From d2a35adf70d1b429877f4462b4823a23a16f46e7 Mon Sep 17 00:00:00 2001
From: Anders Pearson <anders@thraxil.org>
Date: Wed, 8 Feb 2023 11:39:44 +0000
Subject: [PATCH] add csrf tokens

---
 mithras/templates/abraxas/add_post.html       |  5 +-
 mithras/templates/abraxas/comment.html        |  9 +-
 mithras/templates/abraxas/edit_post.html      |  3 +-
 mithras/templates/abraxas/node.html           | 98 +++++++++----------
 .../abraxas/node_confirm_delete.html          |  1 +
 mithras/templates/abraxas/pending.html        |  5 +-
 mithras/templates/abraxas/preview.html        |  9 +-
 7 files changed, 68 insertions(+), 62 deletions(-)

diff --git a/mithras/templates/abraxas/add_post.html b/mithras/templates/abraxas/add_post.html
index de5f5c88..ff90be00 100644
--- a/mithras/templates/abraxas/add_post.html
+++ b/mithras/templates/abraxas/add_post.html
@@ -12,8 +12,9 @@
 
 {% block content %}
 
-<form action="." method="post">
-{% if node_id %}<input type="hidden" name="node_id" value="{{node_id}}" />{% endif %}
+    <form action="." method="post">
+        {% csrf_token %}
+        {% if node_id %}<input type="hidden" name="node_id" value="{{node_id}}" />{% endif %}
 <table>
 <tr>
   <th>title</th>
diff --git a/mithras/templates/abraxas/comment.html b/mithras/templates/abraxas/comment.html
index c4587bc9..75f9a841 100644
--- a/mithras/templates/abraxas/comment.html
+++ b/mithras/templates/abraxas/comment.html
@@ -21,10 +21,11 @@ <h2>Reply to: <a href="{{node.get_absolute_url}}">{{ node.title }}</a></h2>
 </div>
 
 {% if node.comments_allowed %}
-<div id="comment-form">
-<form action="{{ node.get_absolute_url }}add_comment/"
-      method="post" onsubmit="return commentSubmit()">
-<input type="hidden" name="reply_to" value="{{ comment.id }}" />
+    <div id="comment-form">
+        <form action="{{ node.get_absolute_url }}add_comment/"
+              method="post" onsubmit="return commentSubmit()">
+            {% csrf_token %}
+            <input type="hidden" name="reply_to" value="{{ comment.id }}" />
 <textarea name="content" id="comment-textarea"></textarea><br />
 <p style="font-size: .8em;">formatting is
   with Markdown syntax.
diff --git a/mithras/templates/abraxas/edit_post.html b/mithras/templates/abraxas/edit_post.html
index 020537be..2c9a9c63 100644
--- a/mithras/templates/abraxas/edit_post.html
+++ b/mithras/templates/abraxas/edit_post.html
@@ -13,7 +13,8 @@
 
     <a href="{% url 'delete-node' node.id %}">Delete</a>
     
-<form action="." method="post">
+    <form action="." method="post">
+        {% csrf_token %}
 <table>
 <tr>
   <th>title</th>
diff --git a/mithras/templates/abraxas/node.html b/mithras/templates/abraxas/node.html
index 7c1691c9..942a0032 100644
--- a/mithras/templates/abraxas/node.html
+++ b/mithras/templates/abraxas/node.html
@@ -6,14 +6,14 @@
 
 {% block breadcrumbs %}
 
-<a href="/">//thraxil.org</a>/<a href="/users/">users</a>/<a href="{{ node.user.get_absolute_url }}">{{ node.user.username }}</a>/<a href="{{ node.user.get_absolute_url }}{{node.type}}s/">{{ node.type }}s</a>/<a href="{{ node.user.get_absolute_url }}{{node.type}}s/{{node.created.year}}/">{{ node.created.year }}</a>/<a href="{{node.user.get_absolute_url}}{{node.type}}s/{{node.created.year}}/{{node.created.month}}/">{{ node.created.month}}</a>/<a href="{{node.user.get_absolute_url}}{{node.type}}s/{{node.created.year}}/{{node.created.month}}/{{node.created.day}}/">{{ node.created.day }}</a>/{{node.slug}}/
+    <a href="/">//thraxil.org</a>/<a href="/users/">users</a>/<a href="{{ node.user.get_absolute_url }}">{{ node.user.username }}</a>/<a href="{{ node.user.get_absolute_url }}{{node.type}}s/">{{ node.type }}s</a>/<a href="{{ node.user.get_absolute_url }}{{node.type}}s/{{node.created.year}}/">{{ node.created.year }}</a>/<a href="{{node.user.get_absolute_url}}{{node.type}}s/{{node.created.year}}/{{node.created.month}}/">{{ node.created.month}}</a>/<a href="{{node.user.get_absolute_url}}{{node.type}}s/{{node.created.year}}/{{node.created.month}}/{{node.created.day}}/">{{ node.created.day }}</a>/{{node.slug}}/
 {% endblock %}
 
 {% block nav %}
-{% if not request.user.is_anonymous %}
-<a href="/edit_post/{{node.id}}/">edit</a>|
-{% endif %}
-history
+    {% if not request.user.is_anonymous %}
+        <a href="/edit_post/{{node.id}}/">edit</a>|
+    {% endif %}
+    history
 {% endblock %}
 
