summaryrefslogtreecommitdiff
path: root/library/WT/Controller
diff options
context:
space:
mode:
authorGreg Roach <fisharebest@gmail.com>2013-11-03 17:35:10 +0000
committerGreg Roach <fisharebest@gmail.com>2013-11-03 17:35:10 +0000
commit5c301c36beeafbe0fcb27c10c5cd19c6b49f9e1b (patch)
treea3e097912fa1cec59d5355becff63d746862e7ac /library/WT/Controller
parentbadf3539789d15206a789c9a9cc08f7452998c64 (diff)
downloadwebtrees-5c301c36beeafbe0fcb27c10c5cd19c6b49f9e1b.tar.gz
webtrees-5c301c36beeafbe0fcb27c10c5cd19c6b49f9e1b.tar.bz2
webtrees-5c301c36beeafbe0fcb27c10c5cd19c6b49f9e1b.zip
Add CSRF checks to admin/user page
Diffstat (limited to 'library/WT/Controller')
-rw-r--r--library/WT/Controller/Page.php22
1 files changed, 12 insertions, 10 deletions
diff --git a/library/WT/Controller/Page.php b/library/WT/Controller/Page.php
index a9252847dc..d58074758d 100644
--- a/library/WT/Controller/Page.php
+++ b/library/WT/Controller/Page.php
@@ -149,18 +149,20 @@ class WT_Controller_Page extends WT_Controller_Base {
// This javascript needs to be loaded in the header, *before* the CSS.
// All other javascript should be defered until the end of the page
$javascript= '<script src="' . WT_MODERNIZR_URL . '"></script>';
+
// Give Javascript access to some PHP constants
$this->addInlineJavascript('
- var WT_STATIC_URL = "'.WT_STATIC_URL.'";
- var WT_THEME_DIR = "'.WT_THEME_DIR.'";
- var WT_MODULES_DIR = "'.WT_MODULES_DIR.'";
- var WT_GEDCOM = "'.WT_GEDCOM.'";
- var WT_GED_ID = "'.WT_GED_ID.'";
- var WT_USER_ID = "'.WT_USER_ID.'";
- var textDirection = "'.$TEXT_DIRECTION.'";
- var browserType = "'.$BROWSERTYPE.'";
- var WT_SCRIPT_NAME = "'.WT_SCRIPT_NAME.'";
- var WT_LOCALE = "'.WT_LOCALE.'";
+ var WT_STATIC_URL = "' . WT_Filter::escapeJs(WT_STATIC_URL) . '";
+ var WT_THEME_DIR = "' . WT_Filter::escapeJs(WT_THEME_DIR) . '";
+ var WT_MODULES_DIR = "' . WT_Filter::escapeJs(WT_MODULES_DIR) . '";
+ var WT_GEDCOM = "' . WT_Filter::escapeJs(WT_GEDCOM) . '";
+ var WT_GED_ID = "' . WT_Filter::escapeJs(WT_GED_ID) . '";
+ var WT_USER_ID = "' . WT_Filter::escapeJs(WT_USER_ID) . '";
+ var textDirection = "' . WT_Filter::escapeJs($TEXT_DIRECTION) . '";
+ var browserType = "' . WT_Filter::escapeJs($BROWSERTYPE) . '";
+ var WT_SCRIPT_NAME = "' . WT_Filter::escapeJs(WT_SCRIPT_NAME) . '";
+ var WT_LOCALE = "' . WT_Filter::escapeJs(WT_LOCALE) . '";
+ var WT_CSRF_TOKEN = "' . WT_Filter::escapeJs(WT_Filter::getCsrfToken()) . '";
', self::JS_PRIORITY_HIGH);
// Temporary fix for access to main menu hover elements on android/blackberry touch devices