FSN#22720 FOX#24 Cross Site Request Forgery voorkomen

svn path=/Website/trunk/; revision=17242
2013-03-19 07:31:46 +00:00
parent da19fe8543
commit b85b327a60
6 changed files with 48 additions and 24 deletions
--- a/APPL/FIN/fin_approve.asp
+++ b/APPL/FIN/fin_approve.asp
@@ -20,6 +20,7 @@ DOCTYPE_Disable = 1;
 <!-- #include file="fin.inc" -->

 <%
+protectRequest.validateToken();
 /***** Get webform parameters *****/
 var fin_key_arr = getFParamIntArray("fin_key");
 var accept = getQParamInt("a", -1) == 1;
--- a/APPL/FIN/fin_delete.asp
+++ b/APPL/FIN/fin_delete.asp
@@ -14,6 +14,7 @@ DOCTYPE_Disable = 1;
 <!-- #include file="fin.inc" -->

 <%
+protectRequest.validateToken();
 /***** Get webform parameters *****/
 var fin_key_arr = getFParamIntArray("fin_key");
 var message = "";
--- a/APPL/FIN/fin_list.js
+++ b/APPL/FIN/fin_list.js
@@ -41,8 +41,10 @@ function finApprove(rowArray, isMulti)

  if (isMulti || confirm(L("lcl_fin_approve")))
  {
+    var data = { fin_key: finKeyString };
+    protectRequest.dataToken(data);
    $.post("fin_approve.asp?a=1",
-           { fin_key: finKeyString },
+           data,
           FcltCallbackRefresh,
           "json");
  }
@@ -54,8 +56,10 @@ function finUnapprove(rowArray, isMulti)

  if (isMulti || confirm(L("lcl_fin_unapprove")))
  {
+    var data = { fin_key: finKeyString };
+    protectRequest.dataToken(data);
    $.post("fin_unapprove.asp",
-           { fin_key: finKeyString },
+           data,
           FcltCallbackRefresh,
           "json");
  }
@@ -67,8 +71,10 @@ function finReject(rowArray, isMulti)

  if (isMulti || confirm(L("lcl_fin_reject")))
  {
+    var data = { fin_key: finKeyString };
+    protectRequest.dataToken(data);
    $.post("fin_approve.asp?r=1",
-           { fin_key: finKeyString },
+           data,
           FcltCallbackRefresh,
           "json");
  }
@@ -80,8 +86,10 @@ function finUnreject(rowArray, isMulti)

  if (isMulti || confirm(L("lcl_fin_unreject")))
  {
+    var data = { fin_key: finKeyString };
+    protectRequest.dataToken(data);
    $.post("fin_unreject.asp",
-           { fin_key: finKeyString },
+           data,
           FcltCallbackRefresh,
           "json");
  }
@@ -93,8 +101,10 @@ function finDelete(rowArray, isMulti)

  if (isMulti || confirm(L("lcl_shared_row_delete_confirm")))
  {
+    var data = { fin_key: finKeyString };
+    protectRequest.dataToken(data);
    $.post("fin_delete.asp",
-           { fin_key: finKeyString },
+           data,
           FcltCallbackRefresh,
           "json");
  }
--- a/APPL/FIN/fin_show_factuur.js
+++ b/APPL/FIN/fin_show_factuur.js
@@ -27,10 +27,12 @@ function fin_approve()
  if (confirm(L("lcl_fin_approve_1") + fin_key + L("lcl_fin_approve_2")))
  {
    // Goedkeuren scherm
+    var data = { fin_key: fin_key };
+    protectRequest.dataToken(data);
    $.post("fin_approve.asp?a=1",
-           { fin_key: fin_key },
-             FcltCallbackRefresh,
-             "json");
+           data,
+           FcltCallbackRefresh,
+           "json");
  }
 }

@@ -39,10 +41,12 @@ function fin_unapprove()
  if (confirm(L("lcl_fin_unapprove_1") + fin_key + L("lcl_fin_unapprove_2")))
  {
    // Goedkeuren scherm
+    var data = { fin_key: fin_key };
+    protectRequest.dataToken(data);
    $.post("fin_unapprove.asp",
-           { fin_key: fin_key },
-             FcltCallbackRefresh,
-             "json");
+           data,
+           FcltCallbackRefresh,
+           "json");
  }
 }

@@ -51,10 +55,12 @@ function fin_reject()
  if (confirm(L("lcl_fin_reject_1") + fin_key + L("lcl_fin_reject_2")))
  {
    // Goedkeuren scherm
+    var data = { fin_key: fin_key };
+    protectRequest.dataToken(data);
    $.post("fin_approve.asp?r=1",
-           { fin_key: fin_key },
-             FcltCallbackRefresh,
-             "json");
+           data,
+           FcltCallbackRefresh,
+           "json");
  }
 }

@@ -63,22 +69,26 @@ function fin_unreject()
  if (confirm(L("lcl_fin_unreject_1") + fin_key + L("lcl_fin_unreject_2")))
  {
    // Goedkeuren scherm
+    var data = { fin_key: fin_key };
+    protectRequest.dataToken(data);
    $.post("fin_unreject.asp",
-           { fin_key: fin_key },
-             FcltCallbackRefresh,
-             "json");
+           data,
+           FcltCallbackRefresh,
+           "json");
  }
 }

 function fin_delete()
 {
-   if (confirm(L("lcl_fin_delete_1") + fin_key + L("lcl_fin_delete_2")))
-   {
-       $.post("fin_delete.asp",
-              { fin_key: fin_key },
-              FcltCallbackClose,
-              "json");
-   }
+    if (confirm(L("lcl_fin_delete_1") + fin_key + L("lcl_fin_delete_2")))
+    {
+        var data = { fin_key: fin_key };
+        protectRequest.dataToken(data);
+        $.post("fin_delete.asp",
+               data,
+               FcltCallbackClose,
+               "json");
+    }
 }

 function fin_copy()
--- a/APPL/FIN/fin_unapprove.asp
+++ b/APPL/FIN/fin_unapprove.asp
@@ -19,6 +19,7 @@ DOCTYPE_Disable = 1;
 <!-- #include file="fin.inc" -->

 <%
+protectRequest.validateToken();
 /***** Get webform parameters *****/
 var fin_key_arr = getFParamIntArray("fin_key");
 /***** End get webform parameters *****/
--- a/APPL/FIN/fin_unreject.asp
+++ b/APPL/FIN/fin_unreject.asp
@@ -20,6 +20,7 @@ DOCTYPE_Disable = 1;
 <!-- #include file="fin.inc" -->

 <%
+protectRequest.validateToken();
 /***** Get webform parameters *****/
 var fin_key_arr = getFParamIntArray("fin_key");
 /***** End get webform parameters *****/