fixed csrf issues (thanks to krisb78 and Angelo Dini for helping with this)
commit d8e011aac787c74be909312014aa6b7dd28b5eaf 1 parent 397c014
@ojii ojii authored
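--- a/cms/admin/placeholderadmin.py
+++ b/cms/admin/placeholderadmin.py
@@ -30,6 +30,7 @@ class Media:
 }
 js = [os.path.join(settings.CMS_MEDIA_URL, path) for path in (
 'js/lib/jquery.js',
+'js/csrf.js',
 'js/lib/jquery.query.js',
 'js/lib/ui.core.js',
 'js/lib/ui.dialog.js',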
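--- a/cms/media/cms/js/change_list.js
+++ b/cms/media/cms/js/change_list.js
@@ -93,7 +93,7 @@
 };
 $(document).ready(function() {
-patchCsrf($);
+$.fn.cmsPatchCSRF();
 var selected_page = false;
 var action = false;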
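--- a/cms/media/cms/js/csrf.js
+++ b/cms/media/cms/js/csrf.js
@@ -0,0 +1,32 @@
+(function($){
+$.fn.cmsPatchCSRF = function () {
+$.ajaxSetup({
+beforeSend: function(xhr, settings) {
+function getCookie(name) {
+var cookieValue = null;
+if (document.cookie && document.cookie != '') {
+var cookies = document.cookie.split(';');
+for (var i = 0; i < cookies.length; i++) {
+var cookie = $.trim(cookies[i]);
+// Does this cookie string begin with the name we want?
+if (cookie.substring(0, name.length + 1) == (name + '=')) {
+cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+break;
+}
+}
+}
+return cookieValue;
+}
+var base_doc_url = document.URL.match(/^http[s]{0,1}:\/\/[^\/]+\//)[0];
+var base_settings_url = settings.url.match(/^http[s]{0,1}:\/\/[^\/]+\//);
+if (base_settings_url != null) {
+base_settings_url = base_settings_url[0];
+}
+if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url)) || base_doc_url == base_settings_url) {
+// Only send the token to relative URLs i.e. locally.
+xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
+}
+}
+});
+};
+})(jQuery);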
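Review bot: The origin test in the `beforeSend` handler lets scheme-relative URLs through as if they were local: a `settings.url` of the form `//other-host/path` matches neither `/^http:.*/` nor `/^https:.*/`, so the negated test is true and the `X-CSRFToken` header is sent to that other origin. An upper-cased scheme such as `HTTP://` slips through the same way, because those regexes and the base-URL match on the line above are case-sensitive, so the token is again sent to a non-matching origin. Resolving a leading `//` with `document.location.protocol` before matching and using `/^https?:/i` closes both gaps; a sketch follows. Separately, `document.URL.match(...)[0]` throws when the page is not served over http(s), and `cmsPatchCSRF` is registered on `$.fn` although it never uses `this`, so `$.cmsPatchCSRF` would describe it more honestly.
```javascript
// … unchanged: getCookie …
// Resolve "//host/path" to an absolute URL first: the browser can send it
// cross-origin, so it must not fall into the "relative URL" branch below.
var url = /^\/\//.test(settings.url) ? document.location.protocol + settings.url : settings.url;
var base_doc_url = document.URL.match(/^https?:\/\/[^\/]+\//i)[0].toLowerCase();
var base_settings_url = url.match(/^https?:\/\/[^\/]+\//i);
if (base_settings_url != null) {
  base_settings_url = base_settings_url[0].toLowerCase();
}
if (!/^https?:/i.test(url) || base_doc_url == base_settings_url) {
  // Only send the token to relative URLs i.e. locally.
  xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
}
```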
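--- a/cms/media/cms/js/plugin_editor.js
+++ b/cms/media/cms/js/plugin_editor.js
@@ -1,7 +1,7 @@
 (function($) {
 $(document).ready(function() {
 // Add Plugin Handler
-patchCsrf(jQuery);
+$.fn.cmsPatchCSRF();
 $('span.add-plugin').click(function(){
 var select = $(this).parent().children("select[name=plugins]");
 var pluginvalue = select.attr('value');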
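--- a/cms/media/cms/js/toolbar.js
+++ b/cms/media/cms/js/toolbar.js
@@ -1,6 +1,6 @@
 /* javascript for the frontend editing toolbar */
-jQuery.noConflict();
+//jQuery.noConflict();
 function hide_iframe(){
 // needs to be a global function because it gets called
@@ -12,7 +12,7 @@ function hide_iframe(){
 jQuery(document).ready(function($) {
-patchCsrf(jQuery)
+jQuery.fn.cmsPatchCSRF()
 jQuery.fn.swapWith = function(to) {
 return this.each(function() {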
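Review bot: In the first hunk `jQuery.noConflict();` is commented out rather than deleted, and nothing records why; commented-out code is either resurrected by accident or left to puzzle the next reader. Not calling `noConflict()` keeps the global `$` bound to jQuery on every frontend page the toolbar is rendered on, which can collide with a host site's own `$`-using library — whether any such library is present cannot be seen here, so the reason should be stated, e.g. `// noConflict() deliberately not called: <reason — TODO fill in>`, or the line removed outright. In the second hunk the replacement call `jQuery.fn.cmsPatchCSRF()` still carries no terminating semicolon, as the line it replaces did, so the statement relies on ASI in front of the following `jQuery.fn.swapWith = ...` assignment; `jQuery.fn.cmsPatchCSRF();` avoids that. The `ready` callback continues outside the hunk.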
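--- a/cms/templates/admin/cms/page/change_form.html
+++ b/cms/templates/admin/cms/page/change_form.html
@@ -4,7 +4,7 @@
 {% block extrahead %}
 {{ block.super }}
-{% include "cms/inc/csrf_js.html" %}
+<script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/csrf.js"></script>
 <script type="text/javascript" src="{% url admin:jsi18n %}"></script>
 {% if not add %}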
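Review bot: The new `js/csrf.js` script tag executes `(function($){…})(jQuery)` at load time, so it only works if jQuery has already been loaded by the time it appears after `{{ block.super }}`; nothing in this hunk shows where jQuery comes from on this page, so that ordering is an assumption worth pinning down. The `Media` class in cms/admin/placeholderadmin.py now also lists `js/csrf.js` right after `js/lib/jquery.js`; if that Media is what supplies jQuery here, csrf.js is loaded twice (a second load merely re-defines `$.fn.cmsPatchCSRF`, so it is harmless). A template comment such as `{# csrf.js must load after jQuery; also listed in the placeholder admin Media #}` would make the dependency explicit.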
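--- a/cms/templates/admin/cms/page/change_list.html
+++ b/cms/templates/admin/cms/page/change_list.html
@@ -12,13 +12,13 @@
 {% block coltype %}flex{% endblock %}
 {% block extrahead %}
-{% include "cms/inc/csrf_js.html" %}
 <link rel="stylesheet" type="text/css" href="{{ CMS_MEDIA_URL }}css/pages.css"/>
 <link rel="stylesheet" type="text/css" href="{{ CMS_MEDIA_URL }}jstree/tree_component.css" />
 <link rel="stylesheet" type="text/css" href="{{ CMS_MEDIA_URL }}css/jquery.dialog.css" />
 {{ block.super }}
 <script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/lib/jquery.js"></script>
+<script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/csrf.js"></script>
 <script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/lib/jquery.livequery.js"></script>
 <script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/lib/ui.core.js"></script>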
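--- a/cms/templates/admin/cms/page/widgets/plugin_editor.html
+++ b/cms/templates/admin/cms/page/widgets/plugin_editor.html
@@ -18,7 +18,6 @@
 {% endif %}
 {% endif %}
 </div>
-{% include "cms/inc/csrf_js.html" %}
 <script type="text/javascript">
 jQuery(document).ready(function(){
 var placeholder_element = jQuery('#placeholder-{{ placeholder.pk }}');
</font_update>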
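Review bot: The widget drops its own `{% include "cms/inc/csrf_js.html" %}` without loading `js/csrf.js` in its place, so the `$.fn.cmsPatchCSRF()` call that plugin_editor.js now makes on document ready depends on the enclosing page having loaded that script. change_form.html does so in this commit, but if this widget is ever rendered on another admin page the call fails with a TypeError and no CSRF header is sent. Either add the script tag here (a duplicate load only re-defines the plugin) or record the dependency with `{# relies on js/csrf.js being loaded by the enclosing admin page (change_form.html) #}`.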
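--- a/cms/templates/cms/toolbar/toolbar.html
+++ b/cms/templates/cms/toolbar/toolbar.html
@@ -1,6 +1,6 @@
 {% load i18n adminmedia %}
-{% include "cms/inc/csrf_js.html" %}
 <script type="text/javascript" src="{% admin_media_prefix %}js/jquery.min.js"></script>
+<script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/csrf.js"></script>
 <script type="text/javascript">
 //<![CDATA[
 // When jQuery is sourced, it's going to overwrite whatever might be in the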