Add a csrf check to the Lister bookmarks form and make markup disallowed by default (with optional argument to enable it) in ProcessController ajax notification response generator (as used by some Lister errors).

Co-authored-by: filipaze <filipaze98@gmail.com> Co-authored-by: rondons <guilhermetamagnini@gmail.com>
2025-08-20 13:31:48 +02:00 · 2022-09-12 11:24:05 -04:00
parent f6558c25ac
commit 95bdbf76ba
2 changed files with 10 additions and 4 deletions
--- a/wire/modules/Process/ProcessPageLister/ProcessPageListerBookmarks.php
+++ b/wire/modules/Process/ProcessPageLister/ProcessPageListerBookmarks.php
@@ -445,6 +445,7 @@ class ProcessPageListerBookmarks extends Wire {

 		$deleteBookmarkID = $this->bookmarks->_bookmarkID($input->post('delete_bookmark'));
 		if($deleteBookmarkID) {
+			$session->CSRF()->validate();
 			if($this->bookmarks->deleteBookmarkByID($deleteBookmarkID)) {
 				$this->message($this->_('Deleted bookmark'));
 			} else {
@@ -455,7 +456,9 @@ class ProcessPageListerBookmarks extends Wire {
 		}

 		if($input->post('bookmark_title')) {
-			return $this->executeSaveBookmark();
+			$session->CSRF()->validate();
+			$this->executeSaveBookmark();
+			return '';
 		}

 		$bookmarkID = $this->bookmarks->_bookmarkID($input->get('bookmark'));