Added request validation for comments

madskristensen · Oct 27, 2017 · 4c8cccd · 4c8cccd
1 parent 80de0c5
commit 4c8cccd
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 20 deletions.
diff --git a/src/Controllers/BlogController.cs b/src/Controllers/BlogController.cs
@@ -13,17 +13,11 @@ public class BlogController : Controller
     {
         private IBlogService _blog;
         private IOptionsSnapshot<BlogSettings> _settings;
-        private static int _afrt;
 
         public BlogController(IBlogService blog, IOptionsSnapshot<BlogSettings> settings)
         {
             _blog = blog;
             _settings = settings;
-
-            if (_afrt == default(int))
-            {
-                _afrt = (_settings.Value.Name + DateTime.UtcNow.ToShortDateString()).GetHashCode();
-            }
         }
 
         [Route("/{page:int?}")]
@@ -66,7 +60,6 @@ public async Task<IActionResult> Post(string slug)
 
             if (post != null)
             {
-                ViewData["afrt"] = _afrt;
                 return View(post);
             }
 
@@ -165,12 +158,12 @@ public async Task<IActionResult> DeletePost(string id)
         }
 
         [Route("/blog/comment/{postId}")]
-        [HttpPost]
+        [HttpPost, AutoValidateAntiforgeryToken]
         public async Task<IActionResult> AddComment(string postId, Comment comment)
         {
             var post = await _blog.GetPostById(postId);
 
-            if (!ModelState.IsValid || Request.Form["__afrt"] != _afrt.ToString())
+            if (!ModelState.IsValid)
             {
                 return View("Post", post);
             }
@@ -191,15 +184,10 @@ public async Task<IActionResult> AddComment(string postId, Comment comment)
             return Redirect(post.GetLink() + "#" + comment.ID);
         }
 
-        [Route("/blog/comment/{postId}/{commentId}/{afrt:int}")]
+        [Route("/blog/comment/{postId}/{commentId}")]
         [Authorize]
-        public async Task<IActionResult> DeleteComment(string postId, string commentId, int afrt)
+        public async Task<IActionResult> DeleteComment(string postId, string commentId)
         {
-            if (afrt != _afrt)
-            {
-                return NotFound();
-            }
-
             var post = await _blog.GetPostById(postId);
 
             if (post == null)

diff --git a/src/Startup.cs b/src/Startup.cs
@@ -47,6 +47,7 @@ public void ConfigureServices(IServiceCollection services)
             services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();
             services.AddMetaWeblog<MetaWeblogService>();
 
+            // Output caching (https://github.com/madskristensen/WebEssentials.AspNetCore.OutputCaching)
             services.AddOutputCaching(options =>
             {
                 options.Profiles["default"] = new OutputCacheProfile
@@ -55,6 +56,7 @@ public void ConfigureServices(IServiceCollection services)
                 };
             });
 
+            // Cookie authentication.
             services
                 .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                 .AddCookie(options =>
@@ -63,6 +65,7 @@ public void ConfigureServices(IServiceCollection services)
                     options.LogoutPath = "/logout/";
                 });
 
+            // HTML minification (https://github.com/Taritsyn/WebMarkupMin)
             services
                 .AddWebMarkupMin(options =>
                 {
@@ -74,8 +77,9 @@ public void ConfigureServices(IServiceCollection services)
                     options.MinificationSettings.RemoveOptionalEndTags = false;
                     options.MinificationSettings.WhitespaceMinificationMode = WhitespaceMinificationMode.Safe;
                 });
-            services.AddSingleton<ILogger, NullLogger>();
+            services.AddSingleton<ILogger, NullLogger>(); // Used by HTML minifier
 
+            // Bundling, minification and Sass transpilation (https://github.com/ligershark/WebOptimizer)
             services.AddWebOptimizer(pipeline =>
             {
                 pipeline.MinifyJsFiles();

diff --git a/src/Views/Blog/Comments.cshtml b/src/Views/Blog/Comments.cshtml
@@ -35,7 +35,7 @@
                 <p>Be the first to post a comment</p>
             }
 
-            <form method="post" asp-controller="Blog" asp-action="AddComment" asp-route-postid="@Model.ID" asp-antiforgery="false">
+            <form method="post" asp-controller="Blog" asp-action="AddComment" asp-route-postid="@Model.ID">
                 <h3>Post a comment</h3>
                 <br />
 
@@ -51,7 +51,6 @@
                     <br />
 
                     <input type="submit" value="Post comment" />
-                    <input type="hidden" name="__afrt" value="@ViewData["afrt"]" />
                 </div>
             </form>
         }

diff --git a/src/wwwroot/js/site.js b/src/wwwroot/js/site.js
@@ -25,7 +25,7 @@
 
     function urlify(text) {
         return text.replace(/(((https?:\/\/)|(www\.))[^\s]+)/g, function (url, b, c) {
-            var url2 = c == 'www.' ? 'http://' + url : url;
+            var url2 = c === 'www.' ? 'http://' + url : url;
             return '<a href="' + url2 + '" rel="nofollow noreferrer">' + url + '</a>';
         });
     }