CSRF Protection (#235)

* Fix alert class name * feature: csrf protection * Cosmetics * Fix token generate * Admin Panel: changelogs csrf protection * news/id route * Refactor admin newses + add csrf * Use admin.links instead * Admin panel: Pages csrf * Menus: better csrf + add success message on reset colors * Plugins csrf * Move definitions * add info function, same as note($message) * Update mailer.php * Fix new page/news links * clear_cache & maintenance csrf * Formatting * Fix news type * Fix changelog link * Add new changelog link * More info to confirm dialog * This is always true
2025-10-14 01:34:55 +02:00 · 2023-11-11 10:57:57 +01:00
parent a04fbde607
commit 790d85a88a
89 changed files with 789 additions and 504 deletions
--- a/system/templates/characters.html.twig
+++ b/system/templates/characters.html.twig
@@ -106,6 +106,7 @@
 							<td>{{ house.name ~ house.town ~ house.add }}</td>
 							<td>
 								<form action="?subtopic=houses&page=view" method="post">
+									{{ csrf() }}
 									<input type="hidden" name="house" value="{{ house.name }}">
 									<input type="image" name="View" alt="View" src="{{ template_path }}/images/global/buttons/sbutton_view.gif" border="0" width="120">
 								</form>
@@ -402,7 +403,8 @@
 				<td>{% if player.isOnline() %}<b><span style="color: green">Online</span></b>{% endif %}</td>
 				<td>
 					<table border="0" cellspacing="0" cellpadding="0">
-						<form action="{{ getLink('characters') }}" method=post>
+						<form action="{{ getLink('characters') }}" method="post">
+							{{ csrf() }}
 							<tr>
 								<td>
 									<input type="hidden" name="name" value="{{ player.getName() }}"/>