diff --git a/handlers/board.go b/handlers/board.go
index 8f8de81..96e7353 100644
--- a/handlers/board.go
+++ b/handlers/board.go
@@ -58,6 +58,11 @@ func BoardHandler(app *App) http.HandlerFunc {
 if r.Method == http.MethodPost && loggedIn {
 action := r.URL.Query().Get("action")
 if action == "create_thread" {
+ if !app.validateCSRFToken(r, session) {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
+
 title := r.FormValue("title")
 if title == "" {
 http.Error(w, "Thread title is required", http.StatusBadRequest)
@@ -118,6 +123,7 @@ func BoardHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 Board: *board,
 Threads: threads,
diff --git a/handlers/boards.go b/handlers/boards.go
index 21105a3..9955b88 100644
--- a/handlers/boards.go
+++ b/handlers/boards.go
@@ -26,6 +26,11 @@ func BoardsHandler(app *App) http.HandlerFunc {
 }
 if r.Method == http.MethodPost && loggedIn && isAdmin {
+ if !app.validateCSRFToken(r, session) {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
+
 name := r.FormValue("name")
 description := r.FormValue("description")
 boardType := r.FormValue("type")
@@ -106,6 +111,7 @@ func BoardsHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 PublicBoards: publicBoards,
 PrivateBoards: privateBoards,
diff --git a/handlers/thread.go b/handlers/thread.go
index 34eb4f3..1586c19 100644
--- a/handlers/thread.go
+++ b/handlers/thread.go
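Review bot: The CSRF check in board.go's first hunk runs only inside the `if action == "create_thread"` branch, so any other POST action the handler accepts further down (not visible here) would still go unchecked; thread.go's `@@ -59` hunk has the same shape with `action == "submit"`, while boards.go places the check directly under the POST condition, which is the safer placement. Moving the four added lines up to immediately after `if r.Method == http.MethodPost && loggedIn {` guards every POST in one place. The identical guard-and-403 block now appears in three handlers; a small helper such as `if !app.requireCSRF(w, r, session) { return }` would keep the response consistent if the status or message changes later. Whether `validateCSRFToken` compares tokens in constant time is not visible in this diff and is worth confirming. BoardHandler's body continues outside the hunk.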
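Review bot: `CSRFToken: app.csrfToken(session)` in board.go's second hunk is evaluated on every render of this page, including for visitors who are not logged in, so if `session` can be nil on that path `csrfToken` must tolerate it or the field should be filled only when `loggedIn` — the code that decides this is outside the hunk. The same call is added in boards.go at `@@ -106` and thread.go at `@@ -164`. Whether `csrfToken` returns the token already stored in the session or mints a fresh one per render is not visible here; if the page is re-rendered after a validation error, a per-render token would invalidate the form the user is about to resubmit. BoardHandler's body continues outside the hunk.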
@@ -59,6 +59,11 @@ func ThreadHandler(app *App) http.HandlerFunc {
 if r.Method == http.MethodPost && loggedIn {
 action := r.URL.Query().Get("action")
 if action == "submit" {
+ if !app.validateCSRFToken(r, session) {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
+
 content := r.FormValue("content")
 replyToStr := r.FormValue("reply_to")
 if replyToStr == "" {
@@ -164,6 +169,7 @@ func ThreadHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 Thread: *thread,
 Board: *board,
diff --git a/templates/pages/board.html b/templates/pages/board.html
index 3b99f93..eee6167 100644
--- a/templates/pages/board.html
+++ b/templates/pages/board.html
@@ -40,6 +40,7 @@

Create New Thread

+
@@ -50,4 +51,4 @@
 {{template "cookie_banner" .}}
-{{end}}
\ No newline at end of file
+{{end}}
diff --git a/templates/pages/boards.html b/templates/pages/boards.html
index 313f0cf..22edc85 100644
--- a/templates/pages/boards.html
+++ b/templates/pages/boards.html
@@ -56,6 +56,7 @@

Create New Public Board

+
@@ -73,4 +74,4 @@
 {{template "cookie_banner" .}}
-{{end}}
\ No newline at end of file
+{{end}}
diff --git a/templates/pages/thread.html b/templates/pages/thread.html
index 99e5b3e..773149c 100644
--- a/templates/pages/thread.html
+++ b/templates/pages/thread.html
@@ -62,6 +62,7 @@
+