This is an automated email from the ASF dual-hosted git repository. juanpablo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 1f1c94e7776d90a816530028f5065b11cf00e1e6 Author: Juan Pablo Santos RodrÃguez <[email protected]> AuthorDate: Tue Jul 12 22:57:46 2022 +0200 Use new wiki:CsrfProtection tag on JSPs --- jspwiki-war/src/main/webapp/Captcha.jsp | 1 + jspwiki-war/src/main/webapp/Install.jsp | 2 +- jspwiki-war/src/main/webapp/templates/210/AttachmentTab.jsp | 13 +++++++------ jspwiki-war/src/main/webapp/templates/210/DiffTab.jsp | 1 + .../src/main/webapp/templates/210/EditGroupContent.jsp | 3 ++- jspwiki-war/src/main/webapp/templates/210/FindContent.jsp | 2 +- jspwiki-war/src/main/webapp/templates/210/GroupContent.jsp | 1 + jspwiki-war/src/main/webapp/templates/210/GroupTab.jsp | 1 + jspwiki-war/src/main/webapp/templates/210/InfoContent.jsp | 5 ++++- jspwiki-war/src/main/webapp/templates/210/LoginContent.jsp | 4 ++-- .../src/main/webapp/templates/210/NewGroupContent.jsp | 2 +- jspwiki-war/src/main/webapp/templates/210/PageTab.jsp | 1 + .../src/main/webapp/templates/210/PreferencesTab.jsp | 2 ++ jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp | 1 + jspwiki-war/src/main/webapp/templates/210/SearchBox.jsp | 1 + .../src/main/webapp/templates/210/WorkflowContent.jsp | 2 ++ .../src/main/webapp/templates/210/admin/AdminTemplate.jsp | 2 ++ .../src/main/webapp/templates/210/admin/UserManagement.jsp | 1 + jspwiki-war/src/main/webapp/templates/210/commonheader.jsp | 1 + .../src/main/webapp/templates/210/editors/CKeditor.jsp | 3 ++- jspwiki-war/src/main/webapp/templates/210/editors/FCK.jsp | 1 + .../src/main/webapp/templates/210/editors/TinyMCE.jsp | 1 + jspwiki-war/src/main/webapp/templates/210/editors/plain.jsp | 1 + .../src/main/webapp/templates/210/editors/preview.jsp | 1 + .../src/main/webapp/templates/210/editors/wysiwyg.jsp | 1 + .../src/main/webapp/templates/default/AttachmentTab.jsp | 5 ++++- jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp | 1 + .../src/main/webapp/templates/default/EditGroupContent.jsp | 1 + .../src/main/webapp/templates/default/FindContent.jsp | 
1 + jspwiki-war/src/main/webapp/templates/default/GroupTab.jsp | 2 ++ .../src/main/webapp/templates/default/InfoContent.jsp | 5 ++++- .../src/main/webapp/templates/default/LoginContent.jsp | 4 +++- jspwiki-war/src/main/webapp/templates/default/PageTab.jsp | 1 + .../src/main/webapp/templates/default/PreferencesTab.jsp | 1 + .../src/main/webapp/templates/default/ProfileTab.jsp | 1 + jspwiki-war/src/main/webapp/templates/default/SearchBox.jsp | 1 + jspwiki-war/src/main/webapp/templates/default/UserBox.jsp | 10 +++++----- .../src/main/webapp/templates/default/WorkflowContent.jsp | 2 ++ .../main/webapp/templates/default/admin/AdminTemplate.jsp | 2 ++ .../main/webapp/templates/default/admin/UserManagement.jsp | 3 ++- .../src/main/webapp/templates/default/commonheader.jsp | 1 + .../src/main/webapp/templates/default/editors/CKeditor.jsp | 1 + .../src/main/webapp/templates/default/editors/TinyMCE.jsp | 1 + .../src/main/webapp/templates/default/editors/plain.jsp | 1 + .../src/main/webapp/templates/default/editors/preview.jsp | 2 +- .../src/main/webapp/templates/default/editors/wysiwyg.jsp | 1 + 46 files changed, 77 insertions(+), 24 deletions(-) diff --git a/jspwiki-war/src/main/webapp/Captcha.jsp b/jspwiki-war/src/main/webapp/Captcha.jsp index f44d94fb0..ed33fdf10 100644 --- a/jspwiki-war/src/main/webapp/Captcha.jsp +++ b/jspwiki-war/src/main/webapp/Captcha.jsp @@ -110,6 +110,7 @@ <p><fmt:message key="captcha.description" /></p> <form action="<wiki:Link jsp='Captcha.jsp' format='url'/>" method="post" id="mainForm" style="display: none;"> + <wiki:CsrfProtection/> <input type="hidden" value="foo" name="text" /> <input type="hidden" value='<%=reqPage%>' name='page'/> <script type="text/javascript" src="http://challenge.asirra.com/js/AsirraClientSide.js"></script> diff --git a/jspwiki-war/src/main/webapp/Install.jsp b/jspwiki-war/src/main/webapp/Install.jsp index 29fc2f319..6b2913914 100644 --- a/jspwiki-war/src/main/webapp/Install.jsp 
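Review bot: The Captcha form that now carries `<wiki:CsrfProtection/>` pulls `http://challenge.asirra.com/js/AsirraClientSide.js` over plain HTTP two lines below the token, so an on-path attacker can substitute that script and read the freshly rendered token (and anything else on the page) from the DOM; the token only buys something here if the script is served over HTTPS from a trusted origin or self-hosted, so I would change the `src` to an `https://` URL or bundle the script. The same form writes `<%=reqPage%>` into an attribute without escaping, and if `reqPage` is taken from the request that is an attribute break-out; `value="<c:out value='<%= reqPage %>'/>"` closes it. The form's closing tag is outside the hunk.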
+++ b/jspwiki-war/src/main/webapp/Install.jsp @@ -109,7 +109,7 @@ if ( !installer.adminExists() ) <div class="formcontainer"> <form action="Install.jsp" method="post"> - + <wiki:CsrfProtection/> <!-- Page directory --> <h3><fmt:message key="install.jsp.basics.title" /></h3> diff --git a/jspwiki-war/src/main/webapp/templates/210/AttachmentTab.jsp b/jspwiki-war/src/main/webapp/templates/210/AttachmentTab.jsp index 9439e5b72..c732ca2b3 100644 --- a/jspwiki-war/src/main/webapp/templates/210/AttachmentTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/AttachmentTab.jsp @@ -29,18 +29,19 @@ <% int MAXATTACHNAMELENGTH = 30; Context c = Context.findContext(pageContext); - String progressId = c.getEngine().getManager( ProgressManager.class ).getNewProgressIdentifier(); %> +<c:set var="progressId" value="<%= c.getEngine().getManager( ProgressManager.class ).getNewProgressIdentifier() %>" /> +<c:set var="csrfProtection" value="<%= c.getWikiSession().antiCsrfToken() %>" /> <div id="addattachment"> <h3><fmt:message key="attach.add"/></h3> <wiki:Permission permission="upload"> - <form action="<wiki:Link jsp='attach' format='url'><wiki:Param name='progressid' value='<%=progressId%>'/></wiki:Link>" + <form action="<wiki:Link jsp='attach' format='url'><wiki:Param name='progressid' value='${progressId}'/><wiki:Param name='X-XSRF-TOKEN' value='${csrfProtection}'/></wiki:Link>" class="wikiform" id="uploadform" method="post" enctype="multipart/form-data" accept-charset="<wiki:ContentEncoding/>" - onsubmit="return Wiki.submitUpload(this, '<%=progressId%>');" > + onsubmit="return Wiki.submitUpload(this, '${progressId}');" > <table> <tr> <td colspan="2"><div class="formhelp"><fmt:message key="attach.add.info" /></div></td> @@ -55,7 +56,7 @@ <input type="hidden" name="nextpage" value="<wiki:UploadLink format="url"/>" /></td> </tr> - <tr> + <tr> <td></td> <td> <input type="hidden" name="page" value="<wiki:Variable var="pagename"/>" /> 
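Review bot: The new `<wiki:Param name='X-XSRF-TOKEN' value='${csrfProtection}'/>` places the session's anti-CSRF token in the form's action URL, so it lands in browser history, in the Referer of any link followed from the response, and in server and proxy access logs — a token copied from any of those is a CSRF bypass for the rest of that session. Presumably this is because the multipart body is consumed by the attach servlet before the hidden field added further down can be checked; if so, the servlet should read the token from the multipart part (or from an `X-XSRF-TOKEN` request header set in `Wiki.submitUpload`) rather than the query string, and the page should at least send `Referrer-Policy: same-origin` to limit the leak. As written the same token is also emitted twice in this form (URL and hidden input).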
@@ -66,6 +67,7 @@ </tr> </table> + <wiki:CsrfProtection/> </form> <wiki:Messages div="error" /> @@ -89,9 +91,8 @@ id="deleteForm" style="display:none;" method="post" accept-charset="<wiki:ContentEncoding />" onsubmit="return(confirm('<fmt:message key="attach.deleteconfirm"/>') && Wiki.submitOnce(this) );" > - + <wiki:CsrfProtection/> <input id="delete-all" name="delete-all" type="submit" value="Delete" /> - </form> </wiki:Permission> diff --git a/jspwiki-war/src/main/webapp/templates/210/DiffTab.jsp b/jspwiki-war/src/main/webapp/templates/210/DiffTab.jsp index 85bab3a42..257bea798 100644 --- a/jspwiki-war/src/main/webapp/templates/210/DiffTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/DiffTab.jsp @@ -38,6 +38,7 @@ <wiki:PageExists> <form action="<wiki:Link jsp='Diff.jsp' format='url' />" method="get" accept-charset="UTF-8"> +<wiki:CsrfProtection/> <div class="collapsebox" id="diffcontent"> <h4> <input type="hidden" name="page" value="<wiki:Variable var='pagename' />" /> diff --git a/jspwiki-war/src/main/webapp/templates/210/EditGroupContent.jsp b/jspwiki-war/src/main/webapp/templates/210/EditGroupContent.jsp index 29d00c3b8..f448264d5 100644 --- a/jspwiki-war/src/main/webapp/templates/210/EditGroupContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/EditGroupContent.jsp @@ -69,7 +69,7 @@ class="wikiform" id="editGroup" method="POST" accept-charset="UTF-8"> - + <wiki:CsrfProtection/> <!-- Members --> <% StringBuffer s = new StringBuffer(); @@ -116,6 +116,7 @@ onsubmit="return( confirm('<fmt:message key="grp.deletegroup.confirm"/>') && Wiki.submitOnce(this) );" method="POST" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <input type="submit" name="ok" value="<fmt:message key="actions.deletegroup"/>" /> <input type="hidden" name="group" value="${param.group}" /> </form> diff --git a/jspwiki-war/src/main/webapp/templates/210/FindContent.jsp b/jspwiki-war/src/main/webapp/templates/210/FindContent.jsp index 9ebf4ce8e..0ceebc311 100644 
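Review bot: `<wiki:CsrfProtection/>` is inserted into a form declared `method="get"`, so the token is submitted as a query-string parameter and ends up in history, Referer headers and logs on every diff request; a GET that only renders a page diff does not need CSRF protection, and carrying the token there only widens the window for leaking it. I would drop the tag from this form, and if the server-side check now demands a token on every request, exempt safe GETs there instead of tokenising read-only forms.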
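Review bot: The delete-group form that now carries a token still writes the request parameter unescaped in `<input type="hidden" name="group" value="${param.group}" />`; JSP EL does not HTML-escape, so a crafted `group` value can break out of the attribute and inject markup, and script injected on this page can read the very token being added. Unless an escaping EL resolver is configured for this application, change it to `value="<c:out value='${param.group}'/>"`. The form's opening tag is above the hunk.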
--- a/jspwiki-war/src/main/webapp/templates/210/FindContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/FindContent.jsp @@ -36,7 +36,7 @@ class="wikiform" id="searchform2" accept-charset="<wiki:ContentEncoding/>"> - + <wiki:CsrfProtection/> <h4><fmt:message key="find.input" /></h4> <p> <input type="text" diff --git a/jspwiki-war/src/main/webapp/templates/210/GroupContent.jsp b/jspwiki-war/src/main/webapp/templates/210/GroupContent.jsp index 1e5fd553e..1f37656b1 100644 --- a/jspwiki-war/src/main/webapp/templates/210/GroupContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/GroupContent.jsp @@ -154,6 +154,7 @@ onsubmit="return( confirm('<fmt:message key="grp.deletegroup.confirm"/>') && Wiki.submitOnce(this) );" method="POST" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <input type="submit" name="ok" value="<fmt:message key="actions.deletegroup"/>" /> <input type="hidden" name="group" value="${param.group}" /> </form> diff --git a/jspwiki-war/src/main/webapp/templates/210/GroupTab.jsp b/jspwiki-war/src/main/webapp/templates/210/GroupTab.jsp index 827e09cbe..df106512a 100644 --- a/jspwiki-war/src/main/webapp/templates/210/GroupTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/GroupTab.jsp @@ -107,6 +107,7 @@ id="groupForm" method="post" accept-charset="<wiki:ContentEncoding />" > <div> + <wiki:CsrfProtection/> <input type="hidden" name="group" value="" /> <input type="hidden" name="members" value="" /> <input type="hidden" name="action" value="save" /> diff --git a/jspwiki-war/src/main/webapp/templates/210/InfoContent.jsp b/jspwiki-war/src/main/webapp/templates/210/InfoContent.jsp index 3942fe0e4..02b038bbe 100644 --- a/jspwiki-war/src/main/webapp/templates/210/InfoContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/InfoContent.jsp 
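Review bot: Same pattern as EditGroupContent.jsp — `<input type="hidden" name="group" value="${param.group}" />` echoes a request parameter into an attribute without escaping, right next to the token this hunk adds. Use `value="<c:out value='${param.group}'/>"` unless EL output is escaped globally for this app.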
@@ -140,6 +140,7 @@ onsubmit="return Wiki.submitOnce(this);" method="post" accept-charset="<wiki:ContentEncoding />" > <p> + <wiki:CsrfProtection/> <input type="hidden" name="page" value="<wiki:Variable var='pagename' />" /> <input type="submit" name="rename" value="<fmt:message key='info.rename.submit' />" /> <input type="text" name="renameto" @@ -161,6 +162,7 @@ method="post" accept-charset="<wiki:ContentEncoding />" onsubmit="return( confirm('<fmt:message key="info.confirmdelete"/>') && Wiki.submitOnce(this) );"> <p> + <wiki:CsrfProtection/> <input type="submit" name="delete-all" id="delete-all" value="<fmt:message key='info.delete.submit'/>" /> </p> @@ -291,7 +293,7 @@ <%-- Do NOT change the order of wikiname and content, otherwise the servlet won't find its parts. --%> - + <wiki:CsrfProtection/> <table> <tr> <td colspan="2"><div class="formhelp"><fmt:message key="info.uploadnew.help" /></div></td> @@ -331,6 +333,7 @@ method="post" accept-charset="<wiki:ContentEncoding />" onsubmit="return( confirm('<fmt:message key="info.confirmdelete"/>') && Wiki.submitOnce(this) );" > <div> + <wiki:CsrfProtection/> <input type="submit" name="delete-all" id="delete-all" value="<fmt:message key='info.deleteattachment.submit' />" /> </div> diff --git a/jspwiki-war/src/main/webapp/templates/210/LoginContent.jsp b/jspwiki-war/src/main/webapp/templates/210/LoginContent.jsp index 3a2e8fe7f..f0fd85df8 100644 --- a/jspwiki-war/src/main/webapp/templates/210/LoginContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/LoginContent.jsp @@ -58,7 +58,7 @@ method="post" accept-charset="<wiki:ContentEncoding />" > <div class="center"> - + <wiki:CsrfProtection/> <h3><fmt:message key="login.heading.login"><fmt:param><wiki:Variable var="applicationname" /></fmt:param></fmt:message></h3> <div class="formhelp"><fmt:message key="login.help"></fmt:message></div> 
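Review bot: The login form now submits a token bound to the pre-authentication session (AttachmentTab shows it comes from `getWikiSession().antiCsrfToken()`), which is sound only if the HTTP session and its token are rotated when the login succeeds; if the same session survives the privilege boundary, an attacker who fixed or observed the anonymous token keeps a valid token for the authenticated user. That rotation is not visible in this JSP and should be confirmed in the login handler; a stale token on this form should also re-render the login page rather than strand the user on an error. The form's closing tag is outside the hunk.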
@@ -129,7 +129,7 @@ method="post" accept-charset="<wiki:ContentEncoding />" > <h3><fmt:message key="login.lostpw.heading" /></h3> - + <wiki:CsrfProtection/> <c:choose> <c:when test="${passwordreset == 'done' }"> <wiki:Messages div="information" topic="resetpw" prefix="" /> diff --git a/jspwiki-war/src/main/webapp/templates/210/NewGroupContent.jsp b/jspwiki-war/src/main/webapp/templates/210/NewGroupContent.jsp index 0b85b7251..15aa8263d 100644 --- a/jspwiki-war/src/main/webapp/templates/210/NewGroupContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/NewGroupContent.jsp @@ -63,7 +63,7 @@ <form id="createGroup" action="<wiki:Link format="url" jsp="NewGroup.jsp"/>" method="POST" accept-charset="UTF-8"> - + <wiki:CsrfProtection/> <div class="formhelp"> <fmt:message key="newgroup.instructions.start"/> </div> diff --git a/jspwiki-war/src/main/webapp/templates/210/PageTab.jsp b/jspwiki-war/src/main/webapp/templates/210/PageTab.jsp index ac77fa7e9..ebe8ff003 100644 --- a/jspwiki-war/src/main/webapp/templates/210/PageTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/PageTab.jsp @@ -47,6 +47,7 @@ <form action="<wiki:Link format='url' jsp='Wiki.jsp'/>" method="get" accept-charset='UTF-8'> + <wiki:CsrfProtection/> <input type="hidden" name="page" value="<wiki:Variable var='pagename' />" /> <div class="warning"> <fmt:message key="view.oldversion"> diff --git a/jspwiki-war/src/main/webapp/templates/210/PreferencesTab.jsp b/jspwiki-war/src/main/webapp/templates/210/PreferencesTab.jsp index 8cb15aa68..de28e1e70 100644 --- a/jspwiki-war/src/main/webapp/templates/210/PreferencesTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/PreferencesTab.jsp @@ -55,6 +55,7 @@ id="setCookie" method="post" accept-charset="<wiki:ContentEncoding />" onsubmit="WikiPreferences.savePrefs(); return Wiki.submitOnce(this);" > + <wiki:CsrfProtection/> <table> <tr> 
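Review bot: In PageTab.jsp the token is added to a form with `method="get"` that only requests a page version from Wiki.jsp, so the token will appear in the URL, Referer headers and logs without protecting any state change. I would remove `<wiki:CsrfProtection/>` from this form; CSRF tokens belong on the POST forms this commit otherwise targets.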
@@ -210,6 +211,7 @@ onsubmit="Wiki.prefs.empty(); return Wiki.submitOnce( this );" method="post" accept-charset="<wiki:ContentEncoding />" > <div> + <wiki:CsrfProtection/> <input type="submit" name="ok" value="<fmt:message key='prefs.clear.submit'/>" /> <input type="hidden" name="action" value="clearAssertedName" /> </div> diff --git a/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp b/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp index 969734f69..2605a5913 100644 --- a/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/ProfileTab.jsp @@ -43,6 +43,7 @@ onsubmit="return Wiki.submitOnce( this );" method="post" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <h3> <wiki:UserProfile property="exists"><fmt:message key="prefs.oldprofile"/></wiki:UserProfile> <wiki:UserProfile property="new"><fmt:message key="prefs.newprofile"/></wiki:UserProfile> diff --git a/jspwiki-war/src/main/webapp/templates/210/SearchBox.jsp b/jspwiki-war/src/main/webapp/templates/210/SearchBox.jsp index 9aea7d35c..005eb8a46 100644 --- a/jspwiki-war/src/main/webapp/templates/210/SearchBox.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/SearchBox.jsp @@ -35,6 +35,7 @@ name="query" id="query" size="20" accesskey="f" /> + <wiki:CsrfProtection/> <button type="submit" name="searchSubmit" id="searchSubmit" value="<fmt:message key='find.submit.go'/>" diff --git a/jspwiki-war/src/main/webapp/templates/210/WorkflowContent.jsp b/jspwiki-war/src/main/webapp/templates/210/WorkflowContent.jsp index 9bb25f979..52376524b 100644 --- a/jspwiki-war/src/main/webapp/templates/210/WorkflowContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/WorkflowContent.jsp 
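Review bot: The search box form's method attribute is above the hunk; if it submits by GET, as search forms usually do, the `<wiki:CsrfProtection/>` added after the `query` input will put the session token into the search URL on every search and leak it through history, Referer and logs. If the form is GET, drop the tag; only a POST search needs it.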
@@ -84,6 +84,7 @@ <td align="left"> <form id="<c:out value='decision.${decision.id}'/>" action="<wiki:Link jsp='Workflow.jsp' format='url'/>" method="POST" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <input type="hidden" name="action" value="decide" /> <input type="hidden" name="id" value="<c:out value='${decision.id}' />" /> <select name="outcome" onchange="SubmitOutcomeIfSelected(this)"> @@ -163,6 +164,7 @@ <!-- Actions --> <td align="left"> <form id="<c:out value='workflow.${workflow.id}'/>" action="<wiki:Link jsp='Workflow.jsp' format='url'/>" method="POST" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <input type="submit" name="submit" value="<fmt:message key="outcome.step.abort" />" /> <input type="hidden" name="action" value="abort" /> <input type="hidden" name="id" value="<c:out value="${workflow.id}" />" /> diff --git a/jspwiki-war/src/main/webapp/templates/210/admin/AdminTemplate.jsp b/jspwiki-war/src/main/webapp/templates/210/admin/AdminTemplate.jsp index 536f8c4e4..b946808ed 100644 --- a/jspwiki-war/src/main/webapp/templates/210/admin/AdminTemplate.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/admin/AdminTemplate.jsp @@ -56,6 +56,7 @@ in your <code>jspwiki.properties</code> file.</div> <div class="formcontainer"> <form action="Admin.jsp" method="post" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <input type="hidden" name="tab-admin" value="core"/> <input type="hidden" name="tab-core" value="${ab.title}" /> <input type="hidden" name="bean" value="${ab.id}" /> @@ -91,6 +92,7 @@ in your <code>jspwiki.properties</code> file.</div> <div class="formcontainer"> <form action="Admin.jsp" method="post" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <input type="hidden" name="tab-admin" value="editors"/> <input type="hidden" name="tab-editors" value="${ab.title}" /> <% 
diff --git a/jspwiki-war/src/main/webapp/templates/210/admin/UserManagement.jsp b/jspwiki-war/src/main/webapp/templates/210/admin/UserManagement.jsp index 2c681c966..8dbc8e2de 100644 --- a/jspwiki-war/src/main/webapp/templates/210/admin/UserManagement.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/admin/UserManagement.jsp @@ -84,6 +84,7 @@ function addNew() onsubmit="return Wiki.submitOnce(this);" method="post" accept-charset="<wiki:ContentEncoding/>" enctype="application/x-www-form-urlencoded" > + <wiki:CsrfProtection/> <input type="hidden" name='bean' value='org.apache.wiki.ui.admin.beans.UserBean'/> <input type="hidden" id="loginid" name="loginid" value="" /> <table> diff --git a/jspwiki-war/src/main/webapp/templates/210/commonheader.jsp b/jspwiki-war/src/main/webapp/templates/210/commonheader.jsp index 873817336..346090133 100644 --- a/jspwiki-war/src/main/webapp/templates/210/commonheader.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/commonheader.jsp @@ -72,6 +72,7 @@ <meta name="wikiUserName" content='<wiki:UserName />' /> <meta name="wikiTemplateUrl" content='<wiki:Link format="url" templatefile="" />' /> <meta name="wikiApplicationName" content='<wiki:Variable var="ApplicationName" />' /> +<wiki:CsrfProtection format="meta" /> <script type="text/javascript">//<![CDATA[ /* Localized javascript strings: LocalizedStrings[] */ diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/CKeditor.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/CKeditor.jsp index aa4864f02..d4bac805b 100644 --- a/jspwiki-war/src/main/webapp/templates/210/editors/CKeditor.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/editors/CKeditor.jsp 
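Review bot: `<wiki:CsrfProtection format="meta" />` embeds the session token in every page head for script to read, which makes any HTML injection anywhere in the wiki a token disclosure as well; that is the usual trade-off, but it raises the stakes on output escaping (the adjacent `wikiUserName` meta is written from `<wiki:UserName />` and its escaping is not visible here). Client code reading the meta should attach the token only to same-origin requests, and responses for logged-in sessions must not be cacheable by a shared cache, so confirm they carry `Cache-Control: private` or `no-store`.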
@@ -130,7 +130,8 @@ id="editform" enctype="application/x-www-form-urlencoded" > - <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%> + <wiki:CsrfProtection/> + <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%> <input type="hidden" name="page" value="<wiki:Variable var='pagename' />" /> <input type="hidden" name="action" value="save" /> <wiki:SpamFilterInputs/> diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/FCK.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/FCK.jsp index 792fcb476..67285cc75 100644 --- a/jspwiki-war/src/main/webapp/templates/210/editors/FCK.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/editors/FCK.jsp @@ -104,6 +104,7 @@ name="editform" id="editform" enctype="application/x-www-form-urlencoded"> <p> + <wiki:CsrfProtection/> <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%> <input name="page" type="hidden" value="<wiki:Variable var="pagename"/>" /> <input name="action" type="hidden" value="save" /> diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/TinyMCE.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/TinyMCE.jsp index 8e0021c8b..008876c7e 100644 --- a/jspwiki-war/src/main/webapp/templates/210/editors/TinyMCE.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/editors/TinyMCE.jsp @@ -126,6 +126,7 @@ id="editform" enctype="application/x-www-form-urlencoded" > + <wiki:CsrfProtection/> <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%> <input type="hidden" name="page" value="<wiki:Variable var='pagename' />" /> <input type="hidden" name="action" value="save" /> diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/plain.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/plain.jsp index 4f36913f6..ae0dcf5af 100644 --- a/jspwiki-war/src/main/webapp/templates/210/editors/plain.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/editors/plain.jsp 
@@ -88,6 +88,7 @@ method="post" accept-charset="<wiki:ContentEncoding/>" enctype="application/x-www-form-urlencoded" > + <wiki:CsrfProtection/> <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%> <p id="submitbuttons"> <input name="page" type="hidden" value="<wiki:Variable var='pagename' />" /> diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/preview.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/preview.jsp index 1c0036b3f..9a2a47ed3 100644 --- a/jspwiki-war/src/main/webapp/templates/210/editors/preview.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/editors/preview.jsp @@ -47,6 +47,7 @@ enctype="application/x-www-form-urlencoded"> <p> + <wiki:CsrfProtection/> <%-- Edit.jsp & Comment.jsp rely on these being found. So be careful, if you make changes. --%> <input type="hidden" name="author" value="${author}" /> <input type="hidden" name="link" value="${link}" /> diff --git a/jspwiki-war/src/main/webapp/templates/210/editors/wysiwyg.jsp b/jspwiki-war/src/main/webapp/templates/210/editors/wysiwyg.jsp index 67b304c2d..e49ec3b77 100644 --- a/jspwiki-war/src/main/webapp/templates/210/editors/wysiwyg.jsp +++ b/jspwiki-war/src/main/webapp/templates/210/editors/wysiwyg.jsp @@ -93,6 +93,7 @@ Falling back to the plain editor. method="post" accept-charset="<wiki:ContentEncoding/>" enctype="application/x-www-form-urlencoded" > + <wiki:CsrfProtection/> <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%> <p id="submitbuttons"> <input name="page" type="hidden" value="<wiki:Variable var='pagename' />" /> diff --git a/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp b/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp index 9614286c5..29016589c 100644 --- a/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp 
@@ -33,16 +33,18 @@ Context c = Context.findContext(pageContext); %> <c:set var="progressId" value="<%= c.getEngine().getManager( ProgressManager.class ).getNewProgressIdentifier() %>" /> +<c:set var="csrfProtection" value="<%= c.getWikiSession().antiCsrfToken() %>" /> <div class="page-content"> <wiki:Permission permission="upload"> - <form action="<wiki:Link jsp='attach' format='url'><wiki:Param name='progressid' value='${progressId}'/></wiki:Link>" + <form action="<wiki:Link jsp='attach' format='url'><wiki:Param name='progressid' value='${progressId}'/><wiki:Param name='X-XSRF-TOKEN' value='${csrfProtection}'/></wiki:Link>" class="accordion<wiki:HasAttachments></wiki:HasAttachments>" id="uploadform" method="post" enctype="multipart/form-data" accept-charset="<wiki:ContentEncoding/>" > <h4><span class="icon-paper-clip"></span> <fmt:message key="attach.add"/></h4> + <wiki:CsrfProtection/> <input type="hidden" name="nextpage" value="<wiki:Link context='upload' format='url'/>" /> <input type="hidden" name="page" value="<wiki:Variable var="pagename"/>" /> <input type="hidden" name="action" value="upload" /> @@ -92,6 +94,7 @@ <%--TODO: "nextpage" is not yet implemented in Delete.jsp --%> + <wiki:CsrfProtection/> <input type="hidden" name="nextpage" value="<wiki:Link context='upload' format='url'/>" /> <input id="delete-all" name="delete-all" type="submit" data-modal="+ .modal" diff --git a/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp b/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp index 126273ef1..15ff22357 100644 --- a/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp @@ -37,6 +37,7 @@ class="diffbody form-inline" method="get" accept-charset="UTF-8"> <input type="hidden" name="page" value="<wiki:PageName />" /> + <wiki:CsrfProtection/> <p class="btn btn-default btn-block"> <fmt:message key="diff.difference"> 
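Review bot: As in the 210 template, `<wiki:Param name='X-XSRF-TOKEN' value='${csrfProtection}'/>` exposes the session token in the upload form's action URL, where it is recorded in history, Referer headers and access logs. Prefer having the attach servlet read the token from the multipart body or a request header, and if the query parameter must stay, send `Referrer-Policy: same-origin` with the page.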
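Review bot: The default DiffTab form is `method="get"`, so the `<wiki:CsrfProtection/>` inserted after the `page` input sends the token in the query string for a read-only request. Remove the tag here; tokenising safe GETs only leaks the token.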
diff --git a/jspwiki-war/src/main/webapp/templates/default/EditGroupContent.jsp b/jspwiki-war/src/main/webapp/templates/default/EditGroupContent.jsp index f3465c862..0092da87f 100644 --- a/jspwiki-war/src/main/webapp/templates/default/EditGroupContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/EditGroupContent.jsp @@ -64,6 +64,7 @@ method="POST" accept-charset="UTF-8"> <input type="hidden" name="group" value="${name}" /> + <wiki:CsrfProtection/> <div class="form-group"> <button class="btn btn-success" type="submit" name="action" value="save"> diff --git a/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp b/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp index c85371ca6..fae834803 100644 --- a/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp @@ -41,6 +41,7 @@ placeholder="<fmt:message key="find.input" />" autofocus="autofocus" size="32" /> + <wiki:CsrfProtection/> <div class="form-inline form-group"> diff --git a/jspwiki-war/src/main/webapp/templates/default/GroupTab.jsp b/jspwiki-war/src/main/webapp/templates/default/GroupTab.jsp index 4d8027759..c3a521266 100644 --- a/jspwiki-war/src/main/webapp/templates/default/GroupTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/GroupTab.jsp @@ -66,6 +66,7 @@ <h4><fmt:message key="newgroup.heading.create"/></h4> <input type="hidden" name="action" value="save" /> + <wiki:CsrfProtection/> <fmt:message key='newgroup.errorprefix' var="msg"/> <wiki:Messages div="alert alert-danger form-col-offset-20 form-col-50" topic="group" prefix="${msg}"/> @@ -102,6 +103,7 @@ name="deleteGroupForm" id="deleteGroupForm" method="POST" accept-charset="UTF-8"> <input type="hidden" name="group" value="${group.name}" /> + <wiki:CsrfProtection/> <input type="submit" name="ok" data-modal="+ .modal" value="<fmt:message key="actions.deletegroup"/>" /> 
diff --git a/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp b/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp index 744bf0c75..89c2d2e71 100644 --- a/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp @@ -120,6 +120,7 @@ id="renameform" method="post" accept-charset="<wiki:ContentEncoding />" > + <wiki:CsrfProtection/> <input type="hidden" name="page" value="<wiki:Variable var='pagename' />" /> <input class="btn btn-success" type="submit" name="rename" value="<fmt:message key='info.rename.submit' />" /> <input class="form-control form-col-50" type="text" name="renameto" @@ -142,6 +143,7 @@ <input class="btn btn-danger" type="submit" name="delete-all" id="delete-all" data-modal="+ .modal" value="<fmt:message key='info.delete.submit'/>" /> + <wiki:CsrfProtection/> <div class="modal"><fmt:message key='info.confirmdelete'/></div> </form> </wiki:Permission> @@ -262,7 +264,7 @@ <%-- Do NOT change the order of wikiname and content, otherwise the servlet won't find its parts. --%> - + <wiki:CsrfProtection/> <h4><span class="icon-paper-clip"></span> <fmt:message key="info.uploadnew"/></h4> <div class="form-group"> @@ -310,6 +312,7 @@ </fmt:message> </a> --%> + <wiki:CsrfProtection/> <wiki:Permission permission="delete"> <input class="btn btn-danger" type="submit" name="delete-all" id="delete-all" data-modal="+ .modal" diff --git a/jspwiki-war/src/main/webapp/templates/default/LoginContent.jsp b/jspwiki-war/src/main/webapp/templates/default/LoginContent.jsp index e6acc78f3..4b8cfadbe 100644 --- a/jspwiki-war/src/main/webapp/templates/default/LoginContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/LoginContent.jsp 
@@ -55,7 +55,7 @@ id="login" class="login-form" method="post" accept-charset="<wiki:ContentEncoding />" > - + <wiki:CsrfProtection/> <p class="login-header"> <fmt:message key="login.heading.login"> <fmt:param><wiki:Variable var="applicationname" /></fmt:param> @@ -122,6 +122,7 @@ class="login-form" method="post" accept-charset="<wiki:ContentEncoding />" > + <wiki:CsrfProtection/> <p class="login-header"><fmt:message key="login.lostpw.title" /></p> <c:choose> @@ -190,6 +191,7 @@ class="login-form" method="post" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <input type="hidden" name="redirect" value="<wiki:Variable var='redirect' default='' />" /> <p class="login-header"><fmt:message key="login.registernow.title" /></p> diff --git a/jspwiki-war/src/main/webapp/templates/default/PageTab.jsp b/jspwiki-war/src/main/webapp/templates/default/PageTab.jsp index b889a1dc1..8e7660a2b 100644 --- a/jspwiki-war/src/main/webapp/templates/default/PageTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/PageTab.jsp @@ -48,6 +48,7 @@ method="get" accept-charset='UTF-8'> <input type="hidden" name="page" value="${param.page}" /> + <wiki:CsrfProtection/> <div class="error center"> <label> <fmt:message key="view.oldversion"> diff --git a/jspwiki-war/src/main/webapp/templates/default/PreferencesTab.jsp b/jspwiki-war/src/main/webapp/templates/default/PreferencesTab.jsp index d1b1a4fe5..4da7bbb17 100644 --- a/jspwiki-war/src/main/webapp/templates/default/PreferencesTab.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/PreferencesTab.jsp @@ -47,6 +47,7 @@ method="post" accept-charset="<wiki:ContentEncoding />" > <input type="hidden" name="redirect" value="${redirect}" /> + <wiki:CsrfProtection/> <div class="form-group "> diff --git a/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp b/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp index 36a7befbe..d58b051a3 100644 --- a/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp 
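Review bot: This PageTab form is `method="get"`, so the added `<wiki:CsrfProtection/>` puts the token into the URL of a read-only request and should be dropped. Separately, `<input type="hidden" name="page" value="${param.page}" />` on the line above it echoes a request parameter unescaped into an attribute; unless EL output is escaped globally, write it as `value="<c:out value='${param.page}'/>"`.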
+++ b/jspwiki-war/src/main/webapp/templates/default/ProfileTab.jsp @@ -43,6 +43,7 @@ id="editProfile"> <input type="hidden" name="redirect" value="<wiki:Variable var='redirect' default='' />" /> + <wiki:CsrfProtection/> <div class="form-group"> <span class="form-col-20 control-label"></span> diff --git a/jspwiki-war/src/main/webapp/templates/default/SearchBox.jsp b/jspwiki-war/src/main/webapp/templates/default/SearchBox.jsp index cf7144e32..53df644a2 100644 --- a/jspwiki-war/src/main/webapp/templates/default/SearchBox.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/SearchBox.jsp @@ -28,6 +28,7 @@ id="searchForm" tabindex="0" role="search" accept-charset="<wiki:ContentEncoding />"> + <wiki:CsrfProtection/> <%-- FFS <div onclick="" class="btn"> the onclick="" is needed for hover effect on ipad https://www.codehaven.co.uk/fix-css-hover-on-iphone-ipad/ --%> <a href="#" aria-label="<fmt:message key='sbox.search.button'/>" class="btn"> diff --git a/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp b/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp index 1ce74e48d..4b7ab6c63 100644 --- a/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp @@ -105,13 +105,13 @@ --%> <wiki:UserCheck status="authenticated"> <a href="<wiki:Link jsp='Logout.jsp' format='url' />" - class="btn btn-default btn-block logout" data-modal=".logout > .modal"> + class="btn btn-default btn-block logout" data-modal="+ .modal"> <span class="icon-signout"></span> <fmt:message key="actions.logout"/> - <div class="modal"> - <h4><fmt:message key="actions.logout"/></h4> - <p><fmt:message key='actions.confirmlogout'/></p> - </div> </a> + <div class="modal"> + <h4><fmt:message key="actions.logout"/></h4> + <p><fmt:message key='actions.confirmlogout'/></p> + </div> </wiki:UserCheck> </li> </ul> 
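Review bot: Logout remains a plain GET link (`<a href="<wiki:Link jsp='Logout.jsp' format='url' />"`), so it is the one state-changing action in these templates still outside the protection this commit adds — any third-party page can end a user's session with an image tag — and the hunk only relocates the confirmation modal. If Logout.jsp accepts POST, a small form with the token and a button styled like the current link would make it consistent; low severity, but cheap to close.
```jsp
<form action="<wiki:Link jsp='Logout.jsp' format='url' />" method="post" class="logout">
  <wiki:CsrfProtection/>
  <button type="submit" class="btn btn-default btn-block" data-modal="+ .modal">
    <span class="icon-signout"></span> <fmt:message key="actions.logout"/>
  </button>
</form>
<%-- … unchanged: confirmation modal div … --%>
```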
diff --git a/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp b/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp index a8e2b0d46..8eb39bdcb 100644 --- a/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp @@ -84,6 +84,7 @@ <form action="<wiki:Link jsp='Workflow.jsp' format='url'/>" id="decision.${decision.id}" method="POST" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <input type="hidden" name="action" value="decide" /> <input type="hidden" name="id" value="${decision.id}" /> <c:forEach var="outcome" items="${decision.availableOutcomes}"> @@ -163,6 +164,7 @@ <form id="workflow.${workflow.id}" action="<wiki:Link jsp='Workflow.jsp' format='url'/>" method="POST" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <input class="btn btn-danger btn-xs" type="submit" name="submit" value="<fmt:message key="outcome.step.abort" />" /> <input type="hidden" name="action" value="abort" /> <input type="hidden" name="id" value="${workflow.id}" /> diff --git a/jspwiki-war/src/main/webapp/templates/default/admin/AdminTemplate.jsp b/jspwiki-war/src/main/webapp/templates/default/admin/AdminTemplate.jsp index c3b4f826a..184f2e626 100644 --- a/jspwiki-war/src/main/webapp/templates/default/admin/AdminTemplate.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/admin/AdminTemplate.jsp @@ -56,6 +56,7 @@ in your <code>jspwiki.properties</code> file.</div> <div class="formcontainer"> <form action="Admin.jsp" method="post" accept-charset="UTF-8"> + <wiki:CsrfProtection/> <input type="hidden" name="tab-admin" value="core"/> <input type="hidden" name="tab-core" value="${ab.title}" /> <input type="hidden" name="bean" value="${ab.id}" /> 
@@ -88,6 +89,7 @@ in your <code>jspwiki.properties</code> file.</div> <div class="formcontainer"> <form action="Admin.jsp" method="post" accept-charset="UTF-8">
+ <wiki:CsrfProtection/>
 <input type="hidden" name="tab-admin" value="editors"/> <input type="hidden" name="tab-editors" value="${ab.title}" /> <%
diff --git a/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp b/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp
index abd32b545..30217d23c 100644
--- a/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp
@@ -76,6 +76,7 @@ function addNew() id="adminuserform" method="post" accept-charset="<wiki:ContentEncoding/>" enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
 <input type="hidden" name='bean' value='org.apache.wiki.ui.admin.beans.UserBean'/> <input type="hidden" id="loginid" name="loginid" value="" /> <table>
@@ -131,7 +132,7 @@ function addNew() </table> <div id="useractions">
- <input type="submit" name="action" value="Remove" data-modal="#useractions > .modal" />
+ <input type="submit" name="action" value="Remove" data-modal="+ .modal" />
 <div class="modal"> <p>Are you sure you wish to remove this user?</p> </div>
diff --git a/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp b/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp
index 8aceb2298..5539cb90d 100644
--- a/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp 
@@ -100,6 +100,7 @@ String.I18N.PREFIX = "javascript."; <meta name="wikiUserName" content="<wiki:UserName />" /> <meta name="wikiTemplateUrl" content='<wiki:Link format="url" templatefile="" />' /> <meta name="wikiApplicationName" content='<wiki:Variable var="ApplicationName" />' />
+<wiki:CsrfProtection format="meta" />
 <%--CHECKME <wiki:link> seems not to lookup the right jsp from the right template directory EG when a templatefile is not present, the generated link should point to the default template.
diff --git a/jspwiki-war/src/main/webapp/templates/default/editors/CKeditor.jsp b/jspwiki-war/src/main/webapp/templates/default/editors/CKeditor.jsp
index 0e76da44b..6a973858f 100644
--- a/jspwiki-war/src/main/webapp/templates/default/editors/CKeditor.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/editors/CKeditor.jsp
@@ -134,6 +134,7 @@ id="editform" enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
 <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%> <input type="hidden" name="page" value="<wiki:Variable var='pagename' />" /> <input type="hidden" name="action" value="save" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/editors/TinyMCE.jsp b/jspwiki-war/src/main/webapp/templates/default/editors/TinyMCE.jsp
index 9fd7c8a41..ec156fa62 100644
--- a/jspwiki-war/src/main/webapp/templates/default/editors/TinyMCE.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/editors/TinyMCE.jsp
@@ -136,6 +136,7 @@ id="editform" enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
 <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%> <input type="hidden" name="page" value="<wiki:Variable var='pagename' />" /> <input type="hidden" name="action" value="save" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/editors/plain.jsp b/jspwiki-war/src/main/webapp/templates/default/editors/plain.jsp
index 7b10ced7f..0187b60db 100644 
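Review bot: `<wiki:CsrfProtection format="meta" />` now places a token in the `<head>` of every page rendered with this header, including views by anonymous users; if the tag allocates an HTTP session to hold that token, each anonymous page view and crawler hit creates a session, which is worth checking against the tag implementation before this ships. Because the rendered page now carries per-session data, the response must not be stored by a shared cache; a comment next to the tag such as `<%-- per-session CSRF token: this page must not be served from a shared cache --%>` would record that constraint for template maintainers. The enclosing header block continues outside the hunk.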
--- a/jspwiki-war/src/main/webapp/templates/default/editors/plain.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/editors/plain.jsp
@@ -84,6 +84,7 @@ id="editform" enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
 <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%> <input type="hidden" name="page" value="<wiki:Variable var='pagename' />" /> <input type="hidden" name="action" value="save" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/editors/preview.jsp b/jspwiki-war/src/main/webapp/templates/default/editors/preview.jsp
index f39a0af1c..1baf06904 100644
--- a/jspwiki-war/src/main/webapp/templates/default/editors/preview.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/editors/preview.jsp
@@ -45,7 +45,7 @@ id="editform" enctype="application/x-www-form-urlencoded">
-
+ <wiki:CsrfProtection/>
 <%-- Edit.jsp & Comment.jsp rely on these being found. So be careful, if you make changes. --%> <input type="hidden" name="author" value="${author}" /> <input type="hidden" name="link" value="${link}" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/editors/wysiwyg.jsp b/jspwiki-war/src/main/webapp/templates/default/editors/wysiwyg.jsp
index 387bd70c0..2c4617a50 100644
--- a/jspwiki-war/src/main/webapp/templates/default/editors/wysiwyg.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/editors/wysiwyg.jsp
@@ -128,6 +128,7 @@ id="editform" enctype="application/x-www-form-urlencoded" >
+ <wiki:CsrfProtection/>
 <%-- Edit.jsp relies on these being found. So be careful, if you make changes. --%> <input type="hidden" name="page" value="<wiki:Variable var='pagename' />" /> <input type="hidden" name="action" value="save" />
