LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
129 Commits 2 Branches 0 Tags
7462d7c50950e37378b37fe60fbb449327c0cb1a
Commit Graph

4 Commits

Author SHA1 Message Date
Jared Vititoe
58f2e9d143 feat: Add CSRF tokens to all JavaScript fetch calls and fix XSS 
Security improvements across all JavaScript files:

CSRF Protection:
- assets/js/ticket.js - Added X-CSRF-Token header to 5 fetch calls
  (update_ticket.php x3, add_comment.php, assign_ticket.php)
- assets/js/dashboard.js - Added X-CSRF-Token to 8 fetch calls
  (update_ticket.php x2, bulk_operation.php x6)
- assets/js/settings.js - Added X-CSRF-Token to user preferences save
- assets/js/advanced-search.js - Added X-CSRF-Token to filter save/delete

XSS Prevention:
- assets/js/ticket.js:183-209 - Replaced insertAdjacentHTML() with safe
  DOM API (createElement/textContent) to prevent script injection in
  comment rendering. User-supplied data (user_name, created_at) now
  auto-escaped via textContent.

All state-changing operations now include CSRF token validation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-09 16:13:13 -05:00
Jared Vititoe
61e3bd69ff Centered settings modal 2026-01-08 23:19:44 -05:00
Jared Vititoe
83a1ba393a Fix settings 2026-01-08 23:16:29 -05:00
Jared Vititoe
b781a44ed5 Added settings menu 2026-01-08 23:05:03 -05:00