GET replaced with POST

Issue #70
flatCore · Oct 13, 2021 · 4891673 · 4891673
1 parent 72d8373
commit 4891673
Show file tree

Hide file tree

Showing 21 changed files with 106 additions and 69 deletions.
diff --git a/acp/acp.php b/acp/acp.php
@@ -982,12 +982,13 @@ function expandHelpSidebar(){
 				$('.page-info-btn').click(function(){
 
 				   var pageid = $(this).data('id');
+				   var csrf_token = $(this).data('token');
 
 				   // AJAX request
 				   $.ajax({
 				    url: 'core/pages.info.php',
 				    type: 'post',
-				    data: {pageid: pageid},
+				    data: {pageid: pageid, csrf_token: csrf_token},
 				    success: function(response){ 
 				      // Add response in Modal body
 				      $('#pageInfoModal .modal-body').html(response);

diff --git a/acp/core/access.php b/acp/core/access.php
@@ -107,6 +107,6 @@ function fc_start_user_session($ud) {
 	}
 }
 
-$hidden_csrf_tokken = '<input type="hidden" name="csrf_token" value="'.$_SESSION['token'].'">';
+$hidden_csrf_token = '<input type="hidden" name="csrf_token" value="'.$_SESSION['token'].'">';
 
 ?>
diff --git a/acp/core/dashboard.top.php b/acp/core/dashboard.top.php
@@ -72,7 +72,7 @@
 		$user_latest5 .= '</div>';
 		$user_latest5 .= '<form class="inline" action="?tn=user&sub=edit" method="POST">';	
 		$user_latest5 .= '<button name="edituser" value='.$user_id.'" class="btn btn-fc btn-sm">'.$icon['edit'].'</button>';
-		$user_latest5 .= $hidden_csrf_tokken;
+		$user_latest5 .= $hidden_csrf_token;
 		$user_latest5 .= '</form>';
 
 		$user_latest5 .= '</div>';
@@ -130,7 +130,7 @@
 		$top5pages .= '</div>';
 		$top5pages .= '<form class="inline" action="?tn=pages&sub=edit" method="POST">';
 		$top5pages .= '<button class="btn btn-fc btn-sm" name="editpage" value="'.$allPages[$i]['page_id'].'">'.$icon['edit'].'</button>';
-		$top5pages .= $hidden_csrf_tokken;
+		$top5pages .= $hidden_csrf_token;
 		$top5pages .= '</form>';
 		$top5pages .= '</div>';
 
@@ -177,7 +177,7 @@
 		$top5posts .= '</div>';
 		$top5posts .= '<form class="inline" action="?tn=posts&sub=edit" method="POST">';
 		$top5posts .= '<button class="btn btn-fc btn-sm" name="post_id" value="'.$allPosts[$i]['post_id'].'">'.$icon['edit'].'</button>';
-		$top5posts .= $hidden_csrf_tokken;
+		$top5posts .= $hidden_csrf_token;
 		$top5posts .= '</form>';
 		$top5posts .= '</div>';
 
@@ -216,7 +216,7 @@
 		$top5comments .= '</div>';
 		$top5comments .= '<form class="inline" action="?tn=comments&sub=list#comid'.$allComments[$i]['comment_id'].'" method="POST">';
 		$top5comments .= '<button class="btn btn-fc btn-sm" name="editid" value="'.$allComments[$i]['comment_id'].'">'.$icon['edit'].'</button>';
-		$top5comments .= $hidden_csrf_tokken;
+		$top5comments .= $hidden_csrf_token;
 		$top5comments .= '</form>';
 		$top5comments .= '</div>';
 		$top5comments .= '</div>';
@@ -294,8 +294,8 @@
 $btn_page_overview = '<a href="acp.php?tn=pages" class="btn btn-fc btn-sm w-100">'.$icon['sitemap'].'</a>';
 $btn_new_page = '<a href="acp.php?tn=pages&sub=new" class="btn btn-fc btn-sm w-100">'.$icon['plus'].' '.$lang['new'].'</a>';
 
