Kyle M Hall
6aa54daa3e
This patch avoids generating CSRF tokens unless the csrf-token.inc file is included in the template. Passed token doesn't need HTML escaped. The docs for WWW::CSRF state: The returned CSRF token is in a text-only form suitable for inserting into a HTML form without further escaping (assuming you did not send in strange things to the Time option). Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> (cherry picked from commit ddf1eb6cef14da365675890920ff72f010c59527) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
3 lines
112 B
PHP
3 lines
112 B
PHP
[%- USE Koha %]
|
|
[%- USE raw %]
|
|
<input type="hidden" name="csrf_token" value="[% Koha.GenerateCSRF | $raw %]" />
|