Fixed issue #18885: CSRF Leading to reset Boxes (#3239)
* Fixed issue #18884: Stored XSS in Survey Groups Function

* Fixed issue #18885: CSRF Leading to reset Boxes

* Revert "Fixed issue #18884: Stored XSS in Survey Groups Function"

This reverts commit 86d3916.

---------

Co-authored-by: lapiudevgit <devgit@lapiu.biz>
gabrieljenik and lapiudevgit committed Jun 23, 2023
1 parent a360585 commit bc2bbb9
Showing 4 changed files with 17 additions and 22 deletions.
10 changes: 10 additions & 0 deletions application/controllers/HomepageSettingsController.php
Expand Up @@ -27,6 +27,16 @@ public function accessRules()
);
}

/**
* @return string[] action filters
*/
public function filters()
{
return [
'postOnly + resetAllBoxes', // Only allow resetAllBoxes via POST request
];
}

/**
* Register js script before rendering
*
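Review bot: The filters() method added here returns a fresh list instead of extending the parent's, so any filters the base controller declares would be silently dropped by this override; the enclosing class starts outside the hunk, so I cannot see whether the parent defines any. The safer form is `return array_merge(parent::filters(), ['postOnly + resetAllBoxes']);`, which keeps the intent and is a one-line change. Note also that `postOnly` only rejects GET requests; the real CSRF defense still depends on the framework's CSRF token validation being enabled for POST and on the confirmation dialog submitting that token, neither of which this hunk shows. A comment would make that dependency explicit: `// postOnly closes the GET-link vector; the CSRF token check on POST is what actually blocks forged resets`.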
5 changes: 0 additions & 5 deletions application/views/homepageSettings/index.php
Expand Up @@ -12,11 +12,6 @@
);

?>
<script type="text/javascript">
strConfirm = '<?php eT('Please confirm', 'js');?>';
strCancel = '<?php eT('Cancel', 'js');?>';
strOK = '<?php eT('OK', 'js');?>';
</script>

<div class="row">
<div class="col-12 list-surveys">
Expand Up @@ -20,10 +20,15 @@
'id' => 'reset-button',
'text' => gT('Reset'),
'icon' => 'ri-refresh-line',
'link' => $this->createUrl('homepageSettings/resetAllBoxes/'),
'htmlOptions' => [
'class' => 'btn btn-warning',
'data-confirm' => gT('This will delete all current boxes to restore the default ones. Are you sure you want to continue?')
'data-bs-toggle' => "modal",
'data-bs-target' => '#confirmation-modal',
'data-btnclass' => 'btn-primary',
'data-btntext' => gT('OK'),
'data-post-url' => $this->createUrl('homepageSettings/resetAllBoxes/'),
'data-title' => gT("Please confirm"),
'data-message' => gT('This will delete all current boxes to restore the default ones. Are you sure you want to continue?'),
],
]
);
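Review bot: The reset button now carries its target only in `data-post-url` and relies on the shared `#confirmation-modal` handler, outside this hunk, to build and submit the POST; that handler must include the CSRF token in the request it sends, otherwise every confirmed reset will be rejected by the new server-side check instead of working, so this is worth confirming against the modal's JavaScript. The translated `data-title` and `data-message` strings are placed into HTML attributes; that is safe only if the widget HTML-encodes htmlOptions values, which I cannot verify from here. The options array these lines belong to begins before the hunk.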
15 changes: 0 additions & 15 deletions assets/scripts/admin/homepagesettings.js
Expand Up @@ -128,21 +128,6 @@ $(document).on('ready pjax:scriptcomplete', function(){
});
});

/**
* Confirmation modal
*/
$('a[data-confirm]').click(function(ev) {
var href = $(this).attr('href');
if (!$('#dataConfirmModal').length) {
$('body').append('<div id="dataConfirmModal" class="modal fade" role="dialog" aria-labelledby="dataConfirmLabel"> <div class="modal-dialog"> <div class="modal-content"> <div class="modal-header"> <h4 class="modal-title">'+strConfirm+'</h4> <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button> </div> <div class="modal-body"> </div> <div class="modal-footer"><a class="btn btn-primary" id="dataConfirmOK">'+strOK+'</a><button type="button" class="btn btn-cancel" data-bs-dismiss="modal" >'+strCancel+'</button> </div> </div><!-- /.modal-content --> </div><!-- /.modal-dialog --></div><!-- /.modal -->');
}
$('#dataConfirmModal').find('.modal-body').text($(this).attr('data-confirm'));
$('#dataConfirmOK').attr('href', href);
$('#dataConfirmModal').modal('show');
return false;
});


// Create Update : icons
if($('.option-icon').length>1){
$('.option-icon').on('click', function (ev, that) {
