Posted to commits@jspwiki.apache.org by ju...@apache.org on 2022/07/12 21:03:49 UTC
[jspwiki] 16/25: FormOpen generates csrf protection hidden input
This is an automated email from the ASF dual-hosted git repository.
juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit d42623bcc66aaead9281de544717fe2211c4a149
Author: Juan Pablo Santos Rodríguez <ju...@gmail.com>
AuthorDate: Tue Jul 12 22:56:59 2022 +0200
FormOpen generates csrf protection hidden input
---
jspwiki-main/src/main/java/org/apache/wiki/forms/FormOpen.java | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/forms/FormOpen.java b/jspwiki-main/src/main/java/org/apache/wiki/forms/FormOpen.java
index 5d6bdf2b5..4e6cb1e42 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/forms/FormOpen.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/forms/FormOpen.java
@@ -24,6 +24,7 @@ import org.apache.wiki.api.core.Context;
import org.apache.wiki.api.core.ContextEnum;
import org.apache.wiki.api.exceptions.PluginException;
import org.apache.wiki.api.plugin.Plugin;
+import org.apache.wiki.http.filter.CsrfProtectionFilter;
import org.apache.wiki.preferences.Preferences;
import java.text.MessageFormat;
@@ -90,7 +91,9 @@ public class FormOpen extends FormElement {
submitServlet = ctx.getURL( ContextEnum.PAGE_VIEW.getRequestContext(), sourcePage );
String method = params.get( PARAM_METHOD );
- if( method == null ) method="post";
+ if( method == null ) {
+ method="post";
+ }
if( !( method.equalsIgnoreCase( "get" ) || method.equalsIgnoreCase( "post" ) ) ) {
throw new PluginException( rb.getString( "formopen.postorgetonly" ) );
@@ -125,7 +128,8 @@ public class FormOpen extends FormElement {
"<form action=\"" + submitServlet + "\" name=\"" + formName + "\" " +
"accept-charset=\"" + ctx.getEngine().getContentEncoding() + "\" " +
"method=\"" + method + "\" enctype=\"application/x-www-form-urlencoded\">\n" +
- " <input type=\"hidden\" name=\"" + PARAM_FORMNAMEHIDDEN + "\" value=\"" + formName + "\"/>\n";
+ " <input type=\"hidden\" name=\"" + PARAM_FORMNAMEHIDDEN + "\" value=\"" + formName + "\"/>\n" +
+ " <input type=\"hidden\" name=\"" + CsrfProtectionFilter.ANTICSRF_PARAM + "\" value=\"" + ctx.getWikiSession().antiCsrfToken() + "\"/>\n";
}
}
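Review bot: The new hidden input at the end of the hunk concatenates `ctx.getWikiSession().antiCsrfToken()` directly into a `value` attribute with no HTML-attribute escaping, following the existing pattern used for `formName`; if the token format is not guaranteed to be attribute-safe (its generator is not visible here), a `"` or `<` in it would break the form markup, so either escape it or document the token's character set next to this line. Separately, `method` may be `get` (validated earlier in the file), in which case the token is submitted as a query parameter and can surface in server logs, browser history and Referer headers; if `CsrfProtectionFilter` only validates state-changing POST requests, consider emitting the input only for POST forms, e.g. guarding the new line with `"post".equalsIgnoreCase( method ) ? ... : ""`. The string assignment this line appends to begins before the hunk.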