From 8185c7322b4c0ad300f85043662de02eece4622b Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 3 Aug 2023 10:01:32 +0200
Subject: [PATCH] Bug 34369: Fix 'Did you mean'

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/didyoumean.tt | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/didyoumean.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/didyoumean.tt
index ae0b86856e..3323c14a21 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/didyoumean.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/didyoumean.tt
@@ -1,5 +1,6 @@
 [% USE raw %]
 [% USE Asset %]
+[% USE Koha %]
 [% SET footerjs = 1 %]
 [% BLOCK pluginlist %]
 <div class="pluginlist">
@@ -62,6 +63,7 @@
             plugins that you want to use.
         </div>
         <form action="/cgi-bin/koha/admin/didyoumean.pl" method="post">
+            [% INCLUDE 'csrf-token.inc' %]
             <fieldset id="didyoumeanopac">
                 <legend>OPAC</legend>
                 [% PROCESS pluginlist plugins=OPACpluginlist type='opac' %]
@@ -105,7 +107,8 @@
         function yesimeant() {
             var OPACdidyoumean = serialize_plugins('opac');
 
-            var data = "pref_OPACdidyoumean=" + encodeURIComponent(OPACdidyoumean);
+            const csrf_token = "[% Koha.GenerateCSRF | $raw %]";
+            let data = "pref_OPACdidyoumean=%s&csrf_token=%s".format(encodeURIComponent(OPACdidyoumean), csrf_token);
 
             $.ajax({
                 data: data,
-- 
2.39.2