From a369ace161db801fdff1becb8f3f0c4b4aa7ccba Mon Sep 17 00:00:00 2001
From: David Cook
Date: Tue, 22 Oct 2024 00:31:23 +0000
Subject: [PATCH] Bug 38065: (QA follow-up) Move csrf_token to POST body from URL

Signed-off-by: David Cook
Signed-off-by: Katrin Fischer
---
 .../prog/en/includes/cateditor-widgets-marc21.inc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc
index 67a9c120f2..1a87de386f 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/cateditor-widgets-marc21.inc
@@ -152,9 +152,10 @@ require( [ 'koha-backend', 'widget', 'text-marc' ], function( KohaBackend, Widge
 $( this.node )
 .find('.control-number-widget-assign').click( function() {
 var sequence = $( widget.node ).find('.control-number-widget-sequence').val();
- const token = $("input[name='csrf_token']").first().val();
+ const csrf_token = document.querySelector('meta[name="csrf-token"]').getAttribute('content');
 $.post(
- '/cgi-bin/koha/svc/cataloguing/control_num_sequences/' + sequence + '?csrf_token=' + token
+ '/cgi-bin/koha/svc/cataloguing/control_num_sequences/' + sequence,
+ { csrf_token: csrf_token }
 ).done( function( result ) {
 if ( result.next_value ) widget.setControlNumber( result.next_value );
 } );
-- 
2.39.5
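Review bot: The new token lookup in the `.control-number-widget-assign` click handler dereferences `document.querySelector('meta[name="csrf-token"]')` without a null check, so on any page that renders this widget without that meta tag the handler throws before the request is sent. The `$.post` chain also has only `.done()`, so a request the server rejects (for example because the token is stale) gives the cataloguer no feedback either. I would guard the lookup, e.g. `const meta = document.querySelector('meta[name="csrf-token"]'); if ( !meta ) return;`, and add a `.fail()` handler that reports the error through whatever message helper the editor already uses. Separately, `sequence` is still concatenated into the path unencoded; `encodeURIComponent( sequence )` would keep the widget value confined to a single path segment. The enclosing `require(...)` callback starts and ends outside the hunk.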