Fossil SCM

Fix /whistory page: prevent <var>csrf</var> parameter from appearing within a query string when requesting a <tt>diff</tt>. <var>csrf</var> started to appear in a query due to <tt>[/timeline?r=csrf-defense-enhancement|csrf-defense-enhancement]</tt>: <code>form_begin()</code> [/fdiff?v1=9ab558549b3ca653&v2=b86a42cf7932f1cd|unconditionally generates] a hidden input with <var>csrf</var> token since [88a402fe2a5641]. This check-in addapts /whistory page to the new behaviour.

george 2023-12-24 15:22 trunk
Commit abdf2805fef7f4bc6a1b63dda1b916424290fb397db1b9ed41f6ab3b1fbb1fb8
Parent 4bb5515caefa682…
1 file changed +4 -1
~ src/fossil.page.whistory.js
M src/fossil.page.whistory.js
+4 -1
--- src/fossil.page.whistory.js
+++ src/fossil.page.whistory.js
@@ -9,11 +9,14 @@
99
 * to avoid modern API and ECMAScript constructs. This makes it less
1010
 * readable and may be reconsidered in the future.
1111
 */
1212
 window.addEventListener( 'load', function() {
1313
14
-document.getElementById("wh-form").method = "GET";
14
+var form = document.getElementById("wh-form");
15
+form.method = "GET";
16
+var csrf = form.querySelector("input[name='csrf']");
17
+if( csrf ) form.removeChild( csrf );
1518
1619
 var wh_id = document.getElementById("wh-id" );
1720
 var wh_pid = document.getElementById("wh-pid");
1821
 var wh_cleaner = document.getElementById("wh-cleaner");
1922
 var wh_collapser = document.getElementById("wh-collapser");
2023
--- src/fossil.page.whistory.js
+++ src/fossil.page.whistory.js
@@ -9,11 +9,14 @@
9 * to avoid modern API and ECMAScript constructs. This makes it less
10 * readable and may be reconsidered in the future.
11 */
12 window.addEventListener( 'load', function() {
13
14 document.getElementById("wh-form").method = "GET";
 
 
 
15
16 var wh_id = document.getElementById("wh-id" );
17 var wh_pid = document.getElementById("wh-pid");
18 var wh_cleaner = document.getElementById("wh-cleaner");
19 var wh_collapser = document.getElementById("wh-collapser");
20
--- src/fossil.page.whistory.js
+++ src/fossil.page.whistory.js
@@ -9,11 +9,14 @@
9 * to avoid modern API and ECMAScript constructs. This makes it less
10 * readable and may be reconsidered in the future.
11 */
12 window.addEventListener( 'load', function() {
13
14 var form = document.getElementById("wh-form");
15 form.method = "GET";
16 var csrf = form.querySelector("input[name='csrf']");
17 if( csrf ) form.removeChild( csrf );
18
19 var wh_id = document.getElementById("wh-id" );
20 var wh_pid = document.getElementById("wh-pid");
21 var wh_cleaner = document.getElementById("wh-cleaner");
22 var wh_collapser = document.getElementById("wh-collapser");
23

Keyboard Shortcuts

Open search /
Next entry (timeline) j
Previous entry (timeline) k
Open focused entry Enter
Show this help ?
Toggle theme Top nav button