Merge pull request #129 from CatoTH/master

CSRF-Protection and minor changes

view/cropbody.tpl

@@ -40,6 +40,7 @@ $desc
 </script>
 
 <form action="profile_photo/$resource" id="crop-image-form" method="post" />
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 
 <input type="hidden" name="cropfinal" value="1" />
 <input type="hidden" name="xstart" id="x1" />

view/profile_edit.tpl

@@ -5,9 +5,9 @@ $default
 <div id="profile-edit-links">
 <ul>
 <li><a href="profile/$profile_id/view?tab=profile" id="profile-edit-view-link" title="$viewprof">$viewprof</a></li>
-<li><a href="profiles/clone/$profile_id" id="profile-edit-clone-link" title="$cr_prof">$cl_prof</a></li>
+<li><a href="$profile_clone_link" id="profile-edit-clone-link" title="$cr_prof">$cl_prof</a></li>
 <li></li>
-<li><a href="profiles/drop/$profile_id" id="profile-edit-drop-link" title="$del_prof" $disabled >$del_prof</a></li>
+<li><a href="$profile_drop_link" id="profile-edit-drop-link" title="$del_prof" $disabled >$del_prof</a></li>
 
 </ul>
 </div>
@@ -17,6 +17,7 @@ $default
 
 <div id="profile-edit-wrapper" >
 <form id="profile-edit-form" name="form1" action="profiles/$profile_id" method="post" >
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 
 <div id="profile-edit-profile-name-wrapper" >
 <label id="profile-edit-profile-name-label" for="profile-edit-profile-name" >$lbl_profname </label>

view/profile_listing_header.tpl

@@ -3,6 +3,6 @@
 <a href="profile_photo" >$chg_photo</a>
 </p>
 <div id="profile-listing-new-link-wrapper" class="button" >
-<a href="profiles/new" id="profile-listing-new-link" title="$cr_new" >$cr_new</a>
+<a href="$cr_new_link" id="profile-listing-new-link" title="$cr_new" >$cr_new</a>
 </div>
 

view/profile_photo.tpl

@@ -1,6 +1,7 @@
 <h1>$title</h1>
 
 <form enctype="multipart/form-data" action="profile_photo" method="post">
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 
 <div id="profile-photo-upload-wrapper">
 <label id="profile-photo-upload-label" for="profile-photo-upload">$lbl_upfile </label>

view/settings.tpl

@@ -5,7 +5,7 @@ $tabs
 $nickname_block
 
 <form action="settings" id="settings-form" method="post" autocomplete="off" >
-
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 
 <h3 class="settings-heading">$h_pass</h3>
 

view/settings_addons.tpl

@@ -4,6 +4,7 @@ $tabs
 
 
 <form action="settings/addon" method="post" autocomplete="off">
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 
 $settings_addons
 

view/settings_connectors.tpl

@@ -6,6 +6,7 @@ $tabs
 <div class="connector_statusmsg">$ostat_enabled</div>
 
 <form action="settings/connectors" method="post" autocomplete="off">
+<input type='hidden' name='form_security_token' value='$form_security_token'>
 
 $settings_connectors
 

view/settings_oauth.tpl

@@ -4,7 +4,8 @@ $tabs
 
 
 <form action="settings/oauth" method="post" autocomplete="off">
-	
+<input type='hidden' name='form_security_token' value='$form_security_token'>
+
 	<div id="profile-edit-links">
 		<ul>
 			<li>
@@ -24,7 +25,7 @@ $tabs
 		{{ endif }}
 		{{ if $app.my }}
 		<a href="$baseurl/settings/oauth/edit/$app.client_id" class="icon s22 edit" title="$edit">&nbsp;</a>
-		<a href="$baseurl/settings/oauth/delete/$app.client_id" class="icon s22 delete" title="$delete">&nbsp;</a>
+		<a href="$baseurl/settings/oauth/delete/$app.client_id?t=$form_security_token" class="icon s22 delete" title="$delete">&nbsp;</a>
 		{{ endif }}		
 	</div>
 	{{ endfor }}

view/settings_oauth_edit.tpl

@@ -3,6 +3,8 @@ $tabs
 <h1>$title</h1>
 
 <form method="POST">
+<input type='hidden' name='form_security_token' value='$form_security_token'>
+
 {{ inc field_input.tpl with $field=$name }}{{ endinc }}
 {{ inc field_input.tpl with $field=$key }}{{ endinc }}
 {{ inc field_input.tpl with $field=$secret }}{{ endinc }}