authorYorhel <git@yorhel.nl>2020-04-20 10:31:26 +0200
committerYorhel <git@yorhel.nl>2020-04-20 10:31:42 +0200
commitb6f98d51910e0a9252b18f3b160e32d97ba64b2c (patch)
treee06fa29a3e6ffd242a56437191ec19a4a8d9cf7a /elm
parentd16f10f3fc504b40bbc2ba859ca6807c77d0939d (diff)
Strengthen ?view= query parameter security with a CSRF token
Easier than moderating the site to prevent people from creating internal links to sensitive pages. It also turns out that SameSite cookies are still sent when opening a bookmark (okay-ish) or when clicking a link from outside the browser (not okay); the token protects against those scenarios as well.
Diffstat (limited to 'elm')
-rw-r--r--elm/ImageFlagging.elm4
1 files changed, 3 insertions, 1 deletions
diff --git a/elm/ImageFlagging.elm b/elm/ImageFlagging.elm
index 726467bc..2ea7eb36 100644
--- a/elm/ImageFlagging.elm
+++ b/elm/ImageFlagging.elm
@@ -38,6 +38,7 @@ type alias Model =
, fullscreen: Bool
, showVotes : Bool
, myVotes : Int
+ , nsfwToken : String
, images : Array.Array GApi.ApiImageResult
, index : Int
, desc : (Maybe Int, Maybe Int)
@@ -57,6 +58,7 @@ init d =
, fullscreen= False
, showVotes = d.single
, myVotes = d.my_votes
+ , nsfwToken = d.nsfw_token
, images = Array.fromList d.images
, index = if d.single then 0 else List.length d.images
, desc = Maybe.withDefault (Nothing,Nothing) <| Maybe.map (\i -> (i.my_sexual, i.my_violence)) <| if d.single then List.head d.images else Nothing
@@ -222,7 +224,7 @@ view model =
[ td [ Ffi.innerHtml v.user ] []
, td [] [ text <| if v.sexual == 0 then "Safe" else if v.sexual == 1 then "Suggestive" else "Explicit" ]
, td [] [ text <| if v.violence == 0 then "Tame" else if v.violence == 1 then "Violent" else "Brutal" ]
- , td [] <| Maybe.withDefault [] <| Maybe.map (\u -> [ a [ href <| "/img/list?view=n&u="++String.fromInt u ] [ text "votes" ] ]) v.uid
+ , td [] <| Maybe.withDefault [] <| Maybe.map (\u -> [ a [ href <| "/img/list?view=" ++ model.nsfwToken ++ "&u=" ++ String.fromInt u ] [ text "votes" ] ]) v.uid
]
) i.votes
]
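Review bot: `model.nsfwToken` is spliced into the href by plain string concatenation, so any character outside the URL-unreserved set in the token (for example `+`, `/` or `=` if it is base64-encoded, or `&`/`#`) would break the query string or be decoded differently by the server; the token's format is not visible here, so either guarantee it is URL-safe where it is generated or encode it at this site, e.g. `href <| "/img/list?view=" ++ Url.percentEncode model.nsfwToken ++ "&u=" ++ String.fromInt u` (or build the link with `Url.Builder.absolute` if elm/url is already a dependency). Separately, the token now travels in a URL, which means it ends up in browser history, server access logs and outgoing Referer headers; that is only acceptable if it is scoped to the `?view=` purpose rather than being the same secret as the form CSRF token, and a `Referrer-Policy` on the list page would limit the Referer exposure — both are server-side properties to confirm, not visible in this hunk. The enclosing `view` function starts outside the hunk.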