This is an automated email from the ASF dual-hosted git repository. juanpablo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 25f3c707a9c6c5541e389beb7a9c56acccb4b3f0
Author: Juan Pablo Santos RodrÃguez <juanpablo.san...@gmail.com>
AuthorDate: Tue Jul 12 22:58:25 2022 +0200
Ensure AJAX requests send the csrf protection parameter
---
jspwiki-war/src/main/scripts/jspwiki-common.js | 4 ++--
jspwiki-war/src/main/scripts/jspwiki-edit.js | 2 +-
jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js | 3 ++-
jspwiki-war/src/main/scripts/wiki/Category.js | 5 ++++-
jspwiki-war/src/main/scripts/wiki/Wiki.js | 5 +++--
5 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/jspwiki-war/src/main/scripts/jspwiki-common.js b/jspwiki-war/src/main/scripts/jspwiki-common.js
index 10fd693f5..aef3516cd 100644
--- a/jspwiki-war/src/main/scripts/jspwiki-common.js
+++ b/jspwiki-war/src/main/scripts/jspwiki-common.js
@@ -528,7 +528,7 @@ var Wiki = {
xmlHttpRequest.onreadystatechange = getReadyStateHandler(xmlHttpRequest,responseId,loading);
xmlHttpRequest.open('post', url, true);
xmlHttpRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
- xmlHttpRequest.send("params="+params);
+ xmlHttpRequest.send("X-XSRF-TOKEN=" + Wiki.CsrfProtection + "¶ms="+params);
},
ajaxJsonCall: function (url, params, callback) {
@@ -537,7 +537,7 @@ var Wiki = {
xmlHttpRequest.onreadystatechange = getReadyStateHandler(xmlHttpRequest,null,null,callback);
xmlHttpRequest.open('post', url, true);
xmlHttpRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
- xmlHttpRequest.send("params="+params);
+ xmlHttpRequest.send("X-XSRF-TOKEN=" + Wiki.CsrfProtection + "¶ms="+params);
}
}
diff --git a/jspwiki-war/src/main/scripts/jspwiki-edit.js b/jspwiki-war/src/main/scripts/jspwiki-edit.js
index bb975ac33..0cb72f79e 100644
--- a/jspwiki-war/src/main/scripts/jspwiki-edit.js
+++ b/jspwiki-war/src/main/scripts/jspwiki-edit.js
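Review bot: The token is concatenated into the form body without `encodeURIComponent`, so a `Wiki.CsrfProtection` value containing `+`, `&`, `=` or `%` would be mangled by the `application/x-www-form-urlencoded` parsing on the server and the request rejected; the same unencoded concatenation appears in the `ajaxJsonCall` hunk directly below and in the `.send(...)` hunk of wiki/Wiki.js. Suggested line: `xmlHttpRequest.send("X-XSRF-TOKEN=" + encodeURIComponent(Wiki.CsrfProtection) + "&params=" + params);`. As displayed here the added string reads `¶ms=`, which looks like the mailing-list renderer turning `&para` into the `¶` entity rather than something in the source; if the committed file really contained that character the `params` field would never be sent, so it is worth confirming against the repository. The enclosing method starts before this hunk.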
@@ -507,7 +507,7 @@ var EditTools =
$('previewSpin').show();
new Ajax( Wiki.TemplateUrl + "/AJAXPreview.jsp?page="+Wiki.PageName, {
method:'get', //use "get" to avoid mootools bug on XHR header "CONNECTION:CLOSE"
- data: 'wikimarkup=' + encodeURIComponent(this.textarea.value),
+ data: 'X-XSRF-TOKEN=' + $('X-XSRF-TOKEN').get('value') + '&wikimarkup=' + encodeURIComponent(this.textarea.value),
update: preview,
onComplete: function(){
$('previewSpin').hide();
diff --git a/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js b/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js
index e6bf49b7b..9642341ca 100644
--- a/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js
+++ b/jspwiki-war/src/main/scripts/wiki-edit/Wiki.Edit.js
@@ -209,7 +209,8 @@ function livepreview(content, preview, previewToggle){
url: wiki.XHRPreview,
data: {
page: wiki.PageName,
- wikimarkup: content
+ wikimarkup: content,
+ 'X-XSRF-TOKEN': wiki.CsrfProtection
},
update: preview,
onRequest: renderPreview,
diff --git a/jspwiki-war/src/main/scripts/wiki/Category.js b/jspwiki-war/src/main/scripts/wiki/Category.js
index da24d8c7f..5a1c59c1d 100644
--- a/jspwiki-war/src/main/scripts/wiki/Category.js
+++ b/jspwiki-war/src/main/scripts/wiki/Category.js
@@ -59,7 +59,10 @@ Wiki.Category = function(element, pagename, xhrURL){
new Request.HTML({
url: xhrURL, //+"?page="+pagename,
- data: { page: decodeURIComponent(pagename) },
+ data: {
+ page: decodeURIComponent(pagename),
+ 'X-XSRF-TOKEN': Wiki.CsrfProtection
+ },
update: popup,
onSuccess: function(){
popup.swapClass("loading", "active");
diff --git a/jspwiki-war/src/main/scripts/wiki/Wiki.js b/jspwiki-war/src/main/scripts/wiki/Wiki.js
index dc0211ee6..6b9c432da 100644
--- a/jspwiki-war/src/main/scripts/wiki/Wiki.js
+++ b/jspwiki-war/src/main/scripts/wiki/Wiki.js
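Review bot: `$('X-XSRF-TOKEN').get('value')` throws a TypeError when no element with that id is present on the page, which aborts the preview before the request is even built; the other four files in this commit read the token from the `Wiki` object instead, so `data: 'X-XSRF-TOKEN=' + encodeURIComponent(Wiki.CsrfProtection) + '&wikimarkup=' + encodeURIComponent(this.textarea.value),` would be both more robust and consistent, and also URL-encodes the token the way `wikimarkup` already is. With `method:'get'` the `data` string is, as far as I know of MooTools' Ajax, appended to the request URL, so the token travels in the query string where proxy and server access logs and Referer headers can record it; the comment on the previous line explains why GET was chosen, so that trade-off deserves a short comment beside the added line, e.g. `// token is sent in the query string because of the GET workaround above`. The enclosing method starts and ends outside this hunk.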
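Review bot: The field name `'X-XSRF-TOKEN'` is now spelled as a bare string literal in five files (here, wiki/Category.js, wiki/Wiki.js and the two string-built bodies in jspwiki-common.js and jspwiki-edit.js), and the token itself is reached three different ways (`wiki.CsrfProtection`, `Wiki.CsrfProtection`, `this.CsrfProtection`); a single shared constant for the name and one accessor for the value would keep the parameter from drifting from whatever the server side expects. A comment on the added line such as `// parameter name must match the one the server-side CSRF check reads` would also tell the next reader why a header-style name is being sent as a form field. `livepreview` starts and ends outside this hunk.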
@@ -657,7 +657,8 @@ var Wiki = {
new Request({
url: wiki.XHRHtml2Markup,
data: {
- htmlPageText: getContent()
+ htmlPageText: getContent(),
+ 'X-XSRF-TOKEN': wiki.CsrfProtection
},
onSuccess: function(responseText){
preview( responseText.trim() );
@@ -819,7 +820,7 @@ var Wiki = {
throw new Error("Wiki rpc error: " + error);
}
- }).send( "params=" + params );
+ }).send( "X-XSRF-TOKEN=" + this.CsrfProtection + "¶ms=" + params );
}
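Review bot: `this.CsrfProtection` in the `.send(...)` call only resolves to the token when the method is invoked as `Wiki.<method>(...)`; if it is ever passed as a callback or called through an alias, `this` is no longer the `Wiki` object, the token becomes `undefined` and the request is silently built with `X-XSRF-TOKEN=undefined`, which the server will reject. The hunk at line 657 of the same file reads `wiki.CsrfProtection` through what appears to be a file-level alias, so `}).send( "X-XSRF-TOKEN=" + encodeURIComponent(wiki.CsrfProtection) + "&params=" + params );` would match it, not depend on the call site, and also encode the token (the `¶ms` shown here looks like a rendering of `&params`, worth confirming in the repository). The enclosing method starts before this hunk.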