Add CSRF protection to declaration creation form

Security Fixes:
- Added CSRF token field to form
- Added token validation in form processing
- Added proper error handling for missing dates
- Added ErrorMissingDates translation in both languages
- Form now properly validates CSRF tokens before processing

This fixes the 'Token not provided' error when submitting the form.
Frank Cools 2025-10-02 18:14:58 +02:00
parent e64c1f5a6d
commit 54d0ceaa03
3 changed files with 20 additions and 10 deletions


@ -45,7 +45,11 @@ $end_date = GETPOST('end_date', 'alpha');
$error = '';
$success = '';
if ($action == 'create' && !empty($start_date) && !empty($end_date)) {
if ($action == 'create') {
// Check CSRF token
if (!checkToken()) {
$error = $langs->trans("ErrorCSRFToken");
} elseif (!empty($start_date) && !empty($end_date)) {
// Create the declaration with dates
$declaration_id = $declarationtva->createDeclarationWithDates($start_date, $end_date, $declaration_name);
@ -57,6 +61,9 @@ if ($action == 'create' && !empty($start_date) && !empty($end_date)) {
} else {
$error = $langs->trans("ErrorCreatingDeclaration") . ": " . $declarationtva->error;
}
} else {
$error = $langs->trans("ErrorMissingDates");
}
}
// Page title
@ -80,6 +87,7 @@ print '<div class="titre">' . $langs->trans("DeclarationDetails") . '</div>';
print '<form method="POST" action="' . $_SERVER['PHP_SELF'] . '">';
print '<input type="hidden" name="action" value="create">';
print '<input type="hidden" name="token" value="' . newToken() . '">';
print '<table class="noborder centpercent">';
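Review bot: The `ErrorCSRFToken` key used in the `checkToken()` failure branch of the first hunk is not added to either language file in this commit, although `ErrorMissingDates` is; unless it already exists elsewhere in the lang files, `$langs->trans("ErrorCSRFToken")` will render the bare key to the user. Add `ErrorCSRFToken = Invalid or missing security token` next to the new `ErrorMissingDates` entry in the English file, with a matching French line. Note also that in Dolibarr the 'Token not provided' message named in the commit description is raised by the framework's central token check in main.inc.php, so the hidden `token` field added to the form is what actually resolves it; if `checkToken()` is a module-local helper it should compare against the session token with `hash_equals()`, and if it is not defined anywhere the create POST will fatal. The `if ($action == 'create')` block opened in the first hunk continues into and closes in the second hunk.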


@ -402,6 +402,7 @@ DeclarationSubmitted = Declaration submitted successfully
ErrorCreatingDeclaration = Error creating declaration
ErrorValidatingDeclaration = Error validating declaration
ErrorSubmittingDeclaration = Error submitting declaration
ErrorMissingDates = Please provide both start and end dates
# Create Declaration Page
DeclarationDetails = Declaration Details


@ -391,6 +391,7 @@ DeclarationSubmitted = Déclaration soumise avec succès
ErrorCreatingDeclaration = Erreur lors de la création de la déclaration
ErrorValidatingDeclaration = Erreur lors de la validation de la déclaration
ErrorSubmittingDeclaration = Erreur lors de la soumission de la déclaration
ErrorMissingDates = Veuillez fournir les dates de début et de fin
# Create Declaration Page
DeclarationDetails = Détails de la déclaration