Protect delete_entry with a CSRF token

src/Wallabag/CoreBundle/Controller/EntryController.php

@@ -501,12 +501,16 @@ class EntryController extends AbstractController
     /**
      * Deletes entry and redirect to the homepage or the last viewed page.
      *
-     * @Route("/delete/{id}", requirements={"id" = "\d+"}, name="delete_entry")
+     * @Route("/delete/{id}", name="delete_entry", methods={"POST"}, requirements={"id" = "\d+"})
      *
      * @return RedirectResponse
      */
     public function deleteEntryAction(Request $request, Entry $entry)
     {
+        if (!$this->isCsrfTokenValid('delete-entry', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
         $this->checkUserAction($entry);
 
         // generates the view url for this entry to check for redirection later

src/Wallabag/CoreBundle/Resources/views/Entry/_card_actions.html.twig

@@ -32,7 +32,13 @@
             </form>
         </li>
         <li>
-            <a title="{{ 'entry.list.delete'|trans }}" onclick="return confirm('{{ 'entry.confirm.delete'|trans|escape('js') }}')" data-action-confirm="{{ 'entry.confirm.delete'|trans }}" class="tool grey-text delete" href="{{ path('delete_entry', {'id': entry.id, redirect: current_path}) }}" data-action="delete" data-entry-id="{{ entry.id }}"><i class="material-icons">delete</i></a>
+            <form action="{{ path('delete_entry', {'id': entry.id, redirect: current_path}) }}" method="post" class="inline-block">
+                <input type="hidden" name="token" value="{{ csrf_token('delete-entry') }}"/>
+
+                <button type="submit" class="btn-link tool grey-text" title="{{ 'entry.list.delete'|trans }}" onclick="return confirm('{{ 'entry.confirm.delete'|trans|escape('js') }}')">
+                    <i class="material-icons">delete</i>
+                </button>
+            </form>
         </li>
     </ul>
 </div>

src/Wallabag/CoreBundle/Resources/views/Entry/_card_list.html.twig

@@ -29,7 +29,13 @@
                     <i class="material-icons">{% if entry.isStarred == 0 %}star_border{% else %}star{% endif %}</i>
                 </button>
             </form>
-            <a title="{{ 'entry.list.delete'|trans }}" onclick="return confirm('{{ 'entry.confirm.delete'|trans|escape('js') }}')" class="tool grey-text delete" href="{{ path('delete_entry', {'id': entry.id, redirect: current_path}) }}"><i class="material-icons">delete</i></a>
+            <form action="{{ path('delete_entry', {'id': entry.id, redirect: current_path}) }}" method="post" class="inline-block">
+                <input type="hidden" name="token" value="{{ csrf_token('delete-entry') }}"/>
+
+                <button type="submit" class="btn-link tool grey-text" title="{{ 'entry.list.delete'|trans }}" onclick="return confirm('{{ 'entry.confirm.delete'|trans|escape('js') }}')">
+                    <i class="material-icons">delete</i>
+                </button>
+            </form>
         </li>
     </ul>
 </div>

src/Wallabag/CoreBundle/Resources/views/Entry/entry.html.twig

@@ -104,10 +104,14 @@
             <div class="collapsible-body"></div>
         </li>
         <li class="bold border-bottom">
-            <a class="waves-effect collapsible-header delete" onclick="return confirm('{{ 'entry.confirm.delete'|trans|escape('js') }}')" title="{{ 'entry.view.left_menu.delete'|trans }}" href="{{ path('delete_entry', {'id': entry.id, redirect: current_path}) }}">
-                <i class="material-icons small">delete</i>
-                <span>{{ 'entry.view.left_menu.delete'|trans }}</span>
-            </a>
+            <form action="{{ path('delete_entry', {'id': entry.id, redirect: current_path}) }}" method="post">
+                <input type="hidden" name="token" value="{{ csrf_token('delete-entry') }}"/>
+
+                <button type="submit" class="waves-effect collapsible-header delete" onclick="return confirm('{{ 'entry.confirm.delete'|trans|escape('js') }}')" title="{{ 'entry.view.left_menu.delete'|trans }}">
+                    <i class="material-icons small">delete</i>
+                    <span>{{ 'entry.view.left_menu.delete'|trans }}</span>
+                </button>
+            </form>
             <div class="collapsible-body"></div>
         </li>
 
@@ -338,7 +342,15 @@
                       </button>
                   </form>
               </li>
-              <li><a class="btn-floating" href="{{ path('delete_entry', {'id': entry.id, redirect: current_path}) }}" onclick="return confirm('{{ 'entry.confirm.delete'|trans|escape('js') }}')"><i class="material-icons">delete</i></a></li>
+              <li>
+                  <form action="{{ path('delete_entry', {'id': entry.id, redirect: current_path}) }}" method="post" class="inline-block">
+                      <input type="hidden" name="token" value="{{ csrf_token('delete-entry') }}"/>
+
+                      <button type="submit" class="btn-floating" onclick="return confirm('{{ 'entry.confirm.delete'|trans|escape('js') }}')">
+                          <i class="material-icons">delete</i>
+                      </button>
+                  </form>
+              </li>
             </ul>
         </div>
     </div>