-$btn_update_index = '<form action="?tn=dashboard" method="POST" class="d-inline"><button name="update_index" class="btn btn-fc btn-sm w-100 text-nowrap">'.$icon['sync_alt'].' Index</button>'.$hidden_csrf_tokken.'</form>';
-$btn_delete_cache = '<form action="?tn=dashboard" method="POST"><button name="delete_cache" class="btn btn-fc btn-sm w-100 text-nowrap">'.$icon['trash_alt'].' Cache</button>'.$hidden_csrf_tokken.'</form>';
+$btn_update_index = '<form action="?tn=dashboard" method="POST" class="d-inline"><button name="update_index" class="btn btn-fc btn-sm w-100 text-nowrap">'.$icon['sync_alt'].' Index</button>'.$hidden_csrf_token.'</form>';
+$btn_delete_cache = '<form action="?tn=dashboard" method="POST"><button name="delete_cache" class="btn btn-fc btn-sm w-100 text-nowrap">'.$icon['trash_alt'].' Cache</button>'.$hidden_csrf_token.'</form>';
 
 $btn_post_overview = '<a href="acp.php?tn=posts" class="btn btn-fc btn-sm w-100">'.$lang['tn_posts'].'</a>';
 $btn_new_post = '<a href="acp.php?tn=posts&sub=edit" class="btn btn-fc btn-sm w-100">'.$icon['plus'].' '.$lang['new'].'</a>';

diff --git a/acp/core/files.browser.php b/acp/core/files.browser.php
@@ -130,8 +130,9 @@
 }
 $select_dir .= '</optgroup>';
 $select_dir .= '</select>';
-$select_dir  .= '</div>';
-$select_dir  .= '</div>';
+$select_dir .= '</div>';
+$select_dir .= '</div>';
+$select_dir .= $hidden_csrf_token;
 $select_dir .= '</form>';
 
 
@@ -612,6 +613,7 @@ function delete_folder($dir) {
 	echo '<form class="inline pull-right" action="acp.php?tn=filebrowser&sub=browse&selected_folder='.dirname($disk).'" method="POST">';
 	echo '<input type="submit" value="'.$lang['delete_folder'].'" class="btn btn-danger" onclick="return confirm(\''.$lang['confirm_delete_folder'].'\')">';
 	echo '<input type="hidden" name="delete_folder" value="'.$disk.'">';
+	echo $hidden_csrf_token;
 	echo '</form>';
 	echo '</div>';
 }
@@ -794,6 +796,7 @@ function delete_folder($dir) {
 echo '<div class="btn-group d-flex" role="group">';
 echo '<button class="btn btn-sm btn-fc w-100" type="submit" name="rebuild" value="database">Database '.$icon['wrench'].'</button>';
 echo '<button class="btn btn-sm btn-fc w-100" type="submit" name="clear_tmb">Thumbnails '.$icon['trash_alt'].'</button>';
+echo $hidden_csrf_token;
 echo '</div>';
 echo '</form>';
 

diff --git a/acp/core/inc.pages.php b/acp/core/inc.pages.php
@@ -353,7 +353,7 @@
 	$kw_form .= '<div class="input-group">';
 	$kw_form .= '<span class="input-group-text">'.$icon['search'].'</span>';
 	$kw_form .= '<input class="form-control" type="text" name="kw_filter" value="" placeholder="'.$lang['button_search'].'">';
-	$kw_form .= $hidden_csrf_tokken;
+	$kw_form .= $hidden_csrf_token;
 	$kw_form .= '</div>';
 	$kw_form .= '</form>';
 

diff --git a/acp/core/pages.edit_rss.php b/acp/core/pages.edit_rss.php
@@ -7,8 +7,8 @@
 echo '<h3>RSS <small>Feed</small></h3>';
 echo '</div>';
 
