summaryrefslogtreecommitdiff
path: root/includes
diff options
context:
space:
mode:
authorGreg Roach <fisharebest@gmail.com>2013-11-03 18:20:13 +0000
committerGreg Roach <fisharebest@gmail.com>2013-11-03 18:20:13 +0000
commitf0d22ed13b9c15b881d565b370ddcb377a759eec (patch)
treeda37e302e2c7616e9f2c2d4583e50fb4b44bc11a /includes
parent5c301c36beeafbe0fcb27c10c5cd19c6b49f9e1b (diff)
downloadwebtrees-f0d22ed13b9c15b881d565b370ddcb377a759eec.tar.gz
webtrees-f0d22ed13b9c15b881d565b370ddcb377a759eec.tar.bz2
webtrees-f0d22ed13b9c15b881d565b370ddcb377a759eec.zip
Add CSRF checks to inline editing
Diffstat (limited to 'includes')
-rw-r--r--includes/functions/functions_edit.php6
1 files changed, 3 insertions, 3 deletions
diff --git a/includes/functions/functions_edit.php b/includes/functions/functions_edit.php
index f73041b9fc..2e18dc4a09 100644
--- a/includes/functions/functions_edit.php
+++ b/includes/functions/functions_edit.php
@@ -31,7 +31,7 @@ require_once WT_ROOT.'includes/functions/functions_import.php';
// Create an edit control for inline editing using jeditable
function edit_field_inline($name, $value, $controller=null) {
$html='<span class="editable" id="' . $name . '">' . WT_Filter::escapeHtml($value) . '</span>';
- $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {submit:"&nbsp;&nbsp;' . /* I18N: button label */ WT_I18N::translate('save') . '&nbsp;&nbsp;", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'"});';
+ $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {submitdata: {csrf: WT_CSRF_TOKEN}, submit:"&nbsp;&nbsp;' . /* I18N: button label */ WT_I18N::translate('save') . '&nbsp;&nbsp;", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'"});';
if ($controller) {
$controller->addInlineJavascript($js);
@@ -45,7 +45,7 @@ function edit_field_inline($name, $value, $controller=null) {
// Create a text area for inline editing using jeditable
function edit_text_inline($name, $value, $controller=null) {
$html='<span class="editable" style="white-space:pre-wrap;" id="' . $name . '">' . WT_Filter::escapeHtml($value) . '</span>';
- $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {submit:"&nbsp;&nbsp;' . WT_I18N::translate('save') . '&nbsp;&nbsp;", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'", type: "textarea", rows:4, cols:60 });';
+ $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {submitdata: {csrf: WT_CSRF_TOKEN}, submit:"&nbsp;&nbsp;' . WT_I18N::translate('save') . '&nbsp;&nbsp;", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'", type: "textarea", rows:4, cols:60 });';
if ($controller) {
$controller->addInlineJavascript($js);
@@ -104,7 +104,7 @@ function select_edit_control_inline($name, $values, $empty, $selected, $controll
$values['selected']=WT_Filter::escapeHtml($selected);
$html='<span class="editable" id="' . $name . '">' . (array_key_exists($selected, $values) ? $values[$selected] : '') . '</span>';
- $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {type:"select", data:' . json_encode($values) . ', submit:"&nbsp;&nbsp;' . WT_I18N::translate('save') . '&nbsp;&nbsp;", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'", callback:function(value, settings) {jQuery(this).html(settings.data[value]);} });';
+ $js='jQuery("#' . $name . '").editable("' . WT_SERVER_NAME . WT_SCRIPT_PATH . 'save.php", {submitdata: {csrf: WT_CSRF_TOKEN}, type:"select", data:' . json_encode($values) . ', submit:"&nbsp;&nbsp;' . WT_I18N::translate('save') . '&nbsp;&nbsp;", style:"inherit", placeholder: "'.WT_I18N::translate('click to edit').'", callback:function(value, settings) {jQuery(this).html(settings.data[value]);} });';
if ($controller) {
$controller->addInlineJavascript($js);