Remove invalid CSRF HTML meta tag

09be3d2b · Frédéric Guillot · fguillot · 1fd4c4ef · 09be3d2b · 09be3d2b
Commit 09be3d2b authored 3 years ago by Frédéric Guillot Committed by fguillot 3 years ago
--- a/template/functions.go
+++ b/template/functions.go
@@ -75,7 +75,7 @@ func (f *funcMap) Map() template.FuncMap {
 		"contains": func(str, substr string) bool {
 			return strings.Contains(str, substr)
 		},
-		"replace": func(str, old string, new string) string {
+		"replace": func(str, old, new string) string {
 			return strings.Replace(str, old, new, 1)
 		},
 		"isodate": func(ts time.Time) string {
@@ -86,7 +86,7 @@ func (f *funcMap) Map() template.FuncMap {
 		},
 		"icon": func(iconName string) template.HTML {
 			return template.HTML(fmt.Sprintf(
-				`<svg class="icon" aria-hidden="true"><use xlink:href="%s#icon-%s"></svg>`,
+				`<svg class="icon" aria-hidden="true"><use xlink:href="%s#icon-%s"/></svg>`,
 				route.Path(f.router, "appIcon", "filename", "sprite.svg"),
 				iconName,
 			))

--- a/template/templates/common/layout.html
+++ b/template/templates/common/layout.html
@@ -29,20 +29,17 @@
    <link rel="apple-touch-icon" sizes="167x167" href="{{ route "appIcon" "filename" "icon-167.png" }}">
    <link rel="apple-touch-icon" sizes="180x180" href="{{ route "appIcon" "filename" "icon-180.png" }}">

-    {{ if .csrf }}
-        <meta name="X-CSRF-Token" value="{{ .csrf }}">
-    {{ end }}
-
    <meta name="theme-color" content="{{ theme_color .theme }}">
    <link rel="stylesheet" type="text/css" href="{{ route "stylesheet" "name" .theme }}?{{ .theme_checksum }}">
    {{ if and .user .user.Stylesheet }}
    <link rel="stylesheet" type="text/css" href="{{ route "stylesheet" "name" "custom_css" }}?{{ rand }}">
    {{ end }}

-    <script type="text/javascript" src="{{ route "javascript" "name" "app" }}?{{ .app_js_checksum }}" defer></script>
-    <script type="text/javascript" src="{{ route "javascript" "name" "service-worker" }}?{{ .sw_js_checksum }}" defer id="service-worker-script"></script>
+    <script src="{{ route "javascript" "name" "app" }}?{{ .app_js_checksum }}" defer></script>
+    <script src="{{ route "javascript" "name" "service-worker" }}?{{ .sw_js_checksum }}" defer id="service-worker-script"></script>
 </head>
 <body
+    {{ if .csrf }}data-csrf-token="{{ .csrf }}"{{ end }}
    data-entries-status-url="{{ route "updateEntriesStatus" }}"
    data-refresh-all-feeds-url="{{ route "refreshAllFeeds" }}"
    {{ if .user }}{{ if not .user.KeyboardShortcuts }}data-disable-keyboard-shortcuts="true"{{ end }}{{ end }}>

--- a/ui/static/js/request_builder.js
+++ b/ui/static/js/request_builder.js
@@ -30,9 +30,9 @@ class RequestBuilder {
    }

    getCsrfToken() {
-        let element = document.querySelector("meta[name=X-CSRF-Token]");
+        let element = document.querySelector("body[data-csrf-token");
        if (element !== null) {
-            return element.getAttribute("value");
+            return element.dataset.csrfToken;
        }

        return "";