-if($_REQUEST['delete'] != "") {
-	$delete = (int) $_REQUEST['delete'];	
+if($_POST['delete_rss_entry'] != "") {
+	$delete = (int) $_POST['delete_rss_entry'];	
 	$db_content->delete("fc_feeds", [
 		"feed_id" => $delete
 	]);
@@ -66,8 +66,10 @@
 	echo $feed_text;
 	echo '<p><a href="'.$feed_url.'" target="_blank">'.$feed_url.'</a></p>';
 	echo '<hr>';
-	echo "<a class='btn btn-fc text-danger' href='acp.php?tn=pages&sub=rss&delete=$feed_id' onclick=\"return confirm('$lang[confirm_delete_data]')\">$lang[delete]</a>";
-
+	echo '<form action="?tn=pages&sub=rss" method="POST">';
+	echo '<button class="btn btn-danger" name="delete_rss_entry" value="'.$feed_id.'" onclick="return confirm(\''.$lang['confirm_delete_data'].'\')">'.$lang['delete'].'</button>';
+	echo $hidden_csrf_token;
+	echo '</form>';
 	echo '</div>';
 	echo '</div>';
 

diff --git a/acp/core/pages.index.php b/acp/core/pages.index.php
@@ -6,8 +6,9 @@
 $status_msg = '';
 
 /* delete items from excludes list */
-if(isset($_GET['del_exclude']) && is_numeric($_GET['del_exclude'])) {
-	fc_delete_excludes($_GET['del_exclude']);
+if(isset($_POST['del_exclude']) && is_numeric($_POST['del_exclude'])) {
+	$del_exclude = (int) $_POST['del_exclude'];
+	fc_delete_excludes($del_exclude);
 }
 
 if(isset($_POST['add_exclude_url'])) {
@@ -36,34 +37,31 @@
 echo '<div class="col-sm-8">';
 
 
-if(isset($_GET['a']) && $_GET['a'] == 'start') {
-	if(empty($_GET['id'])) {
-		fc_crawler();
-	} else {
-		fc_crawler($_GET['id']);
-	}	
+if(isset($_POST['start_index_from']) && $_POST['start_index_from'] != '') {
+	fc_crawler($_POST['start_index_from']);
 }
 
-if(isset($_POST['start_index']) && $_POST['start_index'] != '') {
-	fc_crawler($_POST['start_index']);
+
+if(isset($_POST['start_update_page']) && $_POST['start_update_page'] != '') {
+	$fc_upi = fc_update_page_index($_POST['start_update_page']);
+	$status_msg = 'Script running '.$fc_upi['duration'].' seconds';
 }
 
 
-if(isset($_GET['a']) && $_GET['a'] == 'update') {
-	$fc_upi = fc_update_page_index($_GET['id']);
-	$status_msg = 'Script running '.$fc_upi['duration'].' seconds';
+if(isset($_POST['remove_page']) && $_POST['remove_page'] != '') {
+	$fc_upi = fc_remove_page_from_index($_POST['remove_page']);
 }
 
-if(isset($_GET['a']) && $_GET['a'] == 'update_bulk') {
-	fc_update_bulk_page_index();
+if(isset($_POST['start_index']) && $_POST['start_index'] != '') {
+	fc_crawler($_POST['start_index']);
 }
 
-if(isset($_GET['a']) && $_GET['a'] == 'index_bulk') {
-	fc_crawler_bulk();
+if(isset($_POST['start_update_bulk'])) {
+	fc_update_bulk_page_index();
 }
 
-if(isset($_GET['a']) && $_GET['a'] == 'remove') {
-	$fc_upi = fc_remove_page_from_index($_GET['id']);
+if(isset($_POST['start_index_bulk'])) {
+	fc_crawler_bulk();
 }
 
 
@@ -335,6 +333,8 @@
 	$tpl = str_replace('{cnt_images_errors}', $cnt_images_errors, $tpl);
 	$tpl = str_replace('{images_str}', $img_str, $tpl);
 
