diff options
| author | Greg Roach <fisharebest@gmail.com> | 2013-11-03 17:35:10 +0000 |
|---|---|---|
| committer | Greg Roach <fisharebest@gmail.com> | 2013-11-03 17:35:10 +0000 |
| commit | 5c301c36beeafbe0fcb27c10c5cd19c6b49f9e1b (patch) | |
| tree | a3e097912fa1cec59d5355becff63d746862e7ac /library/WT/Controller | |
| parent | badf3539789d15206a789c9a9cc08f7452998c64 (diff) | |
| download | webtrees-5c301c36beeafbe0fcb27c10c5cd19c6b49f9e1b.tar.gz webtrees-5c301c36beeafbe0fcb27c10c5cd19c6b49f9e1b.tar.bz2 webtrees-5c301c36beeafbe0fcb27c10c5cd19c6b49f9e1b.zip | |
Add CSRF checks to admin/user page
Diffstat (limited to 'library/WT/Controller')
| -rw-r--r-- | library/WT/Controller/Page.php | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/library/WT/Controller/Page.php b/library/WT/Controller/Page.php index a9252847dc..d58074758d 100644 --- a/library/WT/Controller/Page.php +++ b/library/WT/Controller/Page.php @@ -149,18 +149,20 @@ class WT_Controller_Page extends WT_Controller_Base { // This javascript needs to be loaded in the header, *before* the CSS. // All other javascript should be defered until the end of the page $javascript= '<script src="' . WT_MODERNIZR_URL . '"></script>'; + // Give Javascript access to some PHP constants $this->addInlineJavascript(' - var WT_STATIC_URL = "'.WT_STATIC_URL.'"; - var WT_THEME_DIR = "'.WT_THEME_DIR.'"; - var WT_MODULES_DIR = "'.WT_MODULES_DIR.'"; - var WT_GEDCOM = "'.WT_GEDCOM.'"; - var WT_GED_ID = "'.WT_GED_ID.'"; - var WT_USER_ID = "'.WT_USER_ID.'"; - var textDirection = "'.$TEXT_DIRECTION.'"; - var browserType = "'.$BROWSERTYPE.'"; - var WT_SCRIPT_NAME = "'.WT_SCRIPT_NAME.'"; - var WT_LOCALE = "'.WT_LOCALE.'"; + var WT_STATIC_URL = "' . WT_Filter::escapeJs(WT_STATIC_URL) . '"; + var WT_THEME_DIR = "' . WT_Filter::escapeJs(WT_THEME_DIR) . '"; + var WT_MODULES_DIR = "' . WT_Filter::escapeJs(WT_MODULES_DIR) . '"; + var WT_GEDCOM = "' . WT_Filter::escapeJs(WT_GEDCOM) . '"; + var WT_GED_ID = "' . WT_Filter::escapeJs(WT_GED_ID) . '"; + var WT_USER_ID = "' . WT_Filter::escapeJs(WT_USER_ID) . '"; + var textDirection = "' . WT_Filter::escapeJs($TEXT_DIRECTION) . '"; + var browserType = "' . WT_Filter::escapeJs($BROWSERTYPE) . '"; + var WT_SCRIPT_NAME = "' . WT_Filter::escapeJs(WT_SCRIPT_NAME) . '"; + var WT_LOCALE = "' . WT_Filter::escapeJs(WT_LOCALE) . '"; + var WT_CSRF_TOKEN = "' . WT_Filter::escapeJs(WT_Filter::getCsrfToken()) . '"; ', self::JS_PRIORITY_HIGH); // Temporary fix for access to main menu hover elements on android/blackberry touch devices |
