@@ -287,8 +287,9 @@
@ <p><a href="setup_uedit?id=%d(uid))>[Bummer]</a></p>
style_footer();
return;
}
+ login_verify_csrf_secret();
db_multi_exec(
"REPLACE INTO user(uid,login,info,pw,cap) "
"VALUES(nullif(%d,0),%Q,%Q,%Q,'%s')",
uid, P("login"), P("info"), zPw, zCap
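Review bot: The token check at L6 sits immediately before the REPLACE at L7, so only that one write is covered; setup_uedit begins outside the hunk, and if the handler has any other mutating branch earlier in the function (a delete-user path, for instance) that branch would still accept a forged POST. Running `login_verify_csrf_secret()` once at the top of the POST-handling branch, before any `db_multi_exec`, is harder for a later edit to bypass than a check placed next to one statement. If it stays here, a comment above L6 such as `/* Every edit of the user table is a POST: reject the request before writing unless the CSRF token is valid. */` would record why the call is placed where it is.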
@@ -341,8 +342,9 @@
style_header("Add A New User");
}
@ <table align="left" hspace="20" vspace="10"><tr><td>
@ <form action="%s(g.zPath)" method="POST">
+ login_insert_csrf_secret();
@ <table>
@ <tr>
@ <td align="right"><nobr>User ID:</nobr></td>
if( uid ){
@@ -544,8 +546,9 @@
}
if( zQ ){
int iQ = strcmp(zQ,"on")==0 || atoi(zQ);
if( iQ!=iVal ){
+ login_verify_csrf_secret();
db_set(zVar, iQ ? "1" : "0", 0);
iVal = iQ;
}
}
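Review bot: The CSRF verification added at L26 lives inside a rendering helper and executes only on the `iQ!=iVal` branch, so a POST whose values all equal the stored settings is never verified and a form with several changed fields verifies the same token once per field; entry_attribute (L36) and textarea_attribute (L46) follow the same pattern. That is sound as long as every setting write goes through these helpers, but it couples the check to a comparison that a future edit can reorder; verifying once in each form handler, before the `db_begin_transaction()` calls at L53, L63 and L71, would put the protection where the form is actually handled. If the helpers keep the check, a comment at L26 such as `/* Changing a setting is a state-changing write: require a valid CSRF token first. */` makes the side effect explicit, and the helper's header comment (outside the hunk) should state that it may abort the request. Note that the check now runs mid-page, after `style_header()` has begun output and inside the open transaction, so whatever login_verify_csrf_secret() does on a bad token happens with the transaction uncommitted — presumably the intended outcome, but worth confirming against its implementation.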
@@ -568,8 +571,9 @@
){
const char *zVal = db_get(zVar, zDflt);
const char *zQ = P(zQParm);
if( zQ && strcmp(zQ,zVal)!=0 ){
+ login_verify_csrf_secret();
db_set(zVar, zQ, 0);
zVal = zQ;
}
@ <input type="text" name="%s(zQParm)" value="%h(zVal)" size="%d(width)">
@@ -589,8 +593,9 @@
){
const char *z = db_get(zVar, (char*)zDflt);
const char *zQ = P(zQP);
if( zQ && strcmp(zQ,z)!=0 ){
+ login_verify_csrf_secret();
db_set(zVar, zQ, 0);
z = zQ;
}
if( rows>0 && cols>0 ){
@@ -611,9 +616,9 @@
style_header("Access Control Settings");
db_begin_transaction();
@ <form action="%s(g.zBaseURL)/setup_access" method="POST">
-
+ login_insert_csrf_secret();
@ <hr>
onoff_attribute("Require password for local access",
"localauth", "localauth", 1);
@ <p>When enabled, the password sign-in is required for
@@ -662,8 +667,9 @@
style_header("Timeline Display Preferences");
db_begin_transaction();
@ <form action="%s(g.zBaseURL)/setup_timeline" method="POST">
+ login_insert_csrf_secret();
@ <hr>
onoff_attribute("Block markup in timeline",
"timeline-block-markup", "tbm", 0);
@@ -694,8 +700,9 @@
style_header("WWW Configuration");
db_begin_transaction();
@ <form action="%s(g.zBaseURL)/setup_config" method="POST">
+ login_insert_csrf_secret();
@ <hr />
entry_attribute("Project Name", 60, "project-name", "pn", "");
@ <p>Give your project a name so visitors know what this site is about.
@ The project name will also be used as the RSS feed title.</p>
@@ -736,8 +743,9 @@
login_needed();
}
style_header("Edit CSS");
@ <form action="%s(g.zBaseURL)/setup_editcss" method="POST">
+ login_insert_csrf_secret();
@ Edit the CSS:<br />
textarea_attribute("", 40, 80, "css", "css", zDefaultCSS);
@ <br />
@ <input type="submit" name="submit" value="Apply Changes">
@@ -766,8 +774,9 @@
textarea_attribute(0, 0, 0, "header", "header", zDefaultHeader);
}
style_header("Edit Page Header");
@ <form action="%s(g.zBaseURL)/setup_header" method="POST">
+ login_insert_csrf_secret();
@ <p>Edit HTML text with embedded TH1 (a TCL dialect) that will be used to
@ generate the beginning of every page through start of the main
@ menu.</p>
textarea_attribute("", 40, 80, "header", "header", zDefaultHeader);
@@ -800,8 +809,9 @@
textarea_attribute(0, 0, 0, "footer", "footer", zDefaultFooter);
}
style_header("Edit Page Footer");
@ <form action="%s(g.zBaseURL)/setup_footer" method="POST">
+ login_insert_csrf_secret();
@ <p>Edit HTML text with embedded TH1 (a TCL dialect) that will be used to
@ generate the end of every page.</p>
textarea_attribute("", 20, 80, "footer", "footer", zDefaultFooter);
@ <br />