authorSimon Bennetts <psiinon@gmail.com>2018-04-04 19:21:33 +0200
committerIsrael Madueme <purelogiq@gmail.com>2018-04-04 19:21:33 +0200
commitfe259aba572e08df22557251ca9279f512f6862c (patch)
tree5f6428a14dd727c0c3136352413a0a28718f8cda /template/en/default/list
parent3d6e2fb15c254d2d8fe75dc0307a4b0fd3e62865 (diff)
Bug 1446431 - Allow Baseline scan to ignore forms that dont need CSRF Tokens
The data-no-csrf attribute is used to signify that a form is 'safe' (i.e. it doesn't actually make any permanent changes) and so doesn't need an anti-CSRF token.
Diffstat (limited to 'template/en/default/list')
-rw-r--r--template/en/default/list/change-columns.html.tmpl2
-rw-r--r--template/en/default/list/list.html.tmpl6
2 files changed, 4 insertions, 4 deletions
diff --git a/template/en/default/list/change-columns.html.tmpl b/template/en/default/list/change-columns.html.tmpl
index 8edd21aee..d1aada24c 100644
--- a/template/en/default/list/change-columns.html.tmpl
+++ b/template/en/default/list/change-columns.html.tmpl
@@ -51,7 +51,7 @@
[% available_columns.$column_desc = column %]
[% END %]
-<form name="changecolumns" action="colchange.cgi" onsubmit="change_submit();">
+<form name="changecolumns" action="colchange.cgi" onsubmit="change_submit();" data-no-csrf>
<input type="hidden" name="rememberedquery" value="[% buffer FILTER html %]">
<table>
<tr>
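Review bot: The `data-no-csrf` marker on the `changecolumns` form asserts that colchange.cgi makes no permanent change, but the form's name and its `rememberedquery` field suggest the handler stores a column selection, which is the kind of request an anti-CSRF token normally protects. The handler is not visible in this hunk, so this is inferred. Confirm that colchange.cgi persists nothing server-side, or validates a token itself, before the scanner finding is suppressed here. The form also declares no `method`, so it submits as GET; if the handler does write anything, that should be changed alongside adding a token rather than marked as exempt. If the exemption holds, record the basis beside the tag, for example `[%# data-no-csrf: colchange.cgi performs no persistent write (verified <date/reviewer>) %]`. The form body continues outside the hunk.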
diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index c17512c79..8fcb8a7ac 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -175,14 +175,14 @@
<tr>
[% IF bugs.size > 0 %]
<td valign="middle" class="bz_query_buttons">
- <form method="post" action="show_bug.cgi">
+ <form method="post" action="show_bug.cgi" data-no-csrf>
[% FOREACH id = buglist %]
<input type="hidden" name="id" value="[% id FILTER html %]">
[% END %]
<input type="hidden" name="format" value="multiple">
<input type="submit" id="long_format" value="Long Format">
</form>
- <form method="post" action="show_bug.cgi">
+ <form method="post" action="show_bug.cgi" data-no-csrf>
<input type="hidden" name="ctype" value="xml">
[% FOREACH id = buglist %]
<input type="hidden" name="id" value="[% id FILTER html %]">
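Review bot: The two `method="post"` forms to show_bug.cgi are exempted without any note in the template saying why, and the same applies to the summarize_time.cgi form in the following hunk. The attribute is a claim about the server-side handler that the markup cannot enforce, so if either script later acts on a state-changing parameter the baseline scan stays silent. POST appears to be used here only to carry the repeated `id` inputs, though that is inferred from the hidden fields rather than shown. Put that reasoning next to each form so a later editor knows when to drop the marker, e.g. `[%# data-no-csrf: read-only view; POST only carries the id list. Remove if the handler ever writes. %]`. The second form's body continues outside this hunk.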
@@ -192,7 +192,7 @@
</form>
[% IF user.is_timetracker %]
- <form method="post" action="summarize_time.cgi">
+ <form method="post" action="summarize_time.cgi" data-no-csrf>
<input type="hidden" name="id" value="[% buglist_joined FILTER html %]">
<input type="submit" id="timesummary" value="Time Summary">
</form>