From 7d2e079fd4ee30367edb7a8503d3b323741d8310 Mon Sep 17 00:00:00 2001
From: Andrew O'Neil
Date: Sun, 28 Oct 2007 21:44:38 +0000
Subject: [PATCH] #941 - Security flaw: SS prone to CSRF attack

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/trunk@43901 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 javascript/CommentTableField.js | 2 +-
 javascript/MemberTableField.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/CommentTableField.js b/javascript/CommentTableField.js
index 928a7da0..3582950a 100644
--- a/javascript/CommentTableField.js
+++ b/javascript/CommentTableField.js
@@ -121,7 +121,7 @@ CommentFilterButton.prototype = {
 updateURL += this.inputFields[index].name + '=' + encodeURIComponent( this.inputFields[index].value ) + '&';
 }
 }
- updateURL += 'ajax=1';
+ updateURL += 'ajax=1' + ($('SecurityID') ? '&SecurityID=' + $('SecurityID').value : '');
 new Ajax.Request( updateURL, {
 onSuccess: Ajax.Evaluator,
diff --git a/javascript/MemberTableField.js b/javascript/MemberTableField.js
index 91b46ebc..b7d49f5c 100755
--- a/javascript/MemberTableField.js
+++ b/javascript/MemberTableField.js
@@ -254,7 +254,7 @@ MemberFilterButton.prototype = {
 updateURL += this.inputFields[index].name + '=' + encodeURIComponent( this.inputFields[index].value ) + '&';
 }
 }
- updateURL += 'ajax=1';
+ updateURL += 'ajax=1' + ($('SecurityID') ? '&SecurityID=' + $('SecurityID').value : '');
 new Ajax.Request( updateURL, {
 onSuccess: Ajax.Evaluator,
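Review bot: The added line in CommentTableField.js concatenates `$('SecurityID').value` into the query string raw, whereas the filter fields built two lines earlier in the same hunk go through `encodeURIComponent`; a token containing `+`, `&`, `=` or `%` would be mangled or split into a separate parameter and the server-side check would then reject a legitimate request. Suggest `updateURL += 'ajax=1' + ($('SecurityID') ? '&SecurityID=' + encodeURIComponent($('SecurityID').value) : '');`. It is also worth a comment on this line that the token rides in the request URL and so may land in server or proxy logs, and that the client only supplies it — the CSRF protection itself depends on the server validating `SecurityID`, which this hunk cannot show. The enclosing filter method begins and continues outside the hunk.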
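Review bot: The added line in MemberTableField.js appends `$('SecurityID').value` without `encodeURIComponent`, unlike the other query parameters assembled just above it in the same hunk, so any token value with URL-reserved characters would break the parameter and fail the server-side check for that user. Suggest `updateURL += 'ajax=1' + ($('SecurityID') ? '&SecurityID=' + encodeURIComponent($('SecurityID').value) : '');`, matching the encoding already used for the filter fields. When `SecurityID` is absent from the page the request is sent silently without a token; if the server rejects such requests (not visible here) a short comment noting that the element is expected to be present would help the next maintainer. The enclosing filter method begins and continues outside the hunk.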