CKEDITOR-475: Add form token check to HTMLConverter

xwiki-attic · Jul 5, 2022 · 6b10531 · 6b10531
1 parent e6932ba
commit 6b10531
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/application-ckeditor-plugins/src/main/resources/xwiki-source/plugin.js b/application-ckeditor-plugins/src/main/resources/xwiki-source/plugin.js
@@ -60,7 +60,8 @@
         htmlConverter: sourceDocument.getURL('get', $.param({
           sheet: 'CKEditor.HTMLConverter',
           outputSyntax: 'plain',
-          language: $('html').attr('lang') || ''
+          language: $('html').attr('lang') || '',
+          formToken: document.documentElement.dataset.xwikiFormToken || ''
         }))
       }, editor.config['xwiki-source']);
 

diff --git a/application-ckeditor-ui/src/main/resources/CKEditor/HTMLConverter.xml b/application-ckeditor-ui/src/main/resources/CKEditor/HTMLConverter.xml
@@ -41,7 +41,7 @@
 {{velocity wiki="false"}}
 #set ($toHTML = $request.toHTML == 'true')
 #set ($fromHTML = $request.fromHTML == 'true')
-#if ($toHTML || $fromHTML)
+#if (($toHTML || $fromHTML) &amp;&amp; $services.csrf.isTokenValid($request.formToken))
   #set ($text = "$!request.text")
   #set ($stripHTMLEnvelope = $request.stripHTMLEnvelope == 'true')
   #set ($output = "#ckeditor_convert($text $toHTML $fromHTML $stripHTMLEnvelope)")