+	$tpl = str_replace('{csrf_token}', $hidden_csrf_token, $tpl);
+
 	echo $tpl;
 }
 
@@ -371,10 +371,15 @@
 echo '</div>';
 echo '</form>';
 
+
+echo '<form action="?tn=pages&sub=index" method="POST">';
 echo '<div class="btn-group d-flex mt-3" role="group">';
-echo '<a href="acp.php?tn=pages&sub=index&a=index_bulk" class="btn btn-save">'.$icon['sitemap'].' '.$lang['btn_bulk_index'].'</a>';
-echo '<a href="acp.php?tn=pages&sub=index&a=update_bulk" class="btn btn-save">'.$icon['sync_alt'].' '.$lang['btn_bulk_update'].'</a>';
+echo '<button name="start_index_bulk" class="btn btn-save">'.$icon['sitemap'].' '.$lang['btn_bulk_index'].'</button>';
+echo '<button name="start_update_bulk" class="btn btn-save">'.$icon['sync_alt'].' '.$lang['btn_bulk_update'].'</button>';
 echo '</div>';
+echo $hidden_csrf_token;
+echo '</form>';
+
 
 echo '<hr>';
 
@@ -427,16 +432,20 @@
 
 echo '<h5 class="mt-3">Exclude elements</h5>';
 
+echo '<form action="acp.php?tn=pages&sub=index" method="POST">';
 echo '<table class="table table-sm">';
 foreach($exclude_items as $ex_item) {
 	echo '<tr>';
 	echo '<td><code>'.$ex_item['item_element'].'</code></td>';
 	echo '<td><code>'.$ex_item['item_attributes'].'</code></td>';
-	echo '<td class="text-end"><a href="acp.php?tn=pages&sub=index&del_exclude='.$ex_item['item_id'].'" class="btn btn-danger btn-sm">'.$icon['trash_alt'].'</a></td>';
+	echo '<td class="text-end">';
+	echo '<button name="del_exclude" value="'.$ex_item['item_id'].'" class="btn btn-danger btn-sm">'.$icon['trash_alt'].'</button>';
+	echo '</td>';
 	echo '<tr>';
 }
 echo '</table>';
-
+echo $hidden_csrf_token;
+echo '</form>';
 
 /* form for exclude elements */
 
@@ -468,18 +477,19 @@
 
 echo '<h5>Exclude URLs</h5>';
 
-
-
-
-
+echo '<form action="acp.php?tn=pages&sub=index" method="POST">';
 echo '<table class="table table-sm">';
 foreach($exclude_urls as $ex_url) {
 	echo '<tr>';
 	echo '<td><code>'.$ex_url['item_url'].'</code></td>';
-	echo '<td class="text-end"><a href="acp.php?tn=pages&sub=index&del_exclude='.$ex_url['item_id'].'" class="btn btn-danger btn-sm">'.$icon['trash_alt'].'</a></td>';
+	echo '<td class="text-end">';
+	echo '<button name="del_exclude" value="'.$ex_url['item_id'].'" class="btn btn-danger btn-sm">'.$icon['trash_alt'].'</button>';
+	echo '</td>';
 	echo '<tr>';
 }
 echo '</table>';
+echo $hidden_csrf_token;
+echo '</form>';
 
 
 /* form for exclude urls */

diff --git a/acp/core/pages.info.php b/acp/core/pages.info.php
@@ -121,6 +121,7 @@
 	echo '<form action="?tn=pages&sub=edit" method="POST">';
 	echo '<button class="btn btn-sm btn-fc ms-auto" name="editpage" value="'.$page_data['page_id'].'" title="'.$lang['edit'].'">'.$lang['edit'].'</button>';
 	echo '<button type="button" class="btn btn-sm btn-fc" data-bs-dismiss="modal">Close</button>';
+	echo $hidden_csrf_token;
 	echo '</form>';
 } else {
 	echo '<button type="button" class="btn btn-sm btn-fc" data-bs-dismiss="modal">Close</button>';

diff --git a/acp/core/pages.list.php b/acp/core/pages.list.php
@@ -142,7 +142,7 @@
 		$duplicate_button = '';
 	}
 
