vérificatio CSRF et mise en page

1 files changed, 9 insertions, 4 deletions

diff --git a/index.php b/index.php
index 1cb32f58..d477d699 100755
--- a/index.php
+++ b/index.php
@@ -10,12 +10,16 @@
 
 include dirname(__FILE__).'/inc/config.php';
 
-$action = (isset ($_GET['action'])) ? htmlspecialchars($_GET['action']) : '';
-$view   = (isset ($_GET['view'])) ? htmlspecialchars($_GET['view']) : 'index';
-$id     = (isset ($_GET['id'])) ? htmlspecialchars($_GET['id']) : '';
+$action = (isset ($_REQUEST['action'])) ? htmlentities($_REQUEST['action']) : '';
+$view   = (isset ($_GET['view'])) ? htmlentities($_GET['view']) : 'index';
+$id     = (isset ($_REQUEST['id'])) ? htmlspecialchars($_REQUEST['id']) : '';
 $url    = (isset ($_GET['url'])) ? $_GET['url'] : '';
+$token    = (isset ($_POST['token'])) ? $_POST['token'] : '';
+
+if ($action != '') {
+    action_to_do($action, $id, $url, $token);
+}
 
-action_to_do($action, $id);
 $entries = display_view($view);
 
 $tpl->assign('title', 'poche, a read it later open source system');
@@ -23,4 +27,5 @@ $tpl->assign('view', $view);
 $tpl->assign('poche_url', get_poche_url());
 $tpl->assign('entries', $entries);
 $tpl->assign('load_all_js', 1);
+$tpl->assign('token', $_SESSION['token_poche']);
 $tpl->draw('home');
\ No newline at end of file