author | Yorhel <git@yorhel.nl> | 2020-04-20 10:31:26 +0200 |
committer | Yorhel <git@yorhel.nl> | 2020-04-20 10:31:42 +0200 |
commit | b6f98d51910e0a9252b18f3b160e32d97ba64b2c (patch) | |
tree | e06fa29a3e6ffd242a56437191ec19a4a8d9cf7a /elm | |
parent | d16f10f3fc504b40bbc2ba859ca6807c77d0939d (diff) |
Strengthen ?view= query parameter security with a CSRF token
Easier than moderating the site to prevent people from creating internal
links to sensitive pages. It also turns out that SameSite cookies are
included when opening a bookmark (okayish) or clicking on a link from
outside the browser (not okay); this protects against those scenarios as
well.
Diffstat (limited to 'elm')
-rw-r--r-- | elm/ImageFlagging.elm | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/elm/ImageFlagging.elm b/elm/ImageFlagging.elm
index 726467bc..2ea7eb36 100644
--- a/elm/ImageFlagging.elm
+++ b/elm/ImageFlagging.elm
@@ -38,6 +38,7 @@ type alias Model =
 , fullscreen: Bool
 , showVotes : Bool
 , myVotes : Int
+ , nsfwToken : String
 , images : Array.Array GApi.ApiImageResult
 , index : Int
 , desc : (Maybe Int, Maybe Int)
@@ -57,6 +58,7 @@ init d =
 , fullscreen= False
 , showVotes = d.single
 , myVotes = d.my_votes
+ , nsfwToken = d.nsfw_token
 , images = Array.fromList d.images
 , index = if d.single then 0 else List.length d.images
 , desc = Maybe.withDefault (Nothing,Nothing) <| Maybe.map (\i -> (i.my_sexual, i.my_violence)) <| if d.single then List.head d.images else Nothing
@@ -222,7 +224,7 @@ view model =
 [ td [ Ffi.innerHtml v.user ] []
 , td [] [ text <| if v.sexual == 0 then "Safe" else if v.sexual == 1 then "Suggestive" else "Explicit" ]
 , td [] [ text <| if v.violence == 0 then "Tame" else if v.violence == 1 then "Violent" else "Brutal" ]
- , td [] <| Maybe.withDefault [] <| Maybe.map (\u -> [ a [ href <| "/img/list?view=n&u="++String.fromInt u ] [ text "votes" ] ]) v.uid
+ , td [] <| Maybe.withDefault [] <| Maybe.map (\u -> [ a [ href <| "/img/list?view=" ++ model.nsfwToken ++ "&u=" ++ String.fromInt u ] [ text "votes" ] ]) v.uid
 ]
 ) i.votes
 ]
|
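Review bot: In the third hunk the token is spliced into the href without encoding, `"/img/list?view=" ++ model.nsfwToken ++ "&u=" ++ String.fromInt u`, so any reserved character in the token (`&`, `=`, `#`, `+`, `%`) would corrupt the query string; this is harmless only if the server-side generator is guaranteed to emit URL-safe characters, and that contract is not visible in this diff. If elm/url is already a dependency of this module, `href <| Url.Builder.absolute [ "img", "list" ] [ Url.Builder.string "view" model.nsfwToken, Url.Builder.int "u" u ]` encodes both values and removes the concern. Carrying the token in a link also puts it in the address bar of the target page, where it can be exposed through browser history and the Referer header of any outbound link from `/img/list`; whether that matters depends on the token's lifetime and on the site's Referrer-Policy, neither of which this change shows. The new `nsfwToken` field in the first hunk has no comment, and a short `, nsfwToken : String -- value the server expects in ?view= on /img/list; supplied in init data` would tell the next reader why the literal `n` was replaced. The `Model` alias, `init` and `view` all continue outside their hunks.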