From ea91896f1531f2c042897849cf313e18aaa5bd64 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 3 Aug 2023 10:01:32 +0200
Subject: [PATCH] Bug 34369: Fix 'Did you mean'

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/didyoumean.tt | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/didyoumean.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/didyoumean.tt
index eed01c9662..3e3b66ebde 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/didyoumean.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/didyoumean.tt
@@ -1,6 +1,7 @@
 [% USE raw %]
 [% USE Asset %]
 [% PROCESS 'i18n.inc' %]
+[% USE Koha %]
 [% SET footerjs = 1 %]
 [% BLOCK pluginlist %]
 <div class="pluginlist">
@@ -67,6 +68,7 @@
             plugins that you want to use.
         </div>
         <form action="/cgi-bin/koha/admin/didyoumean.pl" method="post">
+            [% INCLUDE 'csrf-token.inc' %]
             <fieldset id="didyoumeanopac">
                 <legend>OPAC</legend>
                 [% PROCESS pluginlist plugins=OPACpluginlist type='opac' %]
@@ -110,7 +112,8 @@
         function yesimeant() {
             var OPACdidyoumean = serialize_plugins('opac');
 
-            var data = "pref_OPACdidyoumean=" + encodeURIComponent(OPACdidyoumean);
+            const csrf_token = "[% Koha.GenerateCSRF | $raw %]";
+            let data = "pref_OPACdidyoumean=%s&csrf_token=%s".format(encodeURIComponent(OPACdidyoumean), csrf_token);
 
             $.ajax({
                 data: data,
-- 
2.20.1