CSRF protection for cancel appointment use case

2015-05-27 23:32:26 +02:00 · 2015-05-27 23:32:26 +02:00 · daf4865c29
commit daf4865c29
parent 36d73a24c0
1 changed files with 1 additions and 0 deletions
--- a/src/application/views/appointments/book.php
+++ b/src/application/views/appointments/book.php
@ -137,6 +137,7 @@
                                    <form id="cancel-appointment-form" method="post"
                                            action="' . $this->config->item('base_url') 
                                            . '/index.php/appointments/cancel/' . $appointment_data['hash'] . '">
+                                        <input type="hidden" name="csrfToken" value="' . $this->security->get_csrf_hash() . '" />
                                        <textarea name="cancel_reason" style="display:none"></textarea>
                                        <button id="cancel-appointment" class="btn btn-inverse">' .
                                                $this->lang->line('cancel') . '</button>