From 8080c525fd453bfba9c35f01a08013e148bb2144 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Tue, 15 Sep 2020 16:12:53 +0300
Subject: - backend: require CSRF token to be passed via POST - do not leak CSRF token via GET request in feed debugger - rework Article/redirect to use POST
---
 js/FeedTree.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'js/FeedTree.js')
diff --git a/js/FeedTree.js b/js/FeedTree.js
index 74c29d2f7..c61d8a50f 100755
--- a/js/FeedTree.js
+++ b/js/FeedTree.js
@@ -101,8 +101,9 @@ define(["dojo/_base/declare", "dojo/dom-construct", "dojo/_base/array", "dojo/co
 menu.addChild(new dijit.MenuItem({
 label: __("Debug feed"),
 onClick: function() {
- window.open("backend.php?op=feeds&method=update_debugger&feed_id=" + this.getParent().row_id +
- "&csrf_token=" + App.getInitParam("csrf_token"));
+ /* global __csrf_token */
+ App.postOpenWindow("backend.php", {op: "feeds", method: "update_debugger",
+ feed_id: this.getParent().row_id, csrf_token: __csrf_token});
 }}));
 }
-- cgit v1.2.3-54-g00ecf
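Review bot: The token source changes along with the transport — the removed lines read `App.getInitParam("csrf_token")` while the added lines read the bare global `__csrf_token` under an ESLint `/* global */` directive — and nothing in this hunk shows the two hold the same value or that the global is defined before the "Debug feed" handler can run. If the init-param copy can be refreshed (for example after a session re-login) while the global is set once at page render, the debugger POST would carry a stale token and be refused by the backend that this commit makes stricter; if the global is the canonical source, a short comment such as `// __csrf_token is emitted by the page template; sent in the POST body so it never appears in the URL, Referer or access logs` would record why the init param is no longer used. Moving the token out of the query string is the right fix for the leak named in the subject, but `App.postOpenWindow` is not visible here, so confirm it submits a `method="post"` form to the new window rather than falling back to appending the object as a query string. The enclosing `define(...)` body and the menu-building function start and end outside the hunk.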