From 63ae97f694a9fa613735918be01c4481a2adc160 Mon Sep 17 00:00:00 2001
From: HDVinnie <hdinnovations@protonmail.com>
Date: Sat, 9 Oct 2021 09:58:22 -0400
Subject: [PATCH] security: cross-site request forgery

---
 resources/views/pm/inbox.blade.php | 13 +++++++------
 routes/web.php                     |  2 +-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/resources/views/pm/inbox.blade.php b/resources/views/pm/inbox.blade.php
index a03c5945cb..8ca60c7867 100644
--- a/resources/views/pm/inbox.blade.php
+++ b/resources/views/pm/inbox.blade.php
@@ -36,12 +36,13 @@ class="{{ config('other.font-awesome') }} fa-eye"></i></button>
                                         data-original-title="@lang('pm.refresh')"><i
                                             class="{{ config('other.font-awesome') }} fa-sync-alt"></i></button>
                                 </a>
-                                <a href="{{ route('empty-inbox') }}">
-                                    <button type="button" id="btn_refresh" class="btn btn-danger dropdown-toggle"
-                                        data-toggle="tooltip" data-placement="top"
-                                        data-original-title="@lang('pm.empty-inbox')"><i
-                                            class="{{ config('other.font-awesome') }} fa-trash"></i> @lang('pm.empty-inbox')</button>
-                                </a>
+                                <form role="form" method="POST" action="{{ route('empty-inbox') }}" style="display: inline-block;">
+                                    @csrf
+                                    @method('DELETE')
+                                    <button type="submit" class="btn btn-danger dropdown-toggle">
+                                        <i class="{{ config('other.font-awesome') }} fa-trash"></i> @lang('pm.empty-inbox')
+                                    </button>
+                                </form>
                             </div>
                         </div>
                         <div class="col-md-4 col-xs-7">
diff --git a/routes/web.php b/routes/web.php
index 5fb3264c6b..3e7b4a818c 100755
--- a/routes/web.php
+++ b/routes/web.php
@@ -222,7 +222,7 @@
             Route::get('/outbox', [App\Http\Controllers\PrivateMessageController::class, 'getPrivateMessagesSent'])->name('outbox');
             Route::get('/create', [App\Http\Controllers\PrivateMessageController::class, 'makePrivateMessage'])->name('create');
             Route::get('/mark-all-read', [App\Http\Controllers\PrivateMessageController::class, 'markAllAsRead'])->name('mark-all-read');
-            Route::get('/empty-inbox', [App\Http\Controllers\PrivateMessageController::class, 'emptyInbox'])->name('empty-inbox');
+            Route::delete('/empty-inbox', [App\Http\Controllers\PrivateMessageController::class, 'emptyInbox'])->name('empty-inbox');
             Route::post('/send', [App\Http\Controllers\PrivateMessageController::class, 'sendPrivateMessage'])->name('send-pm');
             Route::post('/{id}/reply', [App\Http\Controllers\PrivateMessageController::class, 'replyPrivateMessage'])->name('reply-pm');
             Route::post('/{id}/destroy', [App\Http\Controllers\PrivateMessageController::class, 'deletePrivateMessage'])->name('delete-pm');