added CSRF protection using csurf express middleware, fixes #455

2025-11-13 08:45:50 +01:00 · 2019-03-24 22:41:53 +01:00
parent f6413d095c
commit 9fc5d328b4
11 changed files with 87 additions and 15 deletions
--- a/src/views/desktop.ejs
+++ b/src/views/desktop.ejs
@@ -237,7 +237,8 @@
        activeDialog: null,
        sourceId: '<%= sourceId %>',
        maxSyncIdAtLoad: <%= maxSyncIdAtLoad %>,
-        instanceName: '<%= instanceName %>'
+        instanceName: '<%= instanceName %>',
+        csrfToken: '<%= csrfToken %>'
    };
    window.appCssNoteIds = <%- JSON.stringify(appCssNoteIds) %>;
 </script>
--- a/src/views/mobile.ejs
+++ b/src/views/mobile.ejs
@@ -68,7 +68,9 @@

    <div class="dropdown-menu dropdown-menu-sm" id="context-menu-container"></div>

-    <form action="logout" id="logout-form" method="POST" style="display: none;"></form>
+    <form action="logout" id="logout-form" method="POST" style="display: none;">
+        <input type="hidden" name="_csrf" value="<%= csrfToken %>"/>
+    </form>
 </div>

 <script type="text/javascript">
@@ -78,7 +80,8 @@
        activeDialog: null,
        sourceId: '<%= sourceId %>',
        maxSyncIdAtLoad: <%= maxSyncIdAtLoad %>,
-        instanceName: '<%= instanceName %>'
+        instanceName: '<%= instanceName %>',
+        csrfToken: '<%= csrfToken %>'
    };
 </script>