author: Simon Bennetts <psiinon@gmail.com> 2018-04-04 19:21:33 +0200
committer: Israel Madueme <purelogiq@gmail.com> 2018-04-04 19:21:33 +0200
commit: fe259aba572e08df22557251ca9279f512f6862c
tree: 5f6428a14dd727c0c3136352413a0a28718f8cda /template/en/default/reports
parent: 3d6e2fb15c254d2d8fe75dc0307a4b0fd3e62865
Bug 1446431 - Allow Baseline scan to ignore forms that don't need CSRF Tokens
The data-no-csrf attribute is used to signify that a form is 'safe' (i.e. doesn't actually make any permanent changes) and so doesn't need an anti-csrf token.
Diffstat (limited to 'template/en/default/reports')
-rw-r--r-- template/en/default/reports/duplicates.html.tmpl | 4
-rw-r--r-- template/en/default/reports/old-charts.html.tmpl | 2
2 files changed, 3 insertions, 3 deletions
diff --git a/template/en/default/reports/duplicates.html.tmpl b/template/en/default/reports/duplicates.html.tmpl
index ff1c271fe..ed3e7b8ac 100644
--- a/template/en/default/reports/duplicates.html.tmpl
+++ b/template/en/default/reports/duplicates.html.tmpl
@@ -60,7 +60,7 @@
<h3 id="params">Change Parameters</h3>
-<form method="get" action="duplicates.cgi">
+<form method="get" action="duplicates.cgi" data-no-csrf>
<input type="hidden" name="sortby" value="[% sortby FILTER html %]">
<input type="hidden" name="reverse" value="[% reverse FILTER html %]">
<input type="hidden" name="bug_id" value="[% bug_ids_string FILTER html %]">
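Review bot: the bare data-no-csrf on the duplicates.cgi form carries no explanation in the template, so a later edit that makes this form state-changing could keep the scanner exemption by accident. The visible fields (sortby, reverse, bug_id) with method="get" look read-only, which matches the commit message; consider a template comment next to the tag, for example [%# data-no-csrf: read-only GET, only changes report parameters %], so the reason travels with the markup.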
@@ -127,7 +127,7 @@
<input type="submit" id="change" value="Change">
</form>
-<form method="post" action="buglist.cgi">
+<form method="post" action="buglist.cgi" data-no-csrf>
<input type="hidden" name="bug_id" value="[% bug_ids_string FILTER html %]">
Or just give this to me as a <input type="submit" id="list"
value="[% terms.bug %] list">.
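Review bot: this form is method="post", and the commit message limits data-no-csrf to forms that make no permanent changes, so this is the one exemption here that needs an explicit justification. The only visible field is the hidden bug_id passed to buglist.cgi to produce a bug list, which reads as a query; please confirm that buglist.cgi performs no write on this POST and say so in a comment or the commit message, since a tokenless POST is exactly what the baseline scan is meant to flag.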
diff --git a/template/en/default/reports/old-charts.html.tmpl b/template/en/default/reports/old-charts.html.tmpl
index 4bdc0cffa..38e17121b 100644
--- a/template/en/default/reports/old-charts.html.tmpl
+++ b/template/en/default/reports/old-charts.html.tmpl
@@ -32,7 +32,7 @@
<img src="[% url_image FILTER html %]">
<br clear="both">
[% ELSE %]
- <form id="choose_product" method="get" action="reports.cgi">
+ <form id="choose_product" method="get" action="reports.cgi" data-no-csrf>
<table border="1" cellpadding="5" cellspacing="2">
<tr>
<th>Product:</th>
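Review bot: only the opening tag of the choose_product form and the first table header are visible in this hunk, so the claim that it needs no token cannot be checked from the diff alone. With method="get" and action="reports.cgi" it is presumably a selector; please confirm that none of the fields further down trigger a change in reports.cgi, and consider documenting the data-no-csrf convention in one place so each use does not need its own explanation.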