fix csrf on core plugins ajax

2026-05-24 09:28:37 +00:00 · 2024-02-02 12:00:53 +01:00 · 2024-02-02 12:00:53 +01:00 · f3cd16ebaa
commit f3cd16ebaa
parent 1213b2f49f
21 changed files with 150 additions and 1 deletions
--- a/src/common/core/antibot/ui/template.html
+++ b/src/common/core/antibot/ui/template.html
@ -1,4 +1,12 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>
+
 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
  <div
--- a/src/common/core/authbasic/ui/template.html
+++ b/src/common/core/authbasic/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
--- a/src/common/core/badbehavior/ui/template.html
+++ b/src/common/core/badbehavior/ui/template.html
@ -1,4 +1,12 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>
+
 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
  <div class="col-span-12 grid grid-cols-12 gap-4">
--- a/src/common/core/blacklist/ui/template.html
+++ b/src/common/core/blacklist/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <div class="col-span-12 grid grid-cols-12 gap-4">
--- a/src/common/core/bunkernet/ui/template.html
+++ b/src/common/core/bunkernet/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- status -->
--- a/src/common/core/cors/ui/template.html
+++ b/src/common/core/cors/ui/template.html
@ -1,5 +1,13 @@
 {% extends "base.html" %} {% block content %}

+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>
+
 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
  <div
--- a/src/common/core/country/ui/template.html
+++ b/src/common/core/country/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
--- a/src/common/core/customcert/ui/template.html
+++ b/src/common/core/customcert/ui/template.html
@ -1,4 +1,12 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>
+
 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
  <div
--- a/src/common/core/db/ui/template.html
+++ b/src/common/core/db/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
--- a/src/common/core/dnsbl/ui/template.html
+++ b/src/common/core/dnsbl/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
--- a/src/common/core/errors/ui/template.html
+++ b/src/common/core/errors/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
--- a/src/common/core/greylist/ui/template.html
+++ b/src/common/core/greylist/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <div class="col-span-12 grid grid-cols-12 gap-4">
--- a/src/common/core/letsencrypt/ui/template.html
+++ b/src/common/core/letsencrypt/ui/template.html
@ -1,4 +1,12 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>
+
 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
  <div
--- a/src/common/core/limit/ui/template.html
+++ b/src/common/core/limit/ui/template.html
@ -1,4 +1,12 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>
+
 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
  <div
--- a/src/common/core/misc/ui/template.html
+++ b/src/common/core/misc/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <div class="col-span-12 grid grid-cols-12 gap-4">
--- a/src/common/core/modsecurity/ui/template.html
+++ b/src/common/core/modsecurity/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
--- a/src/common/core/redis/ui/template.html
+++ b/src/common/core/redis/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- status -->
--- a/src/common/core/reversescan/ui/template.html
+++ b/src/common/core/reversescan/ui/template.html
@ -1,4 +1,12 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>
+
 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
  <div
--- a/src/common/core/selfsigned/ui/template.html
+++ b/src/common/core/selfsigned/ui/template.html
@ -1,4 +1,12 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>
+
 <div class="col-span-12 grid grid-cols-12 gap-4">
  <!-- info-->
  <div
--- a/src/common/core/whitelist/ui/template.html
+++ b/src/common/core/whitelist/ui/template.html
@ -1,4 +1,11 @@
 {% extends "base.html" %} {% block content %}
+<input
+  type="csrf_token"
+  name="csrf_token"
+  value="{{ csrf_token }}"
+  class="hidden"
+  hidden
+/>

 <div class="col-span-12 grid grid-cols-12 gap-4">
  <div class="col-span-12 grid grid-cols-12 gap-4">
--- a/src/ui/static/js/plugins/setup.js
+++ b/src/ui/static/js/plugins/setup.js
@ -47,7 +47,8 @@ class SetupPlugin {
      fetch(location.href, {
        method: "POST",
        headers: {
-          "X-CSRFToken": "{{ csrf_token() }}",
+          "X-CSRFToken": document.querySelector('input[name="csrf_token"]')
+            .value,
        },
      })
        .then((res) => res.json())