From 3068cb57885f868077bfbaad2c13ed0c4482aa11 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Tue, 14 Sep 2021 17:27:16 -0400
Subject: [PATCH 1/3] [frio] Fix contact deletion modal URL concatenation

- The deletion URL now has an initial query string parameter in the form of a CSRF token
---
 view/theme/frio/templates/contact_edit.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/view/theme/frio/templates/contact_edit.tpl b/view/theme/frio/templates/contact_edit.tpl
index 91c6d26f43..7806425947 100644
--- a/view/theme/frio/templates/contact_edit.tpl
+++ b/view/theme/frio/templates/contact_edit.tpl
@@ -27,7 +27,7 @@
 							{{/if}}
 							<li role="presentation"><a role="menuitem" href="{{$contact_actions.block.url}}" title="{{$contact_actions.block.title}}">{{$contact_actions.block.label}}</a></li>
 							<li role="presentation"><a role="menuitem" href="{{$contact_actions.ignore.url}}" title="{{$contact_actions.ignore.title}}">{{$contact_actions.ignore.label}}</a></li>
-							{{if $contact_actions.delete.url}}<li role="presentation"><button role="menuitem" type="button" class="btn-link" title="{{$contact_actions.delete.title}}" onclick="addToModal('{{$contact_actions.delete.url}}?confirm=1');">{{$contact_actions.delete.label}}</button></li>{{/if}}
+							{{if $contact_actions.delete.url}}<li role="presentation"><button role="menuitem" type="button" class="btn-link" title="{{$contact_actions.delete.title}}" onclick="addToModal('{{$contact_actions.delete.url}}&confirm=1');">{{$contact_actions.delete.label}}</button></li>{{/if}}
 						</ul>
 					</li>
 				</ul>
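Review bot: The switch to `&confirm=1` on the added line assumes `$contact_actions.delete.url` always arrives with a query string already present; if that URL were ever emitted without one, the result would be a malformed `…&confirm=1` URL and the template has no way to detect it. Because the template and the URL builder in `src/Module/Contact.php` now have to agree on this, a Smarty comment on the line would record the coupling: `{* delete.url already carries the CSRF token as its first query parameter, so confirm=1 is appended with & *}`. The URL is also interpolated unescaped into a single-quoted JavaScript string inside `onclick`; as long as it is built server-side from the token and contact id that is fine, but `{{$contact_actions.delete.url|escape:'javascript'}}` would make the line robust to any future change in how the URL is built.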

From 06b8f93eae470d51e655dcdbbe715ed0c07743f5 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Tue, 14 Sep 2021 17:28:07 -0400
Subject: [PATCH 2/3] Add support for specific confirm value in confirm.tpl

- button tags allow for a different value from the label
---
 view/templates/confirm.tpl            | 4 ++--
 view/theme/frio/templates/confirm.tpl | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/view/templates/confirm.tpl b/view/templates/confirm.tpl
index ea50846990..47f231a5f9 100644
--- a/view/templates/confirm.tpl
+++ b/view/templates/confirm.tpl
@@ -4,8 +4,8 @@
 
 	<h3 id="confirm-message">{{$message}}</h3>
 
-	<input class="confirm-button" id="confirm-submit-button" type="submit" name="{{$confirm_name}}" value="{{$confirm}}" />
-	<input class="confirm-button" id="confirm-cancel-button" type="submit" name="canceled" value="{{$cancel}}" />
+	<button class="confirm-button" id="confirm-submit-button" type="submit" name="{{$confirm_name}}" value="{{$confirm_value}}">{{$confirm}}</button>
+	<button class="confirm-button" id="confirm-cancel-button" type="submit" name="canceled" value="{{$cancel}}">{{$cancel}}</button>
 
 </form>
 </center>
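Review bot: The new `value="{{$confirm_value}}"` on the submit button makes every renderer of confirm.tpl responsible for setting `$confirm_value`; a caller that still passes only `$confirm` (the third patch in this series updates only the contact deletion call) will now submit an empty value under `$confirm_name`, which any server-side `!empty($_REQUEST[...])`-style check would read as a non-confirmation. The same applies to the frio copy of the template in this commit's second hunk. A template-level fallback keeps existing callers working in both files: `value="{{$confirm_value|default:$confirm}}"`.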
diff --git a/view/theme/frio/templates/confirm.tpl b/view/theme/frio/templates/confirm.tpl
index 187078b68a..3f8c0c3268 100644
--- a/view/theme/frio/templates/confirm.tpl
+++ b/view/theme/frio/templates/confirm.tpl
@@ -3,7 +3,7 @@
 	<div id="confirm-message">{{$message}}</div>
 
 	<div class="form-group pull-right settings-submit-wrapper">
-		<button type="submit" name="{{$confirm_name}}" id="confirm-submit-button" class="btn btn-primary confirm-button" value="{{$confirm}}">{{$confirm}}</button>
+		<button type="submit" name="{{$confirm_name}}" id="confirm-submit-button" class="btn btn-primary confirm-button" value="{{$confirm_value}}">{{$confirm}}</button>
 		<button type="submit" name="canceled" id="confirm-cancel-button" class="btn confirm-button" data-dismiss="modal">{{$cancel}}</button>
 	</div>
 </form>

From 44ec4de14cc6dc3b27bd98ceec1c2705d45fc77a Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Tue, 14 Sep 2021 17:28:42 -0400
Subject: [PATCH 3/3] Use CSRF token as name and value for contact deletion
 confirm form

---
 src/Module/Contact.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/Module/Contact.php b/src/Module/Contact.php
index 2b17deab40..ceb2b6757c 100644
--- a/src/Module/Contact.php
+++ b/src/Module/Contact.php
@@ -432,7 +432,8 @@ class Contact extends BaseModule
 						'$message' => DI::l10n()->t('Do you really want to delete this contact?'),
 						'$confirm' => DI::l10n()->t('Yes'),
 						'$confirm_url' => DI::args()->getCommand(),
-						'$confirm_name' => 'confirmed',
+						'$confirm_name' => 't',
+						'$confirm_value' => BaseModule::getFormSecurityToken('contact_action'),
 						'$cancel' => DI::l10n()->t('Cancel'),
 					]);
 				}
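Review bot: The hunk only issues the token (`'$confirm_name' => 't'`, `'$confirm_value' => BaseModule::getFormSecurityToken('contact_action')`), while the POST handling that previously looked for a `confirmed` field lies outside the hunk; it must now run the matching BaseModule `checkFormSecurityToken*` check with type name `'contact_action'` and field name `'t'`, and treat that check as the confirmation signal, otherwise the form is either rejected or the confirmation goes unverified. The field name `'t'` is a bare string that has to match that verification site exactly; a comment such as `// field name must match the token check in the POST handler` would keep the two in sync. Since the hunk header shows `Contact extends BaseModule`, `self::getFormSecurityToken('contact_action')` is the more conventional call than the explicit parent-class reference. The enclosing method starts and ends outside the hunk.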