implementing csrf in the frontend, adding spambot protection using javascript. Fixes #16. Fixes #9.

2024-05-03 14:33:10 +02:00 · 2020-11-04 20:01:55 +01:00 · 2020-11-04 20:01:55 +01:00 · 6db862848f
parent 3b764f2ac7
commit 6db862848f
1 changed files with 126 additions and 96 deletions
--- a/templates/index.html
+++ b/templates/index.html
@ -7,8 +7,30 @@
        <meta name="description" content="{{ "meta_description"|tr(lang) }}" />
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <link rel="icon" type="image/png" sizes="48x48" href="/assets/favicon.ico" />
-        <link rel="stylesheet" href="/assets/index.css?v=1.1" />
+        <link rel="stylesheet" href="/assets/index.css?v=1.2" />
        <link rel="stylesheet" href="/assets/cloud.css?v=1.0" />
+        <noscript><style> .jsonly { display: none } </style></noscript>
+            <script>
+                /* junk javascript with basic spambot protection features.
+                Drunk indentation is vim's fault.
+               unsatisifed? Please make a PR. : ) */
+                window.onload = function() {
+                                    // retrieved from server-side template
+                                    let csrf_token = "{{ csrf_token }}";
+                                    document.getElementById('new_link_button').addEventListener('click', function () {
+                                                        new_link(csrf_token);
+                                                    });
+                                }
+
+                function new_link(csrf) {
+                                    document.getElementById("csrf_token").value = csrf;
+                                    document.getElementById('new_link').submit();
+                                    document.getElementById('new_link_button').classList.add("hidden");
+                                    document.getElementById('loading_ring').classList.remove("hidden");
+                                }
+
+            </script>
+    </head>
    <body>
        <div class="flex page-heading fullheight">
            <div class="flex page-heading-text">
@ -21,7 +43,15 @@
                </div>
            </div>
            <div class="fullwidth flex">
-                    <a class="ncstyle-button margin-bottom" href="/link">{{ "index_createform_button"|tr(lang) }}</a>
+            </div>
+            <div class="fullwidth flex">
+                <noscript>
+                    <a class="ncstyle-button margin-bottom">{{ "index_nojs"|tr(lang) }}</a>
+                </noscript>
+                <form id="new_link" action="/link" method="post">
+                    <input id="csrf_token" name="csrf_token" type="text" class="hidden">
+                    <a id="new_link_button" class="click jsonly ncstyle-button margin-bottom">{{ "index_createform_button"|tr(lang) }}</a> </form>
+                <div id="loading_ring" class="hidden lds-ring"><div></div><div></div><div></div><div></div></div>
            </div>
            <a class="scroll-down-link scroll-down-arrow"></a>
        </div>