luci-base: protect CBI forms with CSRF tokens

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
author: Jo-Philipp Wich <jow@openwrt.org> 2015-10-06 18:54:35 +0200
committer: Jo-Philipp Wich <jow@openwrt.org> 2015-10-06 18:54:35 +0200
commit: 8d46c20327509dbafa3fd0dc4e4426765244c5a1 (patch)
tree: 3bf13d177475b1f347530c93813e2d86f1bec1e4 /modules/luci-base/luasrc/view/cbi/header.htm
parent: 5a6382171da2c941e17d050cd357629f40541cb6 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/modules/luci-base/luasrc/view/cbi/header.htm b/modules/luci-base/luasrc/view/cbi/header.htm
index 2bddaba61..302df1d2f 100644
--- a/modules/luci-base/luasrc/view/cbi/header.htm
+++ b/modules/luci-base/luasrc/view/cbi/header.htm
@@ -2,6 +2,7 @@
 <form method="post" name="cbi" action="<%=REQUEST_URI%>" enctype="multipart/form-data" onreset="return cbi_validate_reset(this)" onsubmit="return cbi_validate_form(this, '<%:Some fields are invalid, cannot save values!%>')">
 	<div>
 		<script type="text/javascript" src="<%=resource%>/cbi.js"></script>
+		<input type="hidden" name="token" value="<%=token%>" />
 		<input type="hidden" name="cbi.submit" value="1" />
 		<input type="submit" value="<%:Save%>" class="hidden" />
 	</div>
author	Jo-Philipp Wich <jow@openwrt.org>	2015-10-06 18:54:35 +0200
committer	Jo-Philipp Wich <jow@openwrt.org>	2015-10-06 18:54:35 +0200
commit	8d46c20327509dbafa3fd0dc4e4426765244c5a1 (patch)
tree	3bf13d177475b1f347530c93813e2d86f1bec1e4 /modules/luci-base/luasrc/view/cbi/header.htm
parent	5a6382171da2c941e17d050cd357629f40541cb6 (diff)