Fixed issue #18984: [security] CSRF in Question Themes function (#3459)

Function toggleVisibility is now requested via POST. Co-authored-by: Lapiu Dev <devgit@lapiu.biz>
LimeSurvey · Sep 19, 2023 · 454e73c · 454e73c
1 parent 11051a9
commit 454e73c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/application/controllers/admin/QuestionThemes.php b/application/controllers/admin/QuestionThemes.php
@@ -9,6 +9,8 @@ class QuestionThemes extends SurveyCommonAction
      */
     public function toggleVisibility($id)
     {
+        $this->requirePostRequest();
+
         if (!Permission::model()->hasGlobalPermission('templates', 'update')) {
             throw new CHttpException(403, gT("We are sorry but you don't have permissions to do this."));
         }

diff --git a/application/views/themeOptions/installedthemelist.php b/application/views/themeOptions/installedthemelist.php
@@ -92,9 +92,11 @@ function(id, data){
                                     for (let togglequestiontheme of togglequestionthemes) {
                                         togglequestiontheme.addEventListener("change", () => {
                                             let $url = togglequestiontheme.getAttribute("data-url");
+                                            let data = new FormData();
                                             let xhttp = new XMLHttpRequest();
-                                            xhttp.open("GET", $url, true);
-                                            xhttp.send();
+                                            data.append(LS.data.csrfTokenName, LS.data.csrfToken);
+                                            xhttp.open("POST", $url, true);
+                                            xhttp.send(data);
                                         });
                                     }
                                 }',
@@ -115,9 +117,11 @@ function(id, data){
                 for (let togglequestiontheme of togglequestionthemes) {
                     togglequestiontheme.addEventListener("change", () => {
                         let $url = togglequestiontheme.getAttribute("data-url");
+                        let data = new FormData();
                         let xhttp = new XMLHttpRequest();
-                        xhttp.open("GET", $url, true);
-                        xhttp.send();
+                        data.append(LS.data.csrfTokenName, LS.data.csrfToken);
+                        xhttp.open("POST", $url, true);
+                        xhttp.send(data);
                     });
                 }
                 ';