fixed potential security issue, closes #250

Erudika · Jun 21, 2021 · 5f24387 · 5f24387
1 parent 1fdfee9
commit 5f24387
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/src/main/java/com/erudika/scoold/controllers/VoteController.java b/src/main/java/com/erudika/scoold/controllers/VoteController.java
@@ -52,8 +52,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 /**
@@ -83,15 +83,15 @@ public VoteController(ScooldUtils utils) {
 	}
 
 	@ResponseBody
-	@GetMapping("/voteup/{type}/{id}")
+	@PostMapping("/voteup/{type}/{id}")
 	public Boolean voteup(@PathVariable String type, @PathVariable String id, HttpServletRequest req) {
 		//addModel("voteresult", result);
 		ParaObject votable = StringUtils.isBlank(type) ? pc.read(id) : pc.read(type, id);
 		return processVoteRequest(true, votable, req);
 	}
 
 	@ResponseBody
-	@GetMapping("/votedown/{type}/{id}")
+	@PostMapping("/votedown/{type}/{id}")
 	public Boolean votedown(@PathVariable String type, @PathVariable String id, HttpServletRequest req) {
 		//addModel("voteresult", result);
 		ParaObject votable = StringUtils.isBlank(type) ? pc.read(id) : pc.read(type, id);

diff --git a/src/main/resources/static/scripts/scoold.js b/src/main/resources/static/scripts/scoold.js
@@ -323,7 +323,7 @@ $(function () {
 		var newvotes = parseInt(votes.text(), 10) || 0;
 		if (!dis.data("disabled")) {
 			dis.data("disabled", true);
-			$.get(this.href, function(data) {
+			$.post(this.href, function(data) {
 				if (data === true) {
 					if (up) {
 						newvotes++;