From b4cb67e77f3b228c007f58caac234cae1afabe73 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Mon, 14 Sep 2020 20:00:01 +0300
Subject: [PATCH] remove csrf token from rpc method sanityCheck

---
 include/functions.php | 1 -
 index.php             | 4 ++++
 js/App.js             | 2 ++
 prefs.php             | 4 ++++
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/include/functions.php b/include/functions.php
index 43e9eb8f6..220a8e9d8 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -1007,7 +1007,6 @@
 
 		$params["hotkeys"] = get_hotkeys_map();
 
-		$params["csrf_token"] = $_SESSION["csrf_token"];
 		$params["widescreen"] = (int) $_COOKIE["ttrss_widescreen"];
 
 		$params['simple_update'] = defined('SIMPLE_UPDATE_MODE') && SIMPLE_UPDATE_MODE;
diff --git a/index.php b/index.php
index 543d2b008..21f727cb3 100644
--- a/index.php
+++ b/index.php
@@ -47,6 +47,10 @@
 	}
 	?>
 
+	<script type="text/javascript">
+		const __csrf_token = "<?php echo $_SESSION["csrf_token"]; ?>";
+	</script>
+
 	<?php print_user_stylesheet() ?>
 
 	<style type="text/css">
diff --git a/js/App.js b/js/App.js
index 0e1473557..7eb4b7f48 100644
--- a/js/App.js
+++ b/js/App.js
@@ -576,6 +576,8 @@ const App = {
       this.is_prefs = is_prefs;
       window.onerror = this.Error.onWindowError;
 
+      this.setInitParam("csrf_token", __csrf_token);
+
       this.setupNightModeDetection(() => {
          parser.parse();
 
diff --git a/prefs.php b/prefs.php
index 12976ad8f..51699cef9 100644
--- a/prefs.php
+++ b/prefs.php
@@ -39,6 +39,10 @@
 	}
 	?>
 
+	<script type="text/javascript">
+		const __csrf_token = "<?php echo $_SESSION["csrf_token"]; ?>";
+	</script>
+
 	<?php print_user_stylesheet() ?>
 
 	<link rel="shortcut icon" type="image/png" href="images/favicon.png"/>