Merge pull request #6289 from wallabag/2.5/fix-csrf-user-deletion

Fix CSRF on user deletion
2023-02-07 21:52:51 +01:00
parent 4e023bddc3 f1b3d5cdd7
commit 268372dbbd
3 changed files with 14 additions and 8 deletions
--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/index.html.twig
@ -548,7 +548,7 @@
                            </div>
                        </div>
                    </div>
-                    
+
                    <div id="set7" class="col s12">
                        <div class="row">
                            <h5>{{ 'config.reset.title'|trans }}</h5>
@ -573,9 +573,11 @@
                            <div class="row">
                                <h5>{{ 'config.form_user.delete.title'|trans }}</h5>
                                <p>{{ 'config.form_user.delete.description'|trans }}</p>
-                                <a href="{{ path('delete_account') }}" onclick="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red delete-account">
-                                    {{ 'config.form_user.delete.button'|trans }}
-                                </a>
+                                <form action="{{ path('delete_account') }}" method="post" onsubmit="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" name="delete-account">
+                                    <input type="hidden" name="token" value="{{ csrf_token('delete-account') }}" />
+
+                                    <button class="waves-effect waves-light btn red" type="submit">{{ 'config.form_user.delete.button'|trans }}</button>
+                                </form>
                            </div>
                        {% endif %}
                    </div>