-	$info_button = '<a href="#" class="btn btn-sm btn-fc w-100 page-info-btn" data-bs-target="pageInfoModal" data-id="'.$page_id.'" title="'.$lang['info'].'">'.$icon['info_circle'].'</a>';
+	$info_button = '<a href="#" class="btn btn-sm btn-fc w-100 page-info-btn" data-bs-target="pageInfoModal" data-id="'.$page_id.'" data-token="'.$_SESSION['token'].'" title="'.$lang['info'].'">'.$icon['info_circle'].'</a>';
 
 	$arr_checked_admins = explode(",",$page_authorized_users);
 	if(in_array("$_SESSION[user_nick]", $arr_checked_admins)) {
@@ -195,7 +195,7 @@
 		$status_label,$page_linkname,$page_title,
 		$show_mod,$item_class,$indent,$edit_button,$duplicate_button,$info_button,
 		$page_comments_link,$page_permalink,$last_edit,$page_sort, $show_template_name,
-		$page_redirect,$frontend_link,$page_description,$page_lang_thumb,$label,$pi,$hidden_csrf_tokken
+		$page_redirect,$frontend_link,$page_description,$page_lang_thumb,$label,$pi,$hidden_csrf_token
 		);
 
 
@@ -322,7 +322,7 @@
 		$duplicate_button = '';
 	}
 
-	$info_button = '<a href="#" class="btn btn-sm btn-fc w-100 page-info-btn" data-bs-target="pageInfoModal" data-id="'.$page_id.'" title="'.$lang['info'].'">'.$icon['info_circle'].'</a>';
+	$info_button = '<a href="#" class="btn btn-sm btn-fc w-100 page-info-btn" data-bs-target="pageInfoModal" data-id="'.$page_id.'" data-token="'.$_SESSION['token'].'" title="'.$lang['info'].'">'.$icon['info_circle'].'</a>';
 
 	$arr_checked_admins = explode(",",$page_authorized_users);
 	if(in_array("$_SESSION[user_nick]", $arr_checked_admins)) {
@@ -374,7 +374,7 @@
 		$status_label,$page_linkname,$page_title,
 		$show_mod,$item_class,$indent,$edit_button,$duplicate_button,$info_button,
 		$page_comments_link,$page_permalink,$last_edit,$page_sort, $show_template_name,
-		$page_redirect,$frontend_link,$page_description,$page_lang_thumb,$label,$pi,$hidden_csrf_tokken
+		$page_redirect,$frontend_link,$page_description,$page_lang_thumb,$label,$pi,$hidden_csrf_token
 		);
 
 

diff --git a/acp/core/pages.shortcodes.php b/acp/core/pages.shortcodes.php
@@ -223,7 +223,7 @@
 
 	$btn_delete  = '<form action="?tn=pages&sub=shortcodes" method="POST" class="d-inline">';
 	$btn_delete .= '<button type="submit" name="delete" value="'.$shortcodes[$i]['textlib_id'].'" class="btn btn-danger btn-sm">'.$icon['trash_alt'].'</button>';
-	$btn_delete .= $hidden_csrf_tokken;
+	$btn_delete .= $hidden_csrf_token;
 	$btn_delete .= '</form>';
 
