don't write the csrf token field to the output buffer

but return and echo it
2025-03-01 10:31:47 +00:00 · 2019-08-01 13:03:59 +02:00
parent 6f1ae104f3
commit 0a255e8b49
5 changed files with 5 additions and 5 deletions
--- a/includes/admin.php
+++ b/includes/admin.php
@@ -40,7 +40,7 @@ function DisplayAuthConfig($username, $password)
        <div class="panel-body">
          <p><?php $status->showMessages(); ?></p>
          <form role="form" action="?page=auth_conf" method="POST">
-            <?php CSRFToken() ?>
+            <?php echo CSRFToken() ?>
            <div class="row">
              <div class="form-group col-md-4">
                <label for="username"><?php echo _("Username"); ?></label>
--- a/includes/configure_client.php
+++ b/includes/configure_client.php
@@ -182,7 +182,7 @@ function DisplayWPAConfig()
            </div> 

            <form method="POST" action="?page=wpa_conf" name="wpa_conf_form">
-                <?php CSRFToken() ?>
+                <?php echo CSRFToken() ?>
              <input type="hidden" name="client_settings" ?>
              <script>
                function showPassword(index) {
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -70,7 +70,7 @@ function ensureCSRFSessionToken()
 function CSRFToken()
 {
    $token = htmlspecialchars($_SESSION['csrf_token']);
-    echo '<input id="csrf_token" type="hidden" name="csrf_token" value="' . $token . '">';
+    return '<input id="csrf_token" type="hidden" name="csrf_token" value="' . $token . '">';
 }

 /**
--- a/includes/hostapd.php
+++ b/includes/hostapd.php
@@ -83,7 +83,7 @@ function DisplayHostAPDConfig()
                <div class="tab-pane fade in active" id="basic">

                <h4><?php echo _("Basic settings") ;?></h4>
-                <?php CSRFToken() ?>
+                <?php echo CSRFToken() ?>
                <div class="row">
                  <div class="form-group col-md-4">
                    <label for="cbxinterface"><?php echo _("Interface") ;?></label>
--- a/includes/system.php
+++ b/includes/system.php
@@ -200,7 +200,7 @@ if (isset($_POST['system_shutdown'])) {

    <div role="tabpanel" class="tab-pane" id="language">
      <h4><?php echo _("Language settings") ;?></h4>
-        <?php CSRFToken() ?>
+        <?php echo CSRFToken() ?>
      <div class="row">
        <div class="form-group col-md-4">
          <label for="code"><?php echo _("Select a language"); ?></label>