Add missing CSRF Checks in admin area and settings

2026-03-11 08:14:52 +00:00 · 2026-03-02 22:15:36 -05:00
parent 6da8821f2c
commit 918b40afbe
48 changed files with 160 additions and 45 deletions
--- a/admin/modals/tag/tag_add.php
+++ b/admin/modals/tag/tag_add.php
@@ -30,7 +30,9 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="type" value="<?php echo $type; ?>">
+
    <div class="modal-body">
        <div class="form-group">
            <label>Name <strong class="text-danger">*</strong></label>
@@ -41,13 +43,13 @@ ob_start();
                <input type="text" class="form-control" name="name" placeholder="Tag name" maxlength="200" required autofocus>
            </div>
        </div>
-        
+
        <?php if (isset($_GET['type'])) { ?>
-        
+
        <input type="hidden" name="type" value="<?= $type ?>">
-        
+
        <?php } else { ?>
-        
+
        <div class="form-group">
            <label>Type <strong class="text-danger">*</strong></label>
            <div class="input-group">
@@ -64,7 +66,7 @@ ob_start();
                </select>
            </div>
        </div>
-    
+
        <?php } ?>

        <div class="form-group">
--- a/admin/modals/tag/tag_edit.php
+++ b/admin/modals/tag/tag_edit.php
@@ -35,7 +35,9 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="tag_id" value="<?php echo $tag_id; ?>">
+
    <div class="modal-body">

        <div class="form-group">