From 47ebf77f24f9c593b7b5eb0f0d0efa734e15e4ae Mon Sep 17 00:00:00 2001
From: Jocadbz
Date: Fri, 6 Mar 2026 14:53:17 -0300
Subject: [PATCH] Add CSRF checks to profile editing.

---
 handlers/profile_edit.go | 6 ++++++
 templates/pages/profile_edit.html | 1 +
 2 files changed, 7 insertions(+)

diff --git a/handlers/profile_edit.go b/handlers/profile_edit.go
index 4b0a43a..28e4a2a 100644
--- a/handlers/profile_edit.go
+++ b/handlers/profile_edit.go
@@ -23,6 +23,11 @@ func ProfileEditHandler(app *App) http.HandlerFunc {
 	}
 
 	if r.Method == http.MethodPost {
+		if !app.validateCSRFToken(r, session) {
+			http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+			return
+		}
+
 		// Handle file upload
 		file, handler, err := r.FormFile("pfp")
 		if err == nil {
@@ -118,6 +123,7 @@ func ProfileEditHandler(app *App) http.HandlerFunc {
 			BasePath: app.Config.ThreadrDir,
 			StaticPath: app.Config.ThreadrDir + "/static",
 			CurrentURL: r.URL.RequestURI(),
+			CSRFToken: app.csrfToken(session),
 		},
 		User: *user,
 	}
diff --git a/templates/pages/profile_edit.html b/templates/pages/profile_edit.html
index 160df6e..2d0a219 100644
--- a/templates/pages/profile_edit.html
+++ b/templates/pages/profile_edit.html
@@ -14,6 +14,7 @@
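Review bot: The new CSRF check in the first hunk correctly runs before `r.FormFile("pfp")`, but if `validateCSRFToken` reads the token out of the form body (e.g. via `r.FormValue`), Go parses the entire multipart upload — buffering up to its default 32 MiB in memory and spilling the rest to temp files — before a forged request is rejected; `validateCSRFToken` is not in the hunk, so this is an inference to confirm. Consider capping the request body at the top of the POST branch, e.g. `r.Body = http.MaxBytesReader(w, r.Body, 10<<20)` (sized to the allowed avatar size), so a cross-site submission without a valid token cannot force a large upload to be processed. While confirming the helper, also check that it compares tokens with `subtle.ConstantTimeCompare` and binds the token to `session` rather than only checking for presence. A one-line comment on the new block would help future readers, e.g. `// Reject forged cross-site submissions before touching the upload.` ProfileEditHandler starts and ends outside the hunk.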
+