authorAaron Parecki <aaron@parecki.com>2017-02-12 20:18:34 -0800
committerAaron Parecki <aaron@parecki.com>2017-02-12 20:18:34 -0800
commit43e8a1ef8d7586422b5d164204a57bdd5938a6d1 (patch)
tree2f832ca21f0a4cca330a763463db6c733246ae84 /views
parent2c8387b1e08bff38895c2ce8a840a13a1fed1932 (diff)
fix autosubmit vulnerability for "favorite" bookmarklet
closes #69
Diffstat (limited to 'views')
-rw-r--r--views/new-favorite.php21
-rw-r--r--views/partials/favorite-bookmarklet.php2
2 files changed, 7 insertions, 16 deletions
diff --git a/views/new-favorite.php b/views/new-favorite.php
index 9977d69..9f191e8 100644
--- a/views/new-favorite.php
+++ b/views/new-favorite.php
@@ -31,12 +31,6 @@
<script>
$(function(){
- var autosubmit = window.location.search.match('autosubmit=true');
-
- if(autosubmit) {
- $(".footer, #bookmarklet").hide();
- }
-
$("#btn_post").click(function(){
$("#btn_post").addClass("loading disabled").text("Working...");
@@ -50,13 +44,9 @@ $(function(){
}, function(response){
if(response.location != false) {
- if(autosubmit) {
- $("#btn_post").hide();
- } else {
- $("#test_success").removeClass('hidden');
- $("#test_error").addClass('hidden');
- $("#post_href").attr("href", response.location);
- }
+ $("#test_success").removeClass('hidden');
+ $("#test_error").addClass('hidden');
+ $("#post_href").attr("href", response.location);
window.location = response.location;
} else {
@@ -69,9 +59,10 @@ $(function(){
return false;
});
- if(autosubmit) {
+ <? if($this->autosubmit): ?>
+ $(".footer, #bookmarklet").hide();
$("#btn_post").click();
- }
+ <? endif ?>
bind_syndication_buttons();
});
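Review bot: The autosubmit decision now comes from `$this->autosubmit` at the top of this hunk, so the fix only holds if the controller sets that flag from something a third-party link cannot supply — the controller is not in this diff, so that cannot be confirmed here. It would help to record the intent in the template so the old query-parameter gate is not reintroduced, e.g. `// autosubmit is decided server-side on purpose: a URL parameter used to let any page trigger the POST (#69)` above the `<? if($this->autosubmit): ?>` line. The short open tag `<? if` also depends on `short_open_tag`, whereas the `<?=` used elsewhere does not; `<?php if($this->autosubmit): ?>` avoids that dependency unless the rest of the project already relies on short tags. The enclosing `$(function(){ ... })` handler starts before this hunk.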
diff --git a/views/partials/favorite-bookmarklet.php b/views/partials/favorite-bookmarklet.php
index bdee851..df68802 100644
--- a/views/partials/favorite-bookmarklet.php
+++ b/views/partials/favorite-bookmarklet.php
@@ -1,3 +1,3 @@
(function(){
- window.open("<?= Config::$base_url ?>favorite?url="+encodeURIComponent(window.location.href)+"&autosubmit=true&token=<?= $this->token ?>");
+ window.open("<?= Config::$base_url ?>favorite?url="+encodeURIComponent(window.location.href)+"&token=<?= $this->token ?>");
})();