Added new modules to help prevent Cross Site Request Forgery

Made changes to prevent arbitrary code exection on AdmPortal. Issue-ID: OJSI-40 Change-Id: I5ec60e2585413f3948c2540bd502dd1393794267 Signed-off-by: Rotundo, Al (ar3165) <ar3165@att.com> Former-commit-id: 3d54c9ad35ef5e7a4b13948e718a4ad2830cbb04
author: Rotundo, Al (ar3165) <ar3165@att.com> 2019-07-31 14:46:56 +0000
committer: Timoney, Dan (dt5972) <dtimoney@att.com> 2019-07-31 14:31:07 -0400
commit: 18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch)
tree: 39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/views/partials/new_parameter.ejs
parent: 33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff)
1 files changed, 36 insertions, 35 deletions
diff --git a/admportal/views/partials/new_parameter.ejs b/admportal/views/partials/new_parameter.ejs
index b6d1f5be..4a2c0fe3 100644
--- a/admportal/views/partials/new_parameter.ejs
+++ b/admportal/views/partials/new_parameter.ejs
@@ -1,36 +1,37 @@
-   <div class="modal fade" id="new_parameter" tabindex="-1" role="dialog" 
+<div class="modal fade" id="new_parameter" tabindex="-1" role="dialog" 
 		aria-labelledby="new_parameter_label" aria-hidden="true">
-      <div class="modal-dialog">
-        <div class="modal-content">
-          <div class="modal-header">
-            <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
-            <h4 class="modal-title">Add Parameter</h4>
-          </div>
-          <div class="modal-body">
-            <form name="addForm" role="form" action="/admin/addParameter" method="POST">
-              <div class="form-group">
-                <label for="nf_name">*Name</label>
-                <input maxlength="100" type="text" class="form-control" name="nf_name" id="nf_name" placeholder="varchar(100)">
-              </div>
-              <div class="form-group">
-                <label for="nf_value">*Value</label>
-                <input maxlength="100" type="text" class="form-control" name="nf_value" id="nf_value" placeholder="varchar(100)">
-              </div>
-              <div class="form-group">
-                <label for="nf_category">Category</label>
-                <input maxlength="24" type="text" class="form-control" name="nf_category" id="nf_category" placeholder="varchar(24)">
-              </div>
-              <div class="form-group">
-                <label for="nf_memo">Memo</label>
-                <input maxlength="128" type="text" class="form-control" name="nf_memo" id="nf_memo" placeholder="varchar(128)">
-              </div>
-			  <div class="form-group">
-                  <input type="hidden" name="nf_action" id="nf_action">
-                  <button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
-                  <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
-              </div>
-           </form>
-          </div>
-      </div>
-    </div>
-  </div>
+	<div class="modal-dialog">
+		<div class="modal-content">
+			<div class="modal-header">
+				<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
+				<h4 class="modal-title">Add Parameter</h4>
+			</div>
+			<div class="modal-body">
+				<form name="addForm" role="form" action="/admin/addParameter" method="POST">
+					<div class="form-group">
+						<label for="nf_name">*Name</label>
+						<input maxlength="100" type="text" class="form-control" name="nf_name" id="nf_name" placeholder="varchar(100)" />
+					</div>
+					<div class="form-group">
+						<label for="nf_value">*Value</label>
+						<input maxlength="100" type="text" class="form-control" name="nf_value" id="nf_value" placeholder="varchar(100)" />
+					</div>
+					<div class="form-group">
+						<label for="nf_category">Category</label>
+						<input maxlength="24" type="text" class="form-control" name="nf_category" id="nf_category" placeholder="varchar(24)" />
+					</div>
+					<div class="form-group">
+						<label for="nf_memo">Memo</label>
+						<input maxlength="128" type="text" class="form-control" name="nf_memo" id="nf_memo" placeholder="varchar(128)" />
+					</div>
+					<div class="form-group">
+						<input type="hidden" name="_csrf" value="<%= privilege.csrfToken %>" />
+          	<input type="hidden" name="nf_action" id="nf_action">
+          	<button type="button" class="btn btn-primary" onclick="submitParam(this.form);">Submit</button>
+          	<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+        	</div>
+        </form>
+			</div>
+		</div>
+	</div>
+</div>
author	Rotundo, Al (ar3165) <ar3165@att.com>	2019-07-31 14:46:56 +0000
committer	Timoney, Dan (dt5972) <dtimoney@att.com>	2019-07-31 14:31:07 -0400
commit	18dcbec3a5a99a57d0ef43a06a99c2ab17c2eed6 (patch)
tree	39c938d972c6a3fefbb5c8350c2141fb8ee1e5eb /admportal/views/partials/new_parameter.ejs
parent	33e9f85700d3ba17f95a69011d2d2932d4b98df0 (diff)