 {% block content %}
@@ -56,50 +56,50 @@ <h3>comments</h3>
                     {{ comment.body|cmarkdown:"codehilite"|safe }}
 
 
-{% if comment.has_replies %}
-{{ comment.replies_html|safe }}
-{% endif %}
-
-</div>
-{% endfor %}
-</div>
-{% endif %}
-
-{% if node.comments_allowed %}
-<div id="comment-form">
-<form action="{{ node.get_absolute_url }}add_comment/"
-      method="post" onsubmit="return commentSubmit()">
-
-<input type="text" name="name" value=""
-			 placeholder="if you can see this, leave it blank"
-			 id="name-decoy"
-/>
-
-<textarea name="content" id="comment-textarea"></textarea><br />
-<p style="font-size: .8em;">formatting is
-  with Markdown syntax. Comments are not displayed until they are approved by a
-  moderator. Moderators will not approve unless the comment
-  contributes value to the discussion.</p>
-<table>
-<tr><th>name</th><td><input type="text" name="horse"
-			    id="comment-name"/></td><td>required</td></tr>
-<tr><th>email</th><td><input type="text" name="email"
-			     id="comment-email"/></td><td>required</td></tr>
-<tr><th>url</th><td><input type="text" name="url"
-			   id="comment-url"/></td><td></td></tr>
-<tr><th></th><td><input type="checkbox" checked="checked"
-                                 name="remember" id="comment-remember"
-                                 />
-remember info?
-</td><td></td></tr>
-</table><br />
-<input type="submit" value="preview comment" />
-</form>
-</div>
-<div class="clear"></div>
-{% endif %}
-
-</div>
+                    {% if comment.has_replies %}
+                        {{ comment.replies_html|safe }}
+                    {% endif %}
+
+                </div>
+            {% endfor %}
+        </div>
+    {% endif %}
+
+    {% if node.comments_allowed %}
+        <div id="comment-form">
+            <form action="{{ node.get_absolute_url }}add_comment/"
+                  method="post" onsubmit="return commentSubmit()">
+                {% csrf_token %}
+                <input type="text" name="name" value=""
+		       placeholder="if you can see this, leave it blank"
+		       id="name-decoy"
+                />
+
+                <textarea name="content" id="comment-textarea"></textarea><br />
+                <p style="font-size: .8em;">formatting is
+                    with Markdown syntax. Comments are not displayed until they are approved by a
+                    moderator. Moderators will not approve unless the comment
+                    contributes value to the discussion.</p>
+                <table>
+                    <tr><th>name</th><td><input type="text" name="horse"
+			                        id="comment-name"/></td><td>required</td></tr>
+                    <tr><th>email</th><td><input type="text" name="email"
+			                         id="comment-email"/></td><td>required</td></tr>
+                    <tr><th>url</th><td><input type="text" name="url"
+			                       id="comment-url"/></td><td></td></tr>
+                    <tr><th></th><td><input type="checkbox" checked="checked"
+                                            name="remember" id="comment-remember"
+                                     />
+                        remember info?
+                    </td><td></td></tr>
+                </table><br />
+                <input type="submit" value="preview comment" />
+            </form>
+        </div>
+        <div class="clear"></div>
+    {% endif %}
+
+        </div>
 
 
 {% endblock %}
diff --git a/mithras/templates/abraxas/node_confirm_delete.html b/mithras/templates/abraxas/node_confirm_delete.html
index ee724e56..9d4ea2ea 100644
--- a/mithras/templates/abraxas/node_confirm_delete.html
+++ b/mithras/templates/abraxas/node_confirm_delete.html
@@ -1,4 +1,5 @@
 <form action="" method="post">{% csrf_token %}
+    {% csrf_token %}
     <p>Are you sure you want to delete "{{ object }}"?</p>
     <input type="submit" value="Confirm" />
 </form>
diff --git a/mithras/templates/abraxas/pending.html b/mithras/templates/abraxas/pending.html
index 09068f47..350ad2e6 100644
--- a/mithras/templates/abraxas/pending.html
+++ b/mithras/templates/abraxas/pending.html
@@ -9,8 +9,9 @@
 {% endblock %}
 
 {% block content %}
-<form action="delete/" method="post">
-<input type="submit" value="delete all pending comments" />
+    <form action="delete/" method="post">
+        {% csrf_token %}
+        <input type="submit" value="delete all pending comments" />
 </form>
 
 <table>
diff --git a/mithras/templates/abraxas/preview.html b/mithras/templates/abraxas/preview.html
index 3a8ba1c8..faf3a9b9 100644
--- a/mithras/templates/abraxas/preview.html
+++ b/mithras/templates/abraxas/preview.html
@@ -12,10 +12,11 @@ <h1>Preview of Comment:</h1>
     {{ content|cmarkdown:"codehilite"|safe }}
 
 
-<div id="comment-form">
-<form action="{{ node.get_absolute_url }}add_comment/"
-      method="post" onsubmit="return commentSubmit()">
-<input type="hidden" name="original_referer" value="{{ original_referer }}" />
+    <div id="comment-form">
+        <form action="{{ node.get_absolute_url }}add_comment/"
+              method="post" onsubmit="return commentSubmit()">
+            {% csrf_token %}
+            <input type="hidden" name="original_referer" value="{{ original_referer }}" />
 <input type="hidden" name="reply_to" value="{{ reply_to }}" />
 <input type="text" name="name" value=""
 			 placeholder="if you can see this, leave it blank"