From 3068cb57885f868077bfbaad2c13ed0c4482aa11 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan <hypolite@mrpetovan.com> Date: Tue, 14 Sep 2021 17:27:16 -0400 Subject: [PATCH 1/3] [frio] Fix contact deletion modal URL concatenation - The deletion URL now has an initial query string parameter in the form of a CSRF token --- view/theme/frio/templates/contact_edit.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/view/theme/frio/templates/contact_edit.tpl b/view/theme/frio/templates/contact_edit.tpl index 91c6d26f43..7806425947 100644 --- a/view/theme/frio/templates/contact_edit.tpl +++ b/view/theme/frio/templates/contact_edit.tpl @@ -27,7 +27,7 @@ {{/if}} <li role="presentation"><a role="menuitem" href="{{$contact_actions.block.url}}" title="{{$contact_actions.block.title}}">{{$contact_actions.block.label}}</a></li> <li role="presentation"><a role="menuitem" href="{{$contact_actions.ignore.url}}" title="{{$contact_actions.ignore.title}}">{{$contact_actions.ignore.label}}</a></li> - {{if $contact_actions.delete.url}}<li role="presentation"><button role="menuitem" type="button" class="btn-link" title="{{$contact_actions.delete.title}}" onclick="addToModal('{{$contact_actions.delete.url}}?confirm=1');">{{$contact_actions.delete.label}}</button></li>{{/if}} + {{if $contact_actions.delete.url}}<li role="presentation"><button role="menuitem" type="button" class="btn-link" title="{{$contact_actions.delete.title}}" onclick="addToModal('{{$contact_actions.delete.url}}&confirm=1');">{{$contact_actions.delete.label}}</button></li>{{/if}} </ul> </li> </ul> From 06b8f93eae470d51e655dcdbbe715ed0c07743f5 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan <hypolite@mrpetovan.com> Date: Tue, 14 Sep 2021 17:28:07 -0400 Subject: [PATCH 2/3] Add support for specific confirm value in confirm.tpl - button tags allow for a different value from the label --- view/templates/confirm.tpl | 4 ++-- view/theme/frio/templates/confirm.tpl | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/view/templates/confirm.tpl b/view/templates/confirm.tpl index ea50846990..47f231a5f9 100644 --- a/view/templates/confirm.tpl +++ b/view/templates/confirm.tpl @@ -4,8 +4,8 @@ <h3 id="confirm-message">{{$message}}</h3> - <input class="confirm-button" id="confirm-submit-button" type="submit" name="{{$confirm_name}}" value="{{$confirm}}" /> - <input class="confirm-button" id="confirm-cancel-button" type="submit" name="canceled" value="{{$cancel}}" /> + <button class="confirm-button" id="confirm-submit-button" type="submit" name="{{$confirm_name}}" value="{{$confirm_value}}">{{$confirm}}</button> + <button class="confirm-button" id="confirm-cancel-button" type="submit" name="canceled" value="{{$cancel}}">{{$cancel}}</button> </form> </center> diff --git a/view/theme/frio/templates/confirm.tpl b/view/theme/frio/templates/confirm.tpl index 187078b68a..3f8c0c3268 100644 --- a/view/theme/frio/templates/confirm.tpl +++ b/view/theme/frio/templates/confirm.tpl @@ -3,7 +3,7 @@ <div id="confirm-message">{{$message}}</div> <div class="form-group pull-right settings-submit-wrapper"> - <button type="submit" name="{{$confirm_name}}" id="confirm-submit-button" class="btn btn-primary confirm-button" value="{{$confirm}}">{{$confirm}}</button> + <button type="submit" name="{{$confirm_name}}" id="confirm-submit-button" class="btn btn-primary confirm-button" value="{{$confirm_value}}">{{$confirm}}</button> <button type="submit" name="canceled" id="confirm-cancel-button" class="btn confirm-button" data-dismiss="modal">{{$cancel}}</button> </div> </form> From 44ec4de14cc6dc3b27bd98ceec1c2705d45fc77a Mon Sep 17 00:00:00 2001 From: Hypolite Petovan <hypolite@mrpetovan.com> Date: Tue, 14 Sep 2021 17:28:42 -0400 Subject: [PATCH 3/3] Use CSRF token as name and value for contact deletion confirm form --- src/Module/Contact.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Module/Contact.php b/src/Module/Contact.php index 2b17deab40..ceb2b6757c 100644 --- a/src/Module/Contact.php +++ b/src/Module/Contact.php @@ -432,7 +432,8 @@ class Contact extends BaseModule '$message' => DI::l10n()->t('Do you really want to delete this contact?'), '$confirm' => DI::l10n()->t('Yes'), '$confirm_url' => DI::args()->getCommand(), - '$confirm_name' => 'confirmed', + '$confirm_name' => 't', + '$confirm_value' => BaseModule::getFormSecurityToken('contact_action'), '$cancel' => DI::l10n()->t('Cancel'), ]); }