frank/DeclarationTVA
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CSRF protection to declaration creation form

Browse Source 
Security Fixes:
- Added CSRF token field to form
- Added token validation in form processing
- Added proper error handling for missing dates
- Added ErrorMissingDates translation in both languages
- Form now properly validates CSRF tokens before processing

This fixes the 'Token not provided' error when submitting the form.
This commit is contained in:
Frank Cools 2025-10-02 18:14:58 +02:00
parent e64c1f5a6d
commit 54d0ceaa03
3 changed files with 20 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
declarationtva_create.php
View File

@ -45,17 +45,24 @@ $end_date = GETPOST('end_date', 'alpha');
$error = ''; $error = '';
$success = ''; $success = '';
if ($action == 'create' && !empty($start_date) && !empty($end_date)) { if ($action == 'create') {
// Create the declaration with dates // Check CSRF token
$declaration_id = $declarationtva->createDeclarationWithDates($start_date, $end_date, $declaration_name); if (!checkToken()) {
$error = $langs->trans("ErrorCSRFToken");
} elseif (!empty($start_date) && !empty($end_date)) {
// Create the declaration with dates
$declaration_id = $declarationtva->createDeclarationWithDates($start_date, $end_date, $declaration_name);
if ($declaration_id > 0) { if ($declaration_id > 0) {
$success = $langs->trans("DeclarationCreated"); $success = $langs->trans("DeclarationCreated");
// Redirect to view the created declaration // Redirect to view the created declaration
header("Location: declarationtva_view.php?id=" . $declaration_id); header("Location: declarationtva_view.php?id=" . $declaration_id);
exit; exit;
} else {
$error = $langs->trans("ErrorCreatingDeclaration") . ": " . $declarationtva->error;
}
} else { } else {
$error = $langs->trans("ErrorCreatingDeclaration") . ": " . $declarationtva->error; $error = $langs->trans("ErrorMissingDates");
} }
} }
@ -80,6 +87,7 @@ print '<div class="titre">' . $langs->trans("DeclarationDetails") . '</div>';
print '<form method="POST" action="' . $_SERVER['PHP_SELF'] . '">'; print '<form method="POST" action="' . $_SERVER['PHP_SELF'] . '">';
print '<input type="hidden" name="action" value="create">'; print '<input type="hidden" name="action" value="create">';
print '<input type="hidden" name="token" value="' . newToken() . '">';
print '<table class="noborder centpercent">'; print '<table class="noborder centpercent">';

1
langs/en_US/declarationtva.lang
View File

@ -402,6 +402,7 @@ DeclarationSubmitted = Declaration submitted successfully
ErrorCreatingDeclaration = Error creating declaration ErrorCreatingDeclaration = Error creating declaration
ErrorValidatingDeclaration = Error validating declaration ErrorValidatingDeclaration = Error validating declaration
ErrorSubmittingDeclaration = Error submitting declaration ErrorSubmittingDeclaration = Error submitting declaration
ErrorMissingDates = Please provide both start and end dates
# Create Declaration Page # Create Declaration Page
DeclarationDetails = Declaration Details DeclarationDetails = Declaration Details

1
langs/fr_FR/declarationtva.lang
View File

@ -391,6 +391,7 @@ DeclarationSubmitted = Déclaration soumise avec succès
ErrorCreatingDeclaration = Erreur lors de la création de la déclaration ErrorCreatingDeclaration = Erreur lors de la création de la déclaration
ErrorValidatingDeclaration = Erreur lors de la validation de la déclaration ErrorValidatingDeclaration = Erreur lors de la validation de la déclaration
ErrorSubmittingDeclaration = Erreur lors de la soumission de la déclaration ErrorSubmittingDeclaration = Erreur lors de la soumission de la déclaration
ErrorMissingDates = Veuillez fournir les dates de début et de fin
# Create Declaration Page # Create Declaration Page
DeclarationDetails = Détails de la déclaration DeclarationDetails = Détails de la déclaration