mirrors/nadeko_invidious
1
0
Fork 0
mirror of https://git.nadeko.net/Fijxu/invidious.git synced 2025-12-20 13:48:48 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Refactor CSRF tokens (using format in #473)

Browse Source
This commit is contained in:
Omar Roth
2019-04-15 23:23:40 -05:00
parent 698dfca319
commit 26168a9520
12 changed files with 323 additions and 307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/invidious/views/components/item.ecr
View File

@@ -85,17 +85,19 @@
<div class="thumbnail">
<img class="thumbnail" src="/vi/<%= item.id %>/mqdefault.jpg"/>
<% if env.get? "show_watched" %>
<p class="watched">
<a onclick="mark_watched(this)"
data-id="<%= item.id %>"
onmouseenter='this["href"]="javascript:void(0)"'
href="/mark_watched?id=<%= item.id %>">
<i onmouseenter='this.setAttribute("class", "icon ion-ios-eye-off")'
onmouseleave='this.setAttribute("class", "icon ion-ios-eye")'
class="icon ion-ios-eye">
</i>
</a>
</p>
<form onsubmit="return false;" action="/watch_ajax?action_mark_watched=1&id=<%= item.id %>&referer=<%= env.get("current_page") %>" method="post">
<input type="hidden" name="token" value="<%= URI.escape(env.get?("token").try &.as(String) || "") %>">
<p class="watched">
<a onclick="mark_watched(this)" data-id="<%= item.id %>" href="#">
<button type="submit" style="all:unset">
<i onmouseenter='this.setAttribute("class", "icon ion-ios-eye-off")'
onmouseleave='this.setAttribute("class", "icon ion-ios-eye")'
class="icon ion-ios-eye">
</i>
</button>
</a>
</p>
</form>
<% end %>
<% if item.responds_to?(:live_now) && item.live_now %>
<p class="length"><i class="icon ion-ios-play-circle"></i> <%= translate(locale, "LIVE") %></p>

18
src/invidious/views/components/subscribe_widget.ecr
View File

@@ -1,17 +1,21 @@
<% if user %>
<% if subscriptions.includes? ucid %>
<p>
<a id="subscribe" onclick="unsubscribe()" class="pure-button pure-button-primary"
href="/subscription_ajax?action_remove_subscriptions=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>">
<b><%= translate(locale, "Unsubscribe") %> | <%= sub_count_text %></b>
</a>
<form onsubmit="return false;" action="/subscription_ajax?action_remove_subscriptions=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post">
<input type="hidden" name="token" value="<%= URI.escape(env.get?("token").try &.as(String) || "") %>">
<a id="subscribe" onclick="unsubscribe()" class="pure-button pure-button-primary" href="#">
<b><input style="all:unset" type="submit" value="<%= translate(locale, "Unsubscribe") %> | <%= sub_count_text %>"></b>
</a>
</form>
</p>
<% else %>
<p>
<a id="subscribe" onclick="subscribe()" class="pure-button pure-button-primary"
href="/subscription_ajax?action_create_subscription_to_channel=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>">
<b><%= translate(locale, "Subscribe") %> | <%= sub_count_text %></b>
<form onsubmit="return false;" action="/subscription_ajax?action_create_subscription_to_channel=1&c=<%= ucid %>&referer=<%= env.get("current_page") %>" method="post">
<input type="hidden" name="token" value="<%= URI.escape(env.get?("token").try &.as(String) || "") %>">
<a id="subscribe" onclick="subscribe()" class="pure-button pure-button-primary" href="#">
<b><input style="all:unset" type="submit" value="<%= translate(locale, "Subscribe") %> | <%= sub_count_text %>"></b>
</a>
</form>
</p>
<% end %>
<% else %>

10
src/invidious/views/components/subscribe_widget_script.ecr
View File

@@ -15,8 +15,9 @@ function subscribe(timeouts = 0) {
var xhr = new XMLHttpRequest();
xhr.responseType = "json";
xhr.timeout = 20000;
xhr.open("GET", url, true);
xhr.send();
xhr.open("POST", url, true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("token=<%= URI.escape(env.get?("token").try &.as(String) || "") %>");
var fallback = subscribe_button.innerHTML;
subscribe_button.onclick = unsubscribe;
@@ -50,8 +51,9 @@ function unsubscribe(timeouts = 0) {
var xhr = new XMLHttpRequest();
xhr.responseType = "json";
xhr.timeout = 20000;
xhr.open("GET", url, true);
xhr.send();
xhr.open("POST", url, true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("token=<%= URI.escape(env.get?("token").try &.as(String) || "") %>");
var fallback = subscribe_button.innerHTML;
subscribe_button.onclick = subscribe;