Add CSRF token as string to Ajax data in beforeSend()

LimeSurvey · Aug 5, 2021 · 15ced1b · 15ced1b
1 parent 3f99736
commit 15ced1b
Showing 1 changed file with 10 additions and 11 deletions.
diff --git a/application/extensions/LimeScript/LimeScript.php b/application/extensions/LimeScript/LimeScript.php
@@ -20,18 +20,17 @@ public function run()
             $data['language']                   = Yii::app()->language;
             $data['replacementFields']['path']  = App()->createUrl("limereplacementfields/index");
             $json = json_encode($data, JSON_FORCE_OBJECT);
-            $script = "LS.data = $json;\n"
-                    . "LS.lang = {
-                        confirm: {
-                            confirm_cancel: '".gT('Cancel')."',
-                            confirm_ok: '".gT('OK')."'
-                        }
-                    };\n"
-
-                    . "$.ajaxSetup({
+            $script = "LS.data = $json;\n
+                    // @see https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#jquery
+                    function csrfSafeMethod(method) {
+                        // these HTTP methods do not require CSRF protection
+                        return (/^(GET|HEAD|OPTIONS)$/.test(method));
+                    }
+                    $.ajaxSetup({
                         beforeSend: function(jqXHR, settings) {
-                            if(settings.method != 'GET') {
-                                {data: {".Yii::app()->request->csrfTokenName.": LS.data.csrfToken}}
+                            if(!csrfSafeMethod(settings.type)) {
+                                // NB: This sometimes includes the CSRF token twice, when already added to data.
+                                settings.data +=  '&" . Yii::app()->request->csrfTokenName . "=" . Yii::app()->request->csrfToken ."';
                             }
                         }
                     });";