Fix CSRF protection for adding new phrases and switch to generic JS function for looking up GET header variables.
drn05r authored and EPrints Services committed Jun 2, 2020
1 parent b76ed2a commit 95ed6bee24fb3c138ada80684f0503e54f739c41
Showing 3 changed files with 17 additions and 13 deletions.
@@ -73,3 +73,17 @@ function human_filesize(size_in_bytes)
return size_in_tb + 'Tb';
}

/*
* Get paramaters set in the HTTP GET header
*/
function get_header_variable(variable) {
var query = window.location.search.substring(1);
var vars = query.split("&");
for (var i=0;i<vars.length;i++) {
var pair = vars[i].split("=");
if (pair[0] == variable) {
return decodeURIComponent(pair[1]);
}
}
}

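Review bot: `get_header_variable` truncates any value that contains `=` and mishandles a key with no value, because `pair[1]` comes from an unbounded `split("=")`: a query such as `?csrf_token=abc==` yields `abc`, and a bare `?csrf_token` passes `undefined` to `decodeURIComponent`, which returns the string `"undefined"` instead of an empty value. The key is compared without decoding and `+` is not translated to a space on either side, so encoded names or values do not match; note too that a malformed percent-escape anywhere in the URL makes `decodeURIComponent` throw a `URIError` out of whichever handler called this. Splitting on the first `=` only and decoding both halves fixes the first two points, as sketched below; the header comment would also be more accurate as `Get a parameter from the URL query string (window.location.search)`, since these values are part of the URL rather than an HTTP header (and "paramaters" is a typo).
```javascript
function get_header_variable(variable) {
  // … unchanged: read window.location.search and split it on "&" into vars …
  for (var i = 0; i < vars.length; i++) {
    var eq = vars[i].indexOf("=");  // first "=" only: values may themselves contain "="
    var name = eq < 0 ? vars[i] : vars[i].substring(0, eq);
    var value = eq < 0 ? "" : vars[i].substring(eq + 1);
    if (decodeURIComponent(name.replace(/\+/g, " ")) === variable) {
      return decodeURIComponent(value.replace(/\+/g, " "));
    }
  }
  return undefined;
}
```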
@@ -68,7 +68,8 @@ function ep_phraseedit_addphrase( event, base_id )
parameters: {
screen: "Admin::Phrases",
phraseid: base_id,
phrase: $('ep_phraseedit_newid').value
phrase: $('ep_phraseedit_newid').value,
csrf_token: get_header_variable( 'csrf_token' )
}
}
);
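Review bot: The new `csrf_token` parameter is sent unconditionally, with no check that `get_header_variable( 'csrf_token' )` actually found a token; when the query string lacks one the value is `undefined`, the request still goes out, and the server-side rejection is the only signal the user gets. A guard before the request is built — `var token = get_header_variable('csrf_token'); if (token == null) { /* report the missing token and stop */ return; }` — would fail early with a visible cause instead. The same applies to the identical call added in `js_admin_storagemanager_load_stats` in the third file. Both call sites now depend on `get_header_variable` being defined in a separately loaded script (presumably the one that gains it in this commit), so the script load order on each admin screen is worth confirming. `ep_phraseedit_addphrase` starts outside the hunk.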
@@ -4,17 +4,6 @@ Event.observe(window,'load',function () {
});
});

function js_admin_storagemanager_get_variable(variable) {
var query = window.location.search.substring(1);
var vars = query.split("&");
for (var i=0;i<vars.length;i++) {
var pair = vars[i].split("=");
if (pair[0] == variable) {
return decodeURIComponent(pair[1]);
}
}
}

function js_admin_storagemanager_load_stats(div)
{
var pluginid = div.id.substring(6);
@@ -45,7 +34,7 @@ function js_admin_storagemanager_load_stats(div)
ajax: "stats",
screen: "Admin::StorageManager",
store: pluginid,
csrf_token: js_admin_storagemanager_get_variable( "csrf_token" )
csrf_token: get_header_variable( "csrf_token" )
}
}
);
