From 432488eca3998c5be6b6b9e8f8ba01f54bc12378 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 25 Nov 2023 16:36:05 +0000
Subject: [PATCH] Require CSRF token to edit Stripe settings - thanks to @stehled

---
 post/setting.php | 1 +
 settings_online_payment.php | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/post/setting.php b/post/setting.php
index 3df54650..25e59e1e 100644
--- a/post/setting.php
+++ b/post/setting.php
@@ -331,6 +331,7 @@ if (isset($_GET['generate_cron_key'])) {
 if (isset($_POST['edit_online_payment_settings'])) {
+ validateCSRFToken($_POST['csrf_token']);
 validateAdminRole();
 $config_stripe_enable = intval($_POST['config_stripe_enable']);
diff --git a/settings_online_payment.php b/settings_online_payment.php
index f8eb017e..e9e0157f 100644
--- a/settings_online_payment.php
+++ b/settings_online_payment.php
@@ -11,6 +11,7 @@ require_once "inc_all_settings.php";
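Review bot: The added `validateCSRFToken($_POST['csrf_token']);` indexes `$_POST` without a presence check, so a request that simply omits the field triggers an "Undefined array key" warning and hands the validator `null` instead of a token; `validateCSRFToken($_POST['csrf_token'] ?? '');` lets the validator reject the missing token cleanly. That assumes validateCSRFToken (defined outside this hunk) rejects an empty string and compares with `hash_equals()`, both worth confirming. The edit_online_payment_settings handler continues past the hunk, and the other POST handlers in post/setting.php are outside it, so whether they carry the same check cannot be judged from here.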
+
@@ -53,9 +54,9 @@ require_once "inc_all_settings.php"; $sql_accounts = mysqli_query($mysqli, "SELECT * FROM accounts LEFT JOIN account_types ON account_types.account_type_id = accounts.account_type WHERE account_type_parent = 1 AND account_archived_at IS NULL ORDER BY account_name ASC"); while ($row = mysqli_fetch_array($sql_accounts)) { $account_id = intval($row['account_id']); - $account_name = nullable_htmlentities($row['account_name']); + $account_name = nullable_htmlentities($row['account_name']); ?> - +