From fe259aba572e08df22557251ca9279f512f6862c Mon Sep 17 00:00:00 2001
From: Simon Bennetts <psiinon@gmail.com>
Date: Wed, 4 Apr 2018 18:21:33 +0100
Subject: Bug 1446431 - Allow Baseline scan to ignore forms that dont need CSRF
 Tokens

The data-no-csrf attribute is used to signify that a form is 'safe' (ie
doesn't actually make any permanent changes) and so doesn't need an
anti-csrf token.
---
 template/en/default/list/list.html.tmpl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'template/en/default/list/list.html.tmpl')

diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index c17512c79..8fcb8a7ac 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -175,14 +175,14 @@
   <tr>
     [% IF bugs.size > 0 %]
       <td valign="middle" class="bz_query_buttons">
-        <form method="post" action="show_bug.cgi">
+        <form method="post" action="show_bug.cgi" data-no-csrf>
           [% FOREACH id = buglist %]
             <input type="hidden" name="id" value="[% id FILTER html %]">
           [% END %]
           <input type="hidden" name="format" value="multiple">
           <input type="submit" id="long_format" value="Long Format">
         </form>
-        <form method="post" action="show_bug.cgi">
+        <form method="post" action="show_bug.cgi" data-no-csrf>
             <input type="hidden" name="ctype" value="xml">
           [% FOREACH id = buglist %]
             <input type="hidden" name="id" value="[% id FILTER html %]">
@@ -192,7 +192,7 @@
         </form>
 
         [% IF user.is_timetracker %]
-          <form method="post" action="summarize_time.cgi">
+          <form method="post" action="summarize_time.cgi" data-no-csrf>
             <input type="hidden" name="id" value="[% buglist_joined FILTER html %]">
             <input type="submit" id="timesummary" value="Time Summary">
           </form>
-- 
cgit v1.2.3-24-g4f1b