This is an automated email from the ASF dual-hosted git repository. juanpablo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit d42623bcc66aaead9281de544717fe2211c4a149
Author: Juan Pablo Santos RodrÃguez <[email protected]>
AuthorDate: Tue Jul 12 22:56:59 2022 +0200
FormOpen generates csrf protection hidden input
---
 jspwiki-main/src/main/java/org/apache/wiki/forms/FormOpen.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/forms/FormOpen.java b/jspwiki-main/src/main/java/org/apache/wiki/forms/FormOpen.java
index 5d6bdf2b5..4e6cb1e42 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/forms/FormOpen.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/forms/FormOpen.java
@@ -24,6 +24,7 @@ import org.apache.wiki.api.core.Context;
 import org.apache.wiki.api.core.ContextEnum;
 import org.apache.wiki.api.exceptions.PluginException;
 import org.apache.wiki.api.plugin.Plugin;
+import org.apache.wiki.http.filter.CsrfProtectionFilter;
 import org.apache.wiki.preferences.Preferences;
 import java.text.MessageFormat;
@@ -90,7 +91,9 @@ public class FormOpen extends FormElement {
 submitServlet = ctx.getURL( ContextEnum.PAGE_VIEW.getRequestContext(), sourcePage );
 String method = params.get( PARAM_METHOD );
- if( method == null ) method="post";
+ if( method == null ) {
+ method="post";
+ }
 if( !( method.equalsIgnoreCase( "get" ) || method.equalsIgnoreCase( "post" ) ) ) {
 throw new PluginException( rb.getString( "formopen.postorgetonly" ) );
@@ -125,7 +128,8 @@ public class FormOpen extends FormElement { "<form action=\"" + submitServlet + "\" name=\"" + formName + "\" " + "accept-charset=\"" + ctx.getEngine().getContentEncoding() + "\" " + "method=\"" + method + "\" enctype=\"application/x-www-form-urlencoded\">\n" + - " <input type=\"hidden\" name=\"" + PARAM_FORMNAMEHIDDEN + "\" value=\"" + formName + "\"/>\n"; + " <input type=\"hidden\" name=\"" + PARAM_FORMNAMEHIDDEN + "\" value=\"" + formName + "\"/>\n" + + " <input type=\"hidden\" name=\"" + CsrfProtectionFilter.ANTICSRF_PARAM + "\" value=\"" + ctx.getWikiSession().antiCsrfToken() + "\"/>\n"; } }
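Review bot: The new hidden input carrying `ctx.getWikiSession().antiCsrfToken()` is appended for every form, including those with `method="get"`, which the validation earlier in this method still accepts. On a GET submission the browser moves the token into the query string, where it persists in history, Referer headers and access logs. Append the token field only for POST forms, for example by guarding that last concatenated line with `if( "post".equalsIgnoreCase( method ) )`. If `submitServlet` can be pointed at a handler outside this wiki (its assignment is only partly visible in this diff), the token should also be limited to same-origin actions so it is not posted to a third party. The enclosing method starts outside the hunk, so both points need checking against the full body.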
