luci-mod-admin-full: protect network post actions with csrf tokens
[project/luci.git] / modules / luci-mod-admin-full / luasrc / view / admin_network / diagnostics.htm
index 05c8661..685082a 100644 (file)
@@ -34,7 +34,7 @@ local has_traceroute6 = fs.access("/usr/bin/traceroute6")
                        legend.parentNode.style.display = 'block';
                        legend.style.display = 'inline';
 
-                       stxhr.get('<%=luci.dispatcher.build_url("admin", "network")%>/diag_' + tool + protocