From 085c24c80c6a79f21aba768bf16955685dcc47b7 Mon Sep 17 00:00:00 2001
From: Dylan Hardison <dylan@mozilla.com>
Date: Tue, 1 Mar 2016 08:14:26 -0500
Subject: Bug 1252210 - AntiSpam configuration is vulnerable to CSRF and
 persistent XSS

---
 extensions/EditTable/template/en/default/pages/edit_table.html.tmpl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'extensions/EditTable/template/en/default/pages')

diff --git a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
index d81291640..98a8f4184 100644
--- a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
+++ b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
@@ -30,12 +30,14 @@
       onsubmit="editTable.to_json('table_data')">
 <input type="hidden" name="id" value="edit_table.html">
 <input type="hidden" name="table" value="[% table_name FILTER html %]">
+<input type="hidden" name="token" value="[% token FILTER html %]">
 <input type="hidden" name="table_data" id="table_data">
 <input type="submit" value="Commit Changes" id="commit_btn" class="bz_default_hidden">
 </form>
 
 <script>
-  var table_data = [% table_data FILTER none %];
+  var table_data_str = "[% table_data FILTER js %]";
+  var table_data = $.parseJSON(table_data_str);
   var editTable = new EditTable('edit_table', table_data);
   editTable.render();
 </script>
-- 
cgit v1.2.3-24-g4f1b