From 2d596aa92aa1e352cc4150ff8164a65a6143cdcd Mon Sep 17 00:00:00 2001 From: Aimeos Date: Sat, 18 Sep 2021 08:30:27 +0200 Subject: [PATCH] Use POST instead of GET for managing favorite/pinned/watched items --- .../Client/Html/Account/Favorite/Standard.php | 2 +- .../Client/Html/Account/Watch/Standard.php | 2 +- .../Html/Catalog/Session/Pinned/Standard.php | 79 ++++++++++--------- .../account/favorite/body-standard.php | 7 +- .../templates/account/watch/body-standard.php | 5 +- .../catalog/actions-partial-standard.php | 7 +- .../catalog/session/pinned-body-standard.php | 7 +- client/html/tests/TestHelperHtml.php | 2 +- client/html/themes/default/aimeos.css | 31 ++++---- 9 files changed, 76 insertions(+), 66 deletions(-) diff --git a/client/html/src/Client/Html/Account/Favorite/Standard.php b/client/html/src/Client/Html/Account/Favorite/Standard.php index bcf6af4da..13d3c5dd3 100644 --- a/client/html/src/Client/Html/Account/Favorite/Standard.php +++ b/client/html/src/Client/Html/Account/Favorite/Standard.php @@ -285,7 +285,7 @@ public function process() try { - if( $context->getUserId() != null && !empty( $ids ) ) + if( $context->getUserId() != null && !empty( $ids ) && $view->request()->getMethod() === 'POST' ) { switch( $view->param( 'fav_action' ) ) { diff --git a/client/html/src/Client/Html/Account/Watch/Standard.php b/client/html/src/Client/Html/Account/Watch/Standard.php index cd46ccf5e..a87e5626b 100644 --- a/client/html/src/Client/Html/Account/Watch/Standard.php +++ b/client/html/src/Client/Html/Account/Watch/Standard.php @@ -286,7 +286,7 @@ public function process() try { - if( $context->getUserId() != null && !empty( $ids ) ) + if( $context->getUserId() != null && !empty( $ids ) && $view->request()->getMethod() === 'POST' ) { switch( $view->param( 'wat_action' ) ) { diff --git a/client/html/src/Client/Html/Catalog/Session/Pinned/Standard.php b/client/html/src/Client/Html/Catalog/Session/Pinned/Standard.php index a37d6b27a..132995090 100644 
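Review bot: The new `$view->request()->getMethod() === 'POST'` guard in `process()` stops a bare link from adding or deleting favorites, but nothing in this hunk checks the CSRF token that the template side now emits with `csrf()->formfield()`; a method check alone does not stop a cross-site POST form. If token verification is done by the host framework's middleware on this route that is fine, but the guard is silent about it and deserves a comment such as `// state changes only via POST; the CSRF token is verified by the framework, not here`. The surviving `$context->getUserId() != null` is a loose comparison, so a user id of `0` or `''` would also be treated as "not logged in" — probably intended, but `!== null` would make that explicit if getUserId() really returns null for guests. The rest of process() is outside the hunk.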
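Review bot: The watch-list guard `$context->getUserId() != null && !empty( $ids ) && $view->request()->getMethod() === 'POST'` is now a verbatim copy of the favorite-list one, and the Pinned client repeats the method test a third time; if these clients share a base class, a single helper (something like `isPost()`) would keep the "state changes require POST" rule in one place and make future changes (for example also accepting a token check) harder to miss. Failing that, the line should carry the same short comment in both files so the next reader knows the rule is deliberate and not framework-enforced. process() continues outside the hunk.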
--- a/client/html/src/Client/Html/Catalog/Session/Pinned/Standard.php +++ b/client/html/src/Client/Html/Catalog/Session/Pinned/Standard.php 
@@ -229,45 +229,48 @@ public function process() $session = $context->getSession(); $pinned = $session->get( 'aimeos/catalog/session/pinned/list', [] ); - switch( $view->param( 'pin_action' ) ) + if( $view->request()->getMethod() === 'POST' ) { - case 'add': - - foreach( (array) $view->param( 'pin_id', [] ) as $id ) { - $pinned[$id] = $id; - } - - /** client/html/catalog/session/pinned/maxitems - * Maximum number of products displayed in the "pinned" section - * - * This option limits the number of products that are shown in the - * "pinned" section after the users added the product to their list - * of pinned products. It must be a positive integer value greater - * than 0. - * - * Note: The higher the value is the more data has to be transfered - * to the client each time the user loads a page with the list of - * pinned products. - * - * @param integer Number of products - * @since 2014.09 - * @category User - * @category Developer - */ - $max = $context->getConfig()->get( 'client/html/catalog/session/pinned/maxitems', 50 ); - - $pinned = array_slice( $pinned, -$max, $max, true ); - $refresh = true; - break; - - case 'delete': - - foreach( (array) $view->param( 'pin_id', [] ) as $id ) { - unset( $pinned[$id] ); - } - - $refresh = true; - break; + switch( $view->param( 'pin_action' ) ) + { + case 'add': + + foreach( (array) $view->param( 'pin_id', [] ) as $id ) { + $pinned[$id] = $id; + } + + /** client/html/catalog/session/pinned/maxitems + * Maximum number of products displayed in the "pinned" section + * + * This option limits the number of products that are shown in the + * "pinned" section after the users added the product to their list + * of pinned products. It must be a positive integer value greater + * than 0. + * + * Note: The higher the value is the more data has to be transfered + * to the client each time the user loads a page with the list of + * pinned products. 
+ * + * @param integer Number of products + * @since 2014.09 + * @category User + * @category Developer + */ + $max = $context->getConfig()->get( 'client/html/catalog/session/pinned/maxitems', 50 ); + + $pinned = array_slice( $pinned, -$max, $max, true ); + $refresh = true; + break; + + case 'delete': + + foreach( (array) $view->param( 'pin_id', [] ) as $id ) { + unset( $pinned[$id] ); + } + + $refresh = true; + break; + } } diff --git a/client/html/templates/account/favorite/body-standard.php b/client/html/templates/account/favorite/body-standard.php index 81acdcba9..62c9c5b73 100644 --- a/client/html/templates/account/favorite/body-standard.php +++ b/client/html/templates/account/favorite/body-standard.php @@ -114,9 +114,10 @@
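Review bot: Both `foreach( (array) $view->param( 'pin_id', [] ) as $id )` loops still use the request value directly as an array key (`$pinned[$id] = $id;` and `unset( $pinned[$id] );`), so a request such as `pin_id[][]=x` yields an array element and PHP throws "Illegal offset type" instead of ignoring it; the POST restriction does not change that. Skipping non-scalar entries in both branches is a one-line fix, e.g. `foreach( array_filter( (array) $view->param( 'pin_id', [] ), 'is_scalar' ) as $id )`. Note also that the `maxitems` cap only bounds the number of entries, not their length, so the session can still grow with long ids — whether that matters depends on the session backend, which is not visible here. The enclosing process() starts before and ends after the hunk.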
  • 'delete', 'fav_id' => $listItem->getRefId()] + $this->get( 'favoriteParams', [] ) ?> - - translate( 'client', 'X' ) ?> - +
    + + csrf()->formfield() ?> +
    $productItem->getName( 'url' ), 'd_prodid' => $productItem->getId(), 'd_pos' => ''], $detailFilter ) ?> diff --git a/client/html/templates/account/watch/body-standard.php b/client/html/templates/account/watch/body-standard.php index 9cf7a10d3..e8fe5a3d1 100644 --- a/client/html/templates/account/watch/body-standard.php +++ b/client/html/templates/account/watch/body-standard.php @@ -113,7 +113,10 @@
  • 'delete', 'wat_id' => $listItem->getRefId()] + $this->get( 'watchParams', [] ) ?> - +
    + + csrf()->formfield() ?> +
    $productItem->getName( 'url' ), 'd_prodid' => $productItem->getId(), 'd_pos' => ''], $detailFilter ) ?> diff --git a/client/html/templates/catalog/actions-partial-standard.php b/client/html/templates/catalog/actions-partial-standard.php index e4ec0c456..0cbc59bea 100644 --- a/client/html/templates/catalog/actions-partial-standard.php +++ b/client/html/templates/catalog/actions-partial-standard.php @@ -58,8 +58,11 @@ diff --git a/client/html/templates/catalog/session/pinned-body-standard.php b/client/html/templates/catalog/session/pinned-body-standard.php index 28188dad2..cb035b89b 100644 --- a/client/html/templates/catalog/session/pinned-body-standard.php +++ b/client/html/templates/catalog/session/pinned-body-standard.php @@ -118,9 +118,10 @@ $productItem->getName( 'url' ), 'd_prodid' => $id, 'd_pos' => ''], $detailFilter ) ?>
  • - - +
    + + csrf()->formfield() ?> +
    diff --git a/client/html/tests/TestHelperHtml.php b/client/html/tests/TestHelperHtml.php index a47b845d0..e36c6f70d 100644 --- a/client/html/tests/TestHelperHtml.php +++ b/client/html/tests/TestHelperHtml.php @@ -58,7 +58,7 @@ public static function getView( $site = 'unittest', \Aimeos\MW\Config\Iface $con $view->addHelper( 'csrf', $helper ); $psr17Factory = new \Nyholm\Psr7\Factory\Psr17Factory(); - $helper = new \Aimeos\MW\View\Helper\Request\Standard( $view, $psr17Factory->createServerRequest( 'GET', 'https://aimeos.org' ) ); + $helper = new \Aimeos\MW\View\Helper\Request\Standard( $view, $psr17Factory->createServerRequest( 'POST', 'https://aimeos.org' ) ); $view->addHelper( 'request', $helper ); $helper = new \Aimeos\MW\View\Helper\Response\Standard( $view, $psr17Factory->createResponse() ); diff --git a/client/html/themes/default/aimeos.css b/client/html/themes/default/aimeos.css index 073a7fdde..1eb6154ca 100644 --- a/client/html/themes/default/aimeos.css +++ b/client/html/themes/default/aimeos.css @@ -447,6 +447,12 @@ body .main-section { border: 0; } +.aimeos .minibutton.delete:after { + font: normal normal normal 14px/1 bootstrap-icons; + font-size: 100%; + content: "\f5de"; +} + .aimeos .button-group { text-align: center; padding: 1rem 0; @@ -2705,6 +2711,14 @@ html.no-js .catalog-filter-price:hover .price-lists { /* Watched, favorite, suggested products and session items */ + +.account-watch .minibutton.delete, +.account-favorite .minibutton.delete { + position: absolute; + right: 1%; + top: 1%; +} + .account-watch, .account-favorite, .basket-related-bought, @@ -3146,10 +3160,8 @@ html.no-js .catalog-filter-price:hover .price-lists { } .basket-standard-coupon .minibutton.delete:after { - font: normal normal normal 14px/1 FontAwesome; - font-size: 125%; - content: "\f2ed"; display: inline-block; + font-size: 125%; } @media (max-width: 480px) { 
@@ -3220,13 +3232,6 @@ html.no-js .catalog-filter-price:hover .price-lists { width: 2rem; } -.basket-bulk .minibutton.delete:after { - font: normal normal normal 14px/1 bootstrap-icons; - display: inline-block; - content: "\f5de"; - font-size: 100%; -} - /* Checkout */ .checkout-standard .steps { @@ -3369,12 +3374,6 @@ html.no-js .catalog-filter-price:hover .price-lists { top: 1%; } -.checkout-standard-address .minibutton.delete:after { - font: normal normal normal 14px/1 FontAwesome; - font-size: 100%; - content: "\f00d"; -} - .checkout-standard-address .item-address .modify { float: right; }