diff options
| author | Greg Roach <fisharebest@gmail.com> | 2013-11-03 18:20:13 +0000 |
|---|---|---|
| committer | Greg Roach <fisharebest@gmail.com> | 2013-11-03 18:20:13 +0000 |
| commit | f0d22ed13b9c15b881d565b370ddcb377a759eec (patch) | |
| tree | da37e302e2c7616e9f2c2d4583e50fb4b44bc11a /includes | |
| parent | 5c301c36beeafbe0fcb27c10c5cd19c6b49f9e1b (diff) | |
| download | webtrees-f0d22ed13b9c15b881d565b370ddcb377a759eec.tar.gz webtrees-f0d22ed13b9c15b881d565b370ddcb377a759eec.tar.bz2 webtrees-f0d22ed13b9c15b881d565b370ddcb377a759eec.zip | |
Add CSRF checks to inline editing
Diffstat (limited to 'includes')
| -rw-r--r-- | includes/functions/functions_edit.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/includes/functions/functions_edit.php b/includes/functions/functions_edit.php index f73041b9fc..2e18dc4a09 100644 --- a/includes/functions/functions_edit.php +++ b/includes/functions/functions_edit.php @@ -31,7 +31,7 @@ require_once WT_ROOT.'includes/functions/functions_import.php'; // Create an edit control for inline editing using jeditable function edit_field_inline($name, $value, $controller=null) { $html='<span class="editable" id="' . $name . '">' . WT_Filter::escapeHtml($value) . '</span>'; - $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {submit:" ' . /* I18N: button label */ WT_I18N::translate('save') . ' ", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'"});'; + $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {submitdata: {csrf: WT_CSRF_TOKEN}, submit:" ' . /* I18N: button label */ WT_I18N::translate('save') . ' ", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'"});'; if ($controller) { $controller->addInlineJavascript($js); @@ -45,7 +45,7 @@ function edit_field_inline($name, $value, $controller=null) { // Create a text area for inline editing using jeditable function edit_text_inline($name, $value, $controller=null) { $html='<span class="editable" style="white-space:pre-wrap;" id="' . $name . '">' . WT_Filter::escapeHtml($value) . '</span>'; - $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {submit:" ' . WT_I18N::translate('save') . ' ", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'", type: "textarea", rows:4, cols:60 });'; + $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {submitdata: {csrf: WT_CSRF_TOKEN}, submit:" ' . WT_I18N::translate('save') . ' ", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'", type: "textarea", rows:4, cols:60 });'; if ($controller) { $controller->addInlineJavascript($js); @@ -104,7 +104,7 @@ function select_edit_control_inline($name, $values, $empty, $selected, $controll $values['selected']=WT_Filter::escapeHtml($selected); $html='<span class="editable" id="' . $name . '">' . (array_key_exists($selected, $values) ? $values[$selected] : '') . '</span>'; - $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {type:"select", data:' . json_encode($values) . ', submit:" ' . WT_I18N::translate('save') . ' ", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'", callback:function(value, settings) {jQuery(this).html(settings.data[value]);} });'; + $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {submitdata: {csrf: WT_CSRF_TOKEN}, type:"select", data:' . json_encode($values) . ', submit:" ' . WT_I18N::translate('save') . ' ", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'", callback:function(value, settings) {jQuery(this).html(settings.data[value]);} });'; if ($controller) { $controller->addInlineJavascript($js); |
