Require CSRF token to edit Stripe settings - thanks to @stehled

itflow-org · Nov 25, 2023 · 432488e · 432488e
1 parent c1d0a23
commit 432488e
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/post/setting.php b/post/setting.php
@@ -331,6 +331,7 @@
 
 if (isset($_POST['edit_online_payment_settings'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
     validateAdminRole();
 
     $config_stripe_enable = intval($_POST['config_stripe_enable']);

diff --git a/settings_online_payment.php b/settings_online_payment.php
@@ -11,6 +11,7 @@
         </div>
         <div class="card-body">
             <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
 
                 <div class="form-group">
                     <div class="custom-control custom-switch">
@@ -53,9 +54,9 @@
                                 $sql_accounts = mysqli_query($mysqli, "SELECT * FROM accounts LEFT JOIN account_types ON account_types.account_type_id = accounts.account_type WHERE account_type_parent = 1 AND account_archived_at IS NULL ORDER BY account_name ASC");
                                 while ($row = mysqli_fetch_array($sql_accounts)) {
                                     $account_id = intval($row['account_id']);
-                                    $account_name = nullable_htmlentities($row['account_name']); 
+                                    $account_name = nullable_htmlentities($row['account_name']);
                                     ?>
-                                        
+
                                     <option value="<?php echo $account_id ?>" <?php if ($account_id == $config_stripe_account) { echo "selected"; } ?>><?php echo $account_name ?></option>
                                 <?php
                                 }