This is an automated email from the ASF dual-hosted git repository.

juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git

commit 25f3c707a9c6c5541e389beb7a9c56acccb4b3f0
Author: Juan Pablo Santos Rodríguez <juanpablo.san...@gmail.com>
AuthorDate: Tue Jul 12 22:58:25 2022 +0200

    Ensure AJAX requests send the CSRF protection parameter
---
 jspwiki-war/src/main/scripts/jspwiki-common.js      | 4 ++--
 jspwiki-war/src/main/scripts/jspwiki-edit.js        | 2 +-
 jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js | 3 ++-
 jspwiki-war/src/main/scripts/wiki/Category.js       | 5 ++++-
 jspwiki-war/src/main/scripts/wiki/Wiki.js           | 5 +++--
 5 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/jspwiki-war/src/main/scripts/jspwiki-common.js 
b/jspwiki-war/src/main/scripts/jspwiki-common.js
index 10fd693f5..aef3516cd 100644
--- a/jspwiki-war/src/main/scripts/jspwiki-common.js
+++ b/jspwiki-war/src/main/scripts/jspwiki-common.js
@@ -528,7 +528,7 @@ var Wiki = {
                xmlHttpRequest.onreadystatechange = 
getReadyStateHandler(xmlHttpRequest,responseId,loading);
                xmlHttpRequest.open('post', url, true);
                xmlHttpRequest.setRequestHeader("Content-Type", 
"application/x-www-form-urlencoded");
-               xmlHttpRequest.send("params="+params);
+               xmlHttpRequest.send("X-XSRF-TOKEN=" + Wiki.CsrfProtection + 
"&params="+params);
        },
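Review bot: The token is concatenated raw into the form-encoded body on the added `send(` line, so any `&`, `=`, `+` or `%` in `Wiki.CsrfProtection` would split or corrupt the name/value pair and the server-side check would reject the request; wrap it as `xmlHttpRequest.send("X-XSRF-TOKEN=" + encodeURIComponent(Wiki.CsrfProtection) + "&params=" + params);`. `params` is appended unencoded as well, but that predates this change. The enclosing method begins above the hunk.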
 
        ajaxJsonCall: function (url, params, callback) {
@@ -537,7 +537,7 @@ var Wiki = {
                xmlHttpRequest.onreadystatechange = 
getReadyStateHandler(xmlHttpRequest,null,null,callback);
                xmlHttpRequest.open('post', url, true);
                xmlHttpRequest.setRequestHeader("Content-Type", 
"application/x-www-form-urlencoded");
-               xmlHttpRequest.send("params="+params);
+               xmlHttpRequest.send("X-XSRF-TOKEN=" + Wiki.CsrfProtection + 
"&params="+params);
        }
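Review bot: Same issue as the first hunk: `Wiki.CsrfProtection` is interpolated into the urlencoded body without escaping on the added `send(` line, so the token is only delivered intact if it happens to contain no reserved characters. Change it to `xmlHttpRequest.send("X-XSRF-TOKEN=" + encodeURIComponent(Wiki.CsrfProtection) + "&params=" + params);`. The signature of `ajaxJsonCall` is visible at the top of the hunk, but whether `Wiki.CsrfProtection` is defined before this is called cannot be seen here.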
 }
 
diff --git a/jspwiki-war/src/main/scripts/jspwiki-edit.js 
b/jspwiki-war/src/main/scripts/jspwiki-edit.js
index bb975ac33..0cb72f79e 100644
--- a/jspwiki-war/src/main/scripts/jspwiki-edit.js
+++ b/jspwiki-war/src/main/scripts/jspwiki-edit.js
@@ -507,7 +507,7 @@ var EditTools =
                $('previewSpin').show();
                new Ajax( Wiki.TemplateUrl + 
"/AJAXPreview.jsp?page="+Wiki.PageName, {
                    method:'get',   //use "get" to avoid mootools bug on XHR 
header "CONNECTION:CLOSE"
-                       data: 'wikimarkup=' + 
encodeURIComponent(this.textarea.value),
+                       data: 'X-XSRF-TOKEN=' + $('X-XSRF-TOKEN').get('value') 
+ '&wikimarkup=' + encodeURIComponent(this.textarea.value),
                        update: preview,
                        onComplete: function(){
                                $('previewSpin').hide();
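Review bot: The added `data:` line puts the CSRF token into the query string, because the request is sent with `method:'get'` (kept, per the comment, to work around a MooTools bug), so the token ends up in the URL and therefore in server access logs, browser history and any Referer header — the one place a CSRF token should not travel. If the server-side filter also accepts the token from a request header (its name suggests so, but that is not visible here), send it as `headers: {'X-XSRF-TOKEN': $('X-XSRF-TOKEN').get('value')},` and keep `data` as before; otherwise at least pass it through `encodeURIComponent`. Note too that `$('X-XSRF-TOKEN')` returns null when the hidden field is absent, in which case `.get('value')` throws before the preview request is even sent. The enclosing preview function starts above the hunk.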
diff --git a/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js 
b/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js
index e6bf49b7b..9642341ca 100644
--- a/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js
+++ b/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js
@@ -209,7 +209,8 @@ function livepreview(content, preview, previewToggle){
             url: wiki.XHRPreview,
             data: {
                 page: wiki.PageName,
-                wikimarkup: content
+                wikimarkup: content,
+                'X-XSRF-TOKEN': wiki.CsrfProtection
             },
             update: preview,
             onRequest: renderPreview,
diff --git a/jspwiki-war/src/main/scripts/wiki/Category.js 
b/jspwiki-war/src/main/scripts/wiki/Category.js
index da24d8c7f..5a1c59c1d 100644
--- a/jspwiki-war/src/main/scripts/wiki/Category.js
+++ b/jspwiki-war/src/main/scripts/wiki/Category.js
@@ -59,7 +59,10 @@ Wiki.Category = function(element, pagename, xhrURL){
 
         new Request.HTML({
             url: xhrURL, //+"?page="+pagename,
-            data: { page: decodeURIComponent(pagename) },
+            data: {
+                page: decodeURIComponent(pagename),
+                'X-XSRF-TOKEN': Wiki.CsrfProtection
+            },
             update: popup,
             onSuccess: function(){
                 popup.swapClass("loading", "active");
diff --git a/jspwiki-war/src/main/scripts/wiki/Wiki.js 
b/jspwiki-war/src/main/scripts/wiki/Wiki.js
index dc0211ee6..6b9c432da 100644
--- a/jspwiki-war/src/main/scripts/wiki/Wiki.js
+++ b/jspwiki-war/src/main/scripts/wiki/Wiki.js
@@ -657,7 +657,8 @@ var Wiki = {
             new Request({
                 url: wiki.XHRHtml2Markup,
                 data: {
-                    htmlPageText: getContent()
+                    htmlPageText: getContent(),
+                    'X-XSRF-TOKEN': wiki.CsrfProtection
                 },
                 onSuccess: function(responseText){
                     preview( responseText.trim() );
@@ -819,7 +820,7 @@ var Wiki = {
                     throw new Error("Wiki rpc error: " + error);
                 }
 
-            }).send( "params=" + params );
+            }).send( "X-XSRF-TOKEN=" + this.CsrfProtection + "&params=" + 
params );
 
         }
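Review bot: The token is read via `this.CsrfProtection` on the changed `.send(` line, whereas the hunk at line 657 of the same file reads `wiki.CsrfProtection`; if this method is ever invoked as a detached callback or event handler, `this` is not the `Wiki` object and the body is sent with the literal string `undefined` as the token. Assuming the `wiki` alias is in scope here as it is at line 659 (the enclosing function starts above the hunk), use `}).send( "X-XSRF-TOKEN=" + encodeURIComponent(wiki.CsrfProtection) + "&params=" + params );`, which also fixes the missing URL-encoding of the token value.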
 
