oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-09-15 18:57:05 +00:00
Code Wiki Activity

Protect mass_action with a CSRF token

Browse source
This commit is contained in:
Yassine Guedidi 2025-03-30 05:58:54 +02:00
parent 27f0d94db7
commit 5ea5115a72
3 changed files with 24 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/Wallabag/CoreBundle/Controller/EntryController.php
View file

@ -53,12 +53,16 @@ class EntryController extends AbstractController
}
/**
* @Route("/mass", name="mass_action")
* @Route("/mass", name="mass_action", methods={"POST"})
*
* @return Response
*/
public function massAction(Request $request, TagRepository $tagRepository)
{
if (!$this->isCsrfTokenValid('mass-action', $request->request->get('token'))) {
throw new BadRequestHttpException('Bad CSRF token.');
}
$values = $request->request->all();
$tagsToAdd = [];

4
src/Wallabag/CoreBundle/Resources/views/Entry/entries.html.twig
View file

@ -26,7 +26,9 @@
{% if current_route == 'homepage' %}
{% set current_route = 'unread' %}
{% endif %}
<form id="form_mass_action" name="form_mass_action" action="{{ path('mass_action', {redirect: current_path}) }}" method="post"></form>
<form id="form_mass_action" name="form_mass_action" action="{{ path('mass_action', {redirect: current_path}) }}" method="post">
<input type="hidden" name="token" value="{{ csrf_token('mass-action') }}"/>
</form>
<div class="results">
<div class="nb-results">
{{ 'entry.list.number_on_the_page'|trans({'%count%': entries.count}) }}