 	$get_sc_labels = explode(',',$shortcodes[$i]['textlib_labels']);

diff --git a/acp/core/posts.list.php b/acp/core/posts.list.php
@@ -306,7 +306,7 @@
 		} else {
 			$icon_fixed_form .= '<button type="submit" class="btn btn-link" name="sfixed" value="'.$get_posts[$i]['post_id'].'">'.$icon['star_outline'].'</button>';
 		}
-		$icon_fixed_form .= $hidden_csrf_tokken;
+		$icon_fixed_form .= $hidden_csrf_token;
 		$icon_fixed_form .= '</form>';
 
 		if($get_posts[$i]['post_status'] == '2') {
@@ -392,7 +392,7 @@
 		$prio_form  = '<form action="acp.php?tn=posts&a=start" method="POST">';
 		$prio_form .= $select_priority;
 		$prio_form .= '<input type="hidden" name="prio_id" value="'.$get_posts[$i]['post_id'].'">';
-		$prio_form .= $hidden_csrf_tokken;
+		$prio_form .= $hidden_csrf_token;
 		$prio_form .= '</form>';
 
 
@@ -495,11 +495,11 @@
 		echo '<nav class="nav justify-content-end">';
 		echo '<form class="form-inline mr-1" action="?tn=posts&sub=edit" method="POST">';
 		echo '<button class="btn btn-fc btn-sm text-success" type="submit" name="post_id" value="'.$get_posts[$i]['post_id'].'">'.$lang['edit'].'</button>';
-		echo $hidden_csrf_tokken;
+		echo $hidden_csrf_token;
 		echo '</form> ';
 		echo '<form class="form-inline" action="acp.php?tn=posts" method="POST">';
 		echo '<button class="btn btn-danger btn-sm" type="submit" name="delete_id" value="'.$get_posts[$i]['post_id'].'">'.$icon['trash_alt'].'</button>';
-		echo $hidden_csrf_tokken;
+		echo $hidden_csrf_token;
 		echo '</form>';
 		echo '</nav>';
 		echo '</td>';

diff --git a/acp/core/reactions.comments.php b/acp/core/reactions.comments.php
@@ -198,6 +198,7 @@
 
 	echo '<form class="form-inline" action="?tn=reactions&sub=comments#comid'.$comment_id.'" method="POST">';
 	echo '<button type="submit" class="btn btn-sm w-100 btn-fc" name="editid" value="'.$comment_id.'">'.$lang['edit'].'</button>';
+	echo $hidden_csrf_token;
 	echo '</form>';
 	echo '</div>';
 	echo '<div class="col-md-1">';
@@ -207,11 +208,13 @@
 	}
 	echo '<form class="form-inline" action="?tn=reactions&sub=comments" method="POST">';
 	echo '<button type="submit" class="btn btn-sm w-100 '.$btn_class.'" name="change_status" value="'.$comment_id.'">'.$icon['check'].'</button>';
+	echo $hidden_csrf_token;
 	echo '</form>';
 	echo '</div>';
 	echo '<div class="col-md-1">';	
 	echo '<form class="form-inline" action="?tn=reactions&sub=comments" method="POST">';
 	echo '<button type="submit" class="btn btn-sm w-100 btn-danger" name="delid" value="'.$comment_id.'">'.$icon['trash_alt'].'</button>';
+	echo $hidden_csrf_token;
 	echo '</form>';
 	echo '</div>';
 	echo '</div>';
@@ -275,6 +278,7 @@
 echo '<option value="all" '.$sel_status_all.'>'.$lang['label_all_comments'].'</option>';
 echo '<option value="1" '.$sel_status_1.'>'.$lang['label_comments_status1'].'</option>';
 echo '<option value="2" '.$sel_status_2.'>'.$lang['label_comments_status2'].'</option>';
+echo $hidden_csrf_token;
 echo '</select>';
 echo '</form>';
 echo '</fieldset>';
@@ -296,6 +300,7 @@
 }
 
 echo '</select>';
+echo $hidden_csrf_token;
 echo '</form>';
 echo '</fieldset>';
 
@@ -316,6 +321,7 @@
 }
 
 echo '</select>';
+echo $hidden_csrf_token;
 echo '</form>';
 echo '</fieldset>';