>
</form>
<wiki:Messages div="error" />
@@ -89,9 +91,8 @@
id="deleteForm" style="display:none;"
method="post" accept-charset="<wiki:ContentEncoding />"
onsubmit="return(confirm('<fmt:message key="attach.deleteconfirm"/>') && Wiki.submitOnce(this) );" >
-
+ <wiki:CsrfProtection/>
<input id="delete-all" name="delete-all" type="submit" value="Delete" />
-
</form>
</wiki:Permission>
diff --git a/jspwiki-war/src/main/webapp/templates/210/DiffTab.jsp b/jspwiki-war/src/main/webapp/templates/210/DiffTab.jsp
index 85bab3a42..257bea798 100644
--- a/jspwiki-war/src/main/webapp/templates/210/DiffTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/DiffTab.jsp
@@ -38,6 +38,7 @@
<wiki:PageExists>
<form action="<wiki:Link jsp='Diff.jsp' format='url' />" method="get" accept-charset="UTF-8">
+<wiki:CsrfProtection/>
<div class="collapsebox" id="diffcontent">
<h4>
<input type="hidden" name="page" value="<wiki:Variable var='pagename' />" />
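Review bot: This form is `method="get"` (the line above the new tag), so `<wiki:CsrfProtection/>` will emit the anti-CSRF token into the query string of Diff.jsp, where it ends up in browser history, server and proxy logs and outgoing Referer headers; a read-only GET needs no CSRF token, and leaking it this way weakens the protection on the POST forms elsewhere in this commit. The same applies to the GET forms in templates/210/PageTab.jsp, templates/default/DiffTab.jsp and templates/default/PageTab.jsp, and the SearchBox.jsp and FindContent.jsp hunks do not show the form's method, so those should be checked too. I would remove the tag from the GET forms, or have the tag render nothing unless the enclosing form posts.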
diff --git a/jspwiki-war/src/main/webapp/templates/210/EditGroupContent.jsp b/jspwiki-war/src/main/webapp/templates/210/EditGroupContent.jsp
index 29d00c3b8..f448264d5 100644
--- a/jspwiki-war/src/main/webapp/templates/210/EditGroupContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/EditGroupContent.jsp
@@ -69,7 +69,7 @@
class="wikiform"
id="editGroup"
method="POST" accept-charset="UTF-8">
-
+ <wiki:CsrfProtection/>
<!-- Members -->
<%
StringBuffer s = new StringBuffer();
@@ -116,6 +116,7 @@
onsubmit="return( confirm('<fmt:message key="grp.deletegroup.confirm"/>')
&& Wiki.submitOnce(this) );"
method="POST" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input type="submit" name="ok" value="<fmt:message key="actions.deletegroup"/>" />
<input type="hidden" name="group" value="${param.group}" />
</form>
diff --git a/jspwiki-war/src/main/webapp/templates/210/FindContent.jsp b/jspwiki-war/src/main/webapp/templates/210/FindContent.jsp
index 9ebf4ce8e..0ceebc311 100644
--- a/jspwiki-war/src/main/webapp/templates/210/FindContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/FindContent.jsp
@@ -36,7 +36,7 @@
class="wikiform"
id="searchform2"
accept-charset="<wiki:ContentEncoding/>">
-
+ <wiki:CsrfProtection/>
<h4><fmt:message key="find.input" /></h4>
<p>
<input type="text"
diff --git a/jspwiki-war/src/main/webapp/templates/210/GroupContent.jsp b/jspwiki-war/src/main/webapp/templates/210/GroupContent.jsp
index 1e5fd553e..1f37656b1 100644
--- a/jspwiki-war/src/main/webapp/templates/210/GroupContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/GroupContent.jsp
@@ -154,6 +154,7 @@
onsubmit="return( confirm('<fmt:message key="grp.deletegroup.confirm"/>')
&& Wiki.submitOnce(this) );"
method="POST" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input type="submit" name="ok" value="<fmt:message key="actions.deletegroup"/>" />
<input type="hidden" name="group" value="${param.group}" />
</form>
diff --git a/jspwiki-war/src/main/webapp/templates/210/GroupTab.jsp b/jspwiki-war/src/main/webapp/templates/210/GroupTab.jsp
index 827e09cbe..df106512a 100644
--- a/jspwiki-war/src/main/webapp/templates/210/GroupTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/GroupTab.jsp
@@ -107,6 +107,7 @@
id="groupForm"
method="post" accept-charset="<wiki:ContentEncoding />" >
<div>
+ <wiki:CsrfProtection/>
<input type="hidden" name="group" value="" />
<input type="hidden" name="members" value="" />
<input type="hidden" name="action" value="save" />
diff --git a/jspwiki-war/src/main/webapp/templates/210/InfoContent.jsp b/jspwiki-war/src/main/webapp/templates/210/InfoContent.jsp
index 3942fe0e4..02b038bbe 100644
--- a/jspwiki-war/src/main/webapp/templates/210/InfoContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/InfoContent.jsp
@@ -140,6 +140,7 @@
onsubmit="return Wiki.submitOnce(this);"
method="post" accept-charset="<wiki:ContentEncoding />" >
<p>
+ <wiki:CsrfProtection/>
<input type="hidden" name="page" value="<wiki:Variable var='pagename' />" />
<input type="submit" name="rename" value="<fmt:message key='info.rename.submit' />" />
<input type="text" name="renameto"
@@ -161,6 +162,7 @@
method="post" accept-charset="<wiki:ContentEncoding />"
onsubmit="return( confirm('<fmt:message key="info.confirmdelete"/>') && Wiki.submitOnce(this) );">
<p>
+ <wiki:CsrfProtection/>
<input type="submit" name="delete-all" id="delete-all"
value="<fmt:message key='info.delete.submit'/>" />
</p>
@@ -291,7 +293,7 @@
<%-- Do NOT change the order of wikiname and content, otherwise the
servlet won't find its parts. --%>
-
+ <wiki:CsrfProtection/>
<table>
<tr>
<td colspan="2"><div class="formhelp"><fmt:message key="info.uploadnew.help" /></div></td>
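Review bot: This is the attachment upload form (its `<form>` tag is outside the hunk), and the token is added here only as a hidden field, whereas the AttachmentTab.jsp hunks in this commit additionally put the token on the action URL as `X-XSRF-TOKEN` — presumably because a hidden field in a `multipart/form-data` body is not seen by the CSRF check. If that is the reason, this form and the matching hunk in templates/default/InfoContent.jsp will either be rejected or remain unprotected; confirm how the filter obtains the token for multipart posts and make the upload forms consistent. The adjacent comment also warns that the servlet depends on the order of the `wikiname` and `content` parts, so check that a new hidden part ahead of them is tolerated.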
@@ -331,6 +333,7 @@
method="post" accept-charset="<wiki:ContentEncoding />"
onsubmit="return( confirm('<fmt:message key="info.confirmdelete"/>') && Wiki.submitOnce(this) );" >
<div>
+ <wiki:CsrfProtection/>
<input type="submit" name="delete-all" id="delete-all"
value="<fmt:message key='info.deleteattachment.submit' />" />
</div>
diff --git a/jspwiki-war/src/main/webapp/templates/210/LoginContent.jsp b/jspwiki-war/src/main/webapp/templates/210/LoginContent.jsp
index 3a2e8fe7f..f0fd85df8 100644
--- a/jspwiki-war/src/main/webapp/templates/210/LoginContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/LoginContent.jsp
@@ -58,7 +58,7 @@
method="post" accept-charset="<wiki:ContentEncoding />" >
<div class="center">
-
+ <wiki:CsrfProtection/>
<h3><fmt:message key="login.heading.login"><fmt:param><wiki:Variable var="applicationname" /></fmt:param></fmt:message></h3>
<div class="formhelp"><fmt:message key="login.help"></fmt:message></div>
@@ -129,7 +129,7 @@
method="post" accept-charset="<wiki:ContentEncoding />" >
<h3><fmt:message key="login.lostpw.heading" /></h3>
-
+ <wiki:CsrfProtection/>
<c:choose>
<c:when test="${passwordreset == 'done' }">
<wiki:Messages div="information" topic="resetpw" prefix="" />
diff --git a/jspwiki-war/src/main/webapp/templates/210/NewGroupContent.jsp b/jspwiki-war/src/main/webapp/templates/210/NewGroupContent.jsp
index 0b85b7251..15aa8263d 100644
--- a/jspwiki-war/src/main/webapp/templates/210/NewGroupContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/NewGroupContent.jsp
@@ -63,7 +63,7 @@
<form id="createGroup" action="<wiki:Link format="url" jsp="NewGroup.jsp"/>"
method="POST" accept-charset="UTF-8">
-
+ <wiki:CsrfProtection/>
<div class="formhelp">
<fmt:message key="newgroup.instructions.start"/>
</div>
diff --git a/jspwiki-war/src/main/webapp/templates/210/PageTab.jsp b/jspwiki-war/src/main/webapp/templates/210/PageTab.jsp
index ac77fa7e9..ebe8ff003 100644
--- a/jspwiki-war/src/main/webapp/templates/210/PageTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/PageTab.jsp
@@ -47,6 +47,7 @@
<form action="<wiki:Link format='url' jsp='Wiki.jsp'/>"
method="get" accept-charset='UTF-8'>
+ <wiki:CsrfProtection/>
<input type="hidden" name="page" value="<wiki:Variable var='pagename' />" />
<div class="warning">
<fmt:message key="view.oldversion">
diff --git a/jspwiki-war/src/main/webapp/templates/210/PreferencesTab.jsp b/jspwiki-war/src/main/webapp/templates/210/PreferencesTab.jsp
index 8cb15aa68..de28e1e70 100644
--- a/jspwiki-war/src/main/webapp/templates/210/PreferencesTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/PreferencesTab.jsp
@@ -55,6 +55,7 @@
id="setCookie"
method="post" accept-charset="<wiki:ContentEncoding />"
onsubmit="WikiPreferences.savePrefs(); return Wiki.submitOnce(this);" >
+ <wiki:CsrfProtection/>
<table>
<tr>
@@ -210,6 +211,7 @@
onsubmit="Wiki.prefs.empty(); return Wiki.submitOnce( this );"
method="post" accept-charset="<wiki:ContentEncoding />" >
<div>
+ <wiki:CsrfProtection/>
<input type="submit" name="ok" value="<fmt:message key='prefs.clear.submit'/>" />
<input type="hidden" name="action" value="clearAssertedName" />
</div>
diff --git a/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp b/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp
index 969734f69..2605a5913 100644
--- a/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp
@@ -43,6 +43,7 @@
onsubmit="return Wiki.submitOnce( this );"
method="post" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<h3>
<wiki:UserProfile property="exists"><fmt:message key="prefs.oldprofile"/></wiki:UserProfile>
<wiki:UserProfile property="new"><fmt:message key="prefs.newprofile"/></wiki:UserProfile>
diff --git a/jspwiki-war/src/main/webapp/templates/210/SearchBox.jsp b/jspwiki-war/src/main/webapp/templates/210/SearchBox.jsp
index 9aea7d35c..005eb8a46 100644
--- a/jspwiki-war/src/main/webapp/templates/210/SearchBox.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/SearchBox.jsp
@@ -35,6 +35,7 @@
name="query" id="query"
size="20"
accesskey="f" />
+ <wiki:CsrfProtection/>
<button type="submit"
name="searchSubmit" id="searchSubmit"
value="<fmt:message key='find.submit.go'/>"
diff --git a/jspwiki-war/src/main/webapp/templates/210/WorkflowContent.jsp b/jspwiki-war/src/main/webapp/templates/210/WorkflowContent.jsp
index 9bb25f979..52376524b 100644
--- a/jspwiki-war/src/main/webapp/templates/210/WorkflowContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/WorkflowContent.jsp
@@ -84,6 +84,7 @@
<td align="left">
<form id="<c:out value='decision.${decision.id}'/>"
action="<wiki:Link jsp='Workflow.jsp' format='url'/>" method="POST" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input type="hidden" name="action" value="decide" />
<input type="hidden" name="id" value="<c:out value='${decision.id}' />" />
<select name="outcome" onchange="SubmitOutcomeIfSelected(this)">
@@ -163,6 +164,7 @@
<!-- Actions -->
<td align="left">
<form id="<c:out value='workflow.${workflow.id}'/>" action="<wiki:Link jsp='Workflow.jsp' format='url'/>" method="POST" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input type="submit" name="submit" value="<fmt:message key="outcome.step.abort" />" />
<input type="hidden" name="action" value="abort" />
<input type="hidden" name="id" value="<c:out value="${workflow.id}" />" />
diff --git a/jspwiki-war/src/main/webapp/templates/210/admin/AdminTemplate.jsp b/jspwiki-war/src/main/webapp/templates/210/admin/AdminTemplate.jsp
index 536f8c4e4..b946808ed 100644
--- a/jspwiki-war/src/main/webapp/templates/210/admin/AdminTemplate.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/admin/AdminTemplate.jsp
@@ -56,6 +56,7 @@ in your <code>jspwiki.properties</code> file.</div>
<div class="formcontainer">
<form action="Admin.jsp" method="post" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input type="hidden" name="tab-admin" value="core"/>
<input type="hidden" name="tab-core" value="${ab.title}" />
<input type="hidden" name="bean" value="${ab.id}" />
@@ -91,6 +92,7 @@ in your <code>jspwiki.properties</code> file.</div>
<div class="formcontainer">
<form action="Admin.jsp" method="post" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input type="hidden" name="tab-admin" value="editors"/>
<input type="hidden" name="tab-editors" value="${ab.title}" />
<%
diff --git a/jspwiki-war/src/main/webapp/templates/210/admin/UserManagement.jsp b/jspwiki-war/src/main/webapp/templates/210/admin/UserManagement.jsp
index 2c681c966..8dbc8e2de 100644
--- a/jspwiki-war/src/main/webapp/templates/210/admin/UserManagement.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/admin/UserManagement.jsp
@@ -84,6 +84,7 @@ function addNew()
onsubmit="return Wiki.submitOnce(this);"
method="post" accept-charset="<wiki:ContentEncoding/>"
enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
<input type="hidden" name='bean' value='org.apache.wiki.ui.admin.beans.UserBean'/>
<input type="hidden" id="loginid" name="loginid" value="" />
<table>
diff --git a/jspwiki-war/src/main/webapp/templates/210/commonheader.jsp b/jspwiki-war/src/main/webapp/templates/210/commonheader.jsp
index 873817336..346090133 100644
--- a/jspwiki-war/src/main/webapp/templates/210/commonheader.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/commonheader.jsp
@@ -72,6 +72,7 @@
<meta name="wikiUserName" content='<wiki:UserName />' />
<meta name="wikiTemplateUrl" content='<wiki:Link format="url" templatefile="" />' />
<meta name="wikiApplicationName" content='<wiki:Variable var="ApplicationName" />' />
+<wiki:CsrfProtection format="meta" />
<script type="text/javascript">//<![CDATA[
/* Localized javascript strings: LocalizedStrings[] */
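Review bot: A short comment on why the meta form of the token is emitted here would help future maintainers, since every form touched by this commit already carries its own hidden copy; e.g. `<%-- anti-CSRF token for requests made from JavaScript; forms carry their own hidden copy --%>`, adjusted to how the wiki's scripts actually consume it. The `<script>` block that follows starts inside the hunk but continues past it.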
diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/CKeditor.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/CKeditor.jsp
index aa4864f02..d4bac805b 100644
--- a/jspwiki-war/src/main/webapp/templates/210/editors/CKeditor.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/editors/CKeditor.jsp
@@ -130,7 +130,8 @@
id="editform"
enctype="application/x-www-form-urlencoded" >
- <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%>
+ <wiki:CsrfProtection/>
+ <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%>
<input type="hidden" name="page" value="<wiki:Variable var='pagename' />" />
<input type="hidden" name="action" value="save" />
<wiki:SpamFilterInputs/>
diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/FCK.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/FCK.jsp
index 792fcb476..67285cc75 100644
--- a/jspwiki-war/src/main/webapp/templates/210/editors/FCK.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/editors/FCK.jsp
@@ -104,6 +104,7 @@
name="editform" id="editform"
enctype="application/x-www-form-urlencoded">
<p>
+ <wiki:CsrfProtection/>
<%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%>
<input name="page" type="hidden" value="<wiki:Variable var="pagename"/>" />
<input name="action" type="hidden" value="save" />
diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/TinyMCE.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/TinyMCE.jsp
index 8e0021c8b..008876c7e 100644
--- a/jspwiki-war/src/main/webapp/templates/210/editors/TinyMCE.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/editors/TinyMCE.jsp
@@ -126,6 +126,7 @@
id="editform"
enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
<%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%>
<input type="hidden" name="page" value="<wiki:Variable var='pagename' />" />
<input type="hidden" name="action" value="save" />
diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/plain.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/plain.jsp
index 4f36913f6..ae0dcf5af 100644
--- a/jspwiki-war/src/main/webapp/templates/210/editors/plain.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/editors/plain.jsp
@@ -88,6 +88,7 @@
method="post" accept-charset="<wiki:ContentEncoding/>"
enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
<%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%>
<p id="submitbuttons">
<input name="page" type="hidden" value="<wiki:Variable var='pagename' />" />
diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/preview.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/preview.jsp
index 1c0036b3f..9a2a47ed3 100644
--- a/jspwiki-war/src/main/webapp/templates/210/editors/preview.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/editors/preview.jsp
@@ -47,6 +47,7 @@
enctype="application/x-www-form-urlencoded">
<p>
+ <wiki:CsrfProtection/>
<%-- Edit.jsp & Comment.jsp rely on these being found. So be careful, if you make changes. --%>
<input type="hidden" name="author" value="${author}" />
<input type="hidden" name="link" value="${link}" />
diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/wysiwyg.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/wysiwyg.jsp
index 67b304c2d..e49ec3b77 100644
--- a/jspwiki-war/src/main/webapp/templates/210/editors/wysiwyg.jsp
+++ b/jspwiki-war/src/main/webapp/templates/210/editors/wysiwyg.jsp
@@ -93,6 +93,7 @@ Falling back to the plain editor.
method="post" accept-charset="<wiki:ContentEncoding/>"
enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
<%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%>
<p id="submitbuttons">
<input name="page" type="hidden" value="<wiki:Variable var='pagename' />" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp b/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp
index 9614286c5..29016589c 100644
--- a/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp
@@ -33,16 +33,18 @@
Context c = Context.findContext(pageContext);
%>
<c:set var="progressId" value="<%= c.getEngine().getManager( ProgressManager.class ).getNewProgressIdentifier() %>" />
+<c:set var="csrfProtection" value="<%= c.getWikiSession().antiCsrfToken() %>" />
<div class="page-content">
<wiki:Permission permission="upload">
- <form action="<wiki:Link jsp='attach' format='url'><wiki:Param name='progressid' value='${progressId}'/></wiki:Link>"
+ <form action="<wiki:Link jsp='attach' format='url'><wiki:Param name='progressid' value='${progressId}'/><wiki:Param name='X-XSRF-TOKEN' value='${csrfProtection}'/></wiki:Link>"
class="accordion<wiki:HasAttachments></wiki:HasAttachments>"
id="uploadform"
method="post"
enctype="multipart/form-data" accept-charset="<wiki:ContentEncoding/>" >
<h4><span class="icon-paper-clip"></span> <fmt:message key="attach.add"/></h4>
+ <wiki:CsrfProtection/>
<input type="hidden" name="nextpage" value="<wiki:Link context='upload' format='url'/>" />
<input type="hidden" name="page" value="<wiki:Variable var="pagename"/>" />
<input type="hidden" name="action" value="upload" />
@@ -92,6 +94,7 @@
<%--TODO: "nextpage" is not yet implemented in Delete.jsp
--%>
+ <wiki:CsrfProtection/>
<input type="hidden" name="nextpage" value="<wiki:Link context='upload' format='url'/>" />
<input id="delete-all" name="delete-all" type="submit"
data-modal="+ .modal"
diff --git a/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp b/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp
index 126273ef1..15ff22357 100644
--- a/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp
@@ -37,6 +37,7 @@
class="diffbody form-inline"
method="get" accept-charset="UTF-8">
<input type="hidden" name="page" value="<wiki:PageName />" />
+ <wiki:CsrfProtection/>
<p class="btn btn-default btn-block">
<fmt:message key="diff.difference">
diff --git a/jspwiki-war/src/main/webapp/templates/default/EditGroupContent.jsp b/jspwiki-war/src/main/webapp/templates/default/EditGroupContent.jsp
index f3465c862..0092da87f 100644
--- a/jspwiki-war/src/main/webapp/templates/default/EditGroupContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/EditGroupContent.jsp
@@ -64,6 +64,7 @@
method="POST" accept-charset="UTF-8">
<input type="hidden" name="group" value="${name}" />
+ <wiki:CsrfProtection/>
<div class="form-group">
<button class="btn btn-success" type="submit" name="action" value="save">
diff --git a/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp b/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp
index c85371ca6..fae834803 100644
--- a/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp
@@ -41,6 +41,7 @@
placeholder="<fmt:message key="find.input" />"
autofocus="autofocus"
size="32" />
+ <wiki:CsrfProtection/>
<div class="form-inline form-group">
diff --git a/jspwiki-war/src/main/webapp/templates/default/GroupTab.jsp b/jspwiki-war/src/main/webapp/templates/default/GroupTab.jsp
index 4d8027759..c3a521266 100644
--- a/jspwiki-war/src/main/webapp/templates/default/GroupTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/GroupTab.jsp
@@ -66,6 +66,7 @@
<h4><fmt:message key="newgroup.heading.create"/></h4>
<input type="hidden" name="action" value="save" />
+ <wiki:CsrfProtection/>
<fmt:message key='newgroup.errorprefix' var="msg"/>
<wiki:Messages div="alert alert-danger form-col-offset-20 form-col-50" topic="group" prefix="${msg}"/>
@@ -102,6 +103,7 @@
name="deleteGroupForm" id="deleteGroupForm"
method="POST" accept-charset="UTF-8">
<input type="hidden" name="group" value="${group.name}" />
+ <wiki:CsrfProtection/>
<input type="submit" name="ok"
data-modal="+ .modal"
value="<fmt:message key="actions.deletegroup"/>" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp b/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp
index 744bf0c75..89c2d2e71 100644
--- a/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp
@@ -120,6 +120,7 @@
id="renameform"
method="post" accept-charset="<wiki:ContentEncoding />" >
+ <wiki:CsrfProtection/>
<input type="hidden" name="page" value="<wiki:Variable var='pagename' />" />
<input class="btn btn-success" type="submit" name="rename" value="<fmt:message key='info.rename.submit' />" />
<input class="form-control form-col-50" type="text" name="renameto"
@@ -142,6 +143,7 @@
<input class="btn btn-danger" type="submit" name="delete-all" id="delete-all"
data-modal="+ .modal"
value="<fmt:message key='info.delete.submit'/>" />
+ <wiki:CsrfProtection/>
<div class="modal"><fmt:message key='info.confirmdelete'/></div>
</form>
</wiki:Permission>
@@ -262,7 +264,7 @@
<%-- Do NOT change the order of wikiname and content, otherwise the
servlet won't find its parts. --%>
-
+ <wiki:CsrfProtection/>
<h4><span class="icon-paper-clip"></span> <fmt:message key="info.uploadnew"/></h4>
<div class="form-group">
@@ -310,6 +312,7 @@
</fmt:message>
</a>
--%>
+ <wiki:CsrfProtection/>
<wiki:Permission permission="delete">
<input class="btn btn-danger" type="submit" name="delete-all" id="delete-all"
data-modal="+ .modal"
diff --git a/jspwiki-war/src/main/webapp/templates/default/LoginContent.jsp b/jspwiki-war/src/main/webapp/templates/default/LoginContent.jsp
index e6acc78f3..4b8cfadbe 100644
--- a/jspwiki-war/src/main/webapp/templates/default/LoginContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/LoginContent.jsp
@@ -55,7 +55,7 @@
id="login"
class="login-form"
method="post" accept-charset="<wiki:ContentEncoding />" >
-
+ <wiki:CsrfProtection/>
<p class="login-header">
<fmt:message key="login.heading.login">
<fmt:param><wiki:Variable var="applicationname" /></fmt:param>
@@ -122,6 +122,7 @@
class="login-form"
method="post" accept-charset="<wiki:ContentEncoding />" >
+ <wiki:CsrfProtection/>
<p class="login-header"><fmt:message key="login.lostpw.title" /></p>
<c:choose>
@@ -190,6 +191,7 @@
class="login-form"
method="post" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input type="hidden" name="redirect" value="<wiki:Variable var='redirect' default='' />" />
<p class="login-header"><fmt:message key="login.registernow.title" /></p>
diff --git a/jspwiki-war/src/main/webapp/templates/default/PageTab.jsp b/jspwiki-war/src/main/webapp/templates/default/PageTab.jsp
index b889a1dc1..8e7660a2b 100644
--- a/jspwiki-war/src/main/webapp/templates/default/PageTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/PageTab.jsp
@@ -48,6 +48,7 @@
method="get" accept-charset='UTF-8'>
<input type="hidden" name="page" value="${param.page}" />
+ <wiki:CsrfProtection/>
<div class="error center">
<label>
<fmt:message key="view.oldversion">
diff --git a/jspwiki-war/src/main/webapp/templates/default/PreferencesTab.jsp b/jspwiki-war/src/main/webapp/templates/default/PreferencesTab.jsp
index d1b1a4fe5..4da7bbb17 100644
--- a/jspwiki-war/src/main/webapp/templates/default/PreferencesTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/PreferencesTab.jsp
@@ -47,6 +47,7 @@
method="post" accept-charset="<wiki:ContentEncoding />" >
<input type="hidden" name="redirect" value="${redirect}" />
+ <wiki:CsrfProtection/>
<div class="form-group ">
diff --git a/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp b/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp
index 36a7befbe..d58b051a3 100644
--- a/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp
@@ -43,6 +43,7 @@
id="editProfile">
<input type="hidden" name="redirect" value="<wiki:Variable var='redirect' default='' />" />
+ <wiki:CsrfProtection/>
<div class="form-group">
<span class="form-col-20 control-label"></span>
diff --git a/jspwiki-war/src/main/webapp/templates/default/SearchBox.jsp b/jspwiki-war/src/main/webapp/templates/default/SearchBox.jsp
index cf7144e32..53df644a2 100644
--- a/jspwiki-war/src/main/webapp/templates/default/SearchBox.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/SearchBox.jsp
@@ -28,6 +28,7 @@
id="searchForm" tabindex="0" role="search"
accept-charset="<wiki:ContentEncoding />">
+ <wiki:CsrfProtection/>
<%-- FFS <div onclick="" class="btn">
the onclick="" is needed for hover effect on ipad https://www.codehaven.co.uk/fix-css-hover-on-iphone-ipad/ --%>
<a href="#" aria-label="<fmt:message key='sbox.search.button'/>" class="btn">
diff --git a/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp b/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp
index 1ce74e48d..4b7ab6c63 100644
--- a/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp
@@ -105,13 +105,13 @@
--%>
<wiki:UserCheck status="authenticated">
<a href="<wiki:Link jsp='Logout.jsp' format='url' />"
- class="btn btn-default btn-block logout" data-modal=".logout > .modal">
+ class="btn btn-default btn-block logout" data-modal="+ .modal">
<span class="icon-signout"></span> <fmt:message key="actions.logout"/>
- <div class="modal">
- <h4><fmt:message key="actions.logout"/></h4>
- <p><fmt:message key='actions.confirmlogout'/></p>
- </div>
</a>
+ <div class="modal">
+ <h4><fmt:message key="actions.logout"/></h4>
+ <p><fmt:message key='actions.confirmlogout'/></p>
+ </div>
</wiki:UserCheck>
</li>
</ul>
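Review bot: The logout action on the `<a href="<wiki:Link jsp='Logout.jsp' format='url' />"` line stays a plain GET link with no token, while the rest of this commit adds `<wiki:CsrfProtection/>` to the POST forms; moving the confirmation `<div class="modal">` out of the anchor and switching to `data-modal="+ .modal"` does not change that. Logout is state-changing, so if Logout.jsp is meant to apply the same check it would need to be reached through a small POST form carrying the tag. If a forced logout is accepted as low impact here, a one-line comment saying so would keep the next reader from re-raising it.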
diff --git a/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp b/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp
index a8e2b0d46..8eb39bdcb 100644
--- a/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp
@@ -84,6 +84,7 @@
<form action="<wiki:Link jsp='Workflow.jsp' format='url'/>"
id="decision.${decision.id}"
method="POST" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input type="hidden" name="action" value="decide" />
<input type="hidden" name="id" value="${decision.id}" />
<c:forEach var="outcome" items="${decision.availableOutcomes}">
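Review bot: The decision form keeps a hard-coded `accept-charset="UTF-8"` while the other forms this commit touches (PreferencesTab.jsp, ProfileTab.jsp, UserManagement.jsp) declare `accept-charset="<wiki:ContentEncoding />"`; the same applies to the workflow abort form in the next hunk and to both Admin.jsp forms in AdminTemplate.jsp. The configured content encoding is presumably what the request handlers decode with, so using the tag in all four forms keeps the posted fields, token included, decoded consistently. This is a consistency point only; the enclosing `<form>` bodies continue outside the hunks.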
@@ -163,6 +164,7 @@
<form id="workflow.${workflow.id}"
action="<wiki:Link jsp='Workflow.jsp' format='url'/>"
method="POST" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input class="btn btn-danger btn-xs" type="submit" name="submit" value="<fmt:message key="outcome.step.abort" />" />
<input type="hidden" name="action" value="abort" />
<input type="hidden" name="id" value="${workflow.id}" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/admin/AdminTemplate.jsp b/jspwiki-war/src/main/webapp/templates/default/admin/AdminTemplate.jsp
index c3b4f826a..184f2e626 100644
--- a/jspwiki-war/src/main/webapp/templates/default/admin/AdminTemplate.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/admin/AdminTemplate.jsp
@@ -56,6 +56,7 @@ in your <code>jspwiki.properties</code> file.</div>
<div class="formcontainer">
<form action="Admin.jsp" method="post" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input type="hidden" name="tab-admin" value="core"/>
<input type="hidden" name="tab-core" value="${ab.title}" />
<input type="hidden" name="bean" value="${ab.id}" />
@@ -88,6 +89,7 @@ in your <code>jspwiki.properties</code> file.</div>
<div class="formcontainer">
<form action="Admin.jsp" method="post" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
<input type="hidden" name="tab-admin" value="editors"/>
<input type="hidden" name="tab-editors" value="${ab.title}" />
<%
diff --git a/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp b/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp
index abd32b545..30217d23c 100644
--- a/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp
@@ -76,6 +76,7 @@ function addNew()
id="adminuserform"
method="post" accept-charset="<wiki:ContentEncoding/>"
enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
<input type="hidden" name='bean' value='org.apache.wiki.ui.admin.beans.UserBean'/>
<input type="hidden" id="loginid" name="loginid" value="" />
<table>
@@ -131,7 +132,7 @@ function addNew()
</table>
<div id="useractions">
- <input type="submit" name="action" value="Remove" data-modal="#useractions > .modal" />
+ <input type="submit" name="action" value="Remove" data-modal="+ .modal" />
<div class="modal">
<p>Are you sure you wish to remove this user?</p>
</div>
diff --git a/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp b/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp
index 8aceb2298..5539cb90d 100644
--- a/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp
@@ -100,6 +100,7 @@ String.I18N.PREFIX = "javascript.";
<meta name="wikiUserName" content="<wiki:UserName />" />
<meta name="wikiTemplateUrl" content='<wiki:Link format="url" templatefile="" />' />
<meta name="wikiApplicationName" content='<wiki:Variable var="ApplicationName" />' />
+<wiki:CsrfProtection format="meta" />
<%--CHECKME
<wiki:link> seems not to lookup the right jsp from the right template directory
EG when a templatefile is not present, the generated link should point to the default template.
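Review bot: The `<wiki:CsrfProtection format="meta" />` line publishes the token in the document head without a comment on who consumes it or under what conditions; presumably the client-side scripts read it for scripted POST requests. Worth recording next to it that a `<meta>` value is readable by any script running on the page, so the protection is only as strong as the template's XSS posture, and that pages emitting it must not be served as publicly cacheable or a shared cache could hand one user's token to another. Suggested comment: `<%-- CSRF token for scripted requests; the head is now per-session, so these pages must stay private/no-store --%>`.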
diff --git a/jspwiki-war/src/main/webapp/templates/default/editors/CKeditor.jsp b/jspwiki-war/src/main/webapp/templates/default/editors/CKeditor.jsp
index 0e76da44b..6a973858f 100644
--- a/jspwiki-war/src/main/webapp/templates/default/editors/CKeditor.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/editors/CKeditor.jsp
@@ -134,6 +134,7 @@
id="editform"
enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
<%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%>
<input type="hidden" name="page" value="<wiki:Variable var='pagename' />" />
<input type="hidden" name="action" value="save" />
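Review bot: The added `<wiki:CsrfProtection/>` line sits just above the `<%-- Edit.jsp relies on these being found. ... --%>` comment but is not covered by it, and the identical insertion is repeated in TinyMCE.jsp, plain.jsp, wysiwyg.jsp and preview.jsp. Extending the existing comment to `<%-- Edit.jsp relies on these being found, including the CSRF token. So be careful, if you make changes. --%>` records the dependency in each editor; preview.jsp's variant should name Comment.jsp as well, since its comment already lists both handlers. Whether Edit.jsp rejects a submission that lacks the token cannot be seen from this diff, and the enclosing `<form>` opens outside the hunk.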
diff --git a/jspwiki-war/src/main/webapp/templates/default/editors/TinyMCE.jsp b/jspwiki-war/src/main/webapp/templates/default/editors/TinyMCE.jsp
index 9fd7c8a41..ec156fa62 100644
--- a/jspwiki-war/src/main/webapp/templates/default/editors/TinyMCE.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/editors/TinyMCE.jsp
@@ -136,6 +136,7 @@
id="editform"
enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
<%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%>
<input type="hidden" name="page" value="<wiki:Variable var='pagename' />" />
<input type="hidden" name="action" value="save" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/editors/plain.jsp b/jspwiki-war/src/main/webapp/templates/default/editors/plain.jsp
index 7b10ced7f..0187b60db 100644
--- a/jspwiki-war/src/main/webapp/templates/default/editors/plain.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/editors/plain.jsp
@@ -84,6 +84,7 @@
id="editform"
enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
<%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%>
<input type="hidden" name="page" value="<wiki:Variable var='pagename' />" />
<input type="hidden" name="action" value="save" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/editors/preview.jsp b/jspwiki-war/src/main/webapp/templates/default/editors/preview.jsp
index f39a0af1c..1baf06904 100644
--- a/jspwiki-war/src/main/webapp/templates/default/editors/preview.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/editors/preview.jsp
@@ -45,7 +45,7 @@
id="editform"
enctype="application/x-www-form-urlencoded">
-
+ <wiki:CsrfProtection/>
<%-- Edit.jsp & Comment.jsp rely on these being found. So be careful, if you make changes. --%>
<input type="hidden" name="author" value="${author}" />
<input type="hidden" name="link" value="${link}" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/editors/wysiwyg.jsp b/jspwiki-war/src/main/webapp/templates/default/editors/wysiwyg.jsp
index 387bd70c0..2c4617a50 100644
--- a/jspwiki-war/src/main/webapp/templates/default/editors/wysiwyg.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/editors/wysiwyg.jsp
@@ -128,6 +128,7 @@
id="editform"
enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
<%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%>
<input type="hidden" name="page" value="<wiki:Variable var='pagename' />" />
<input type="hidden" name="action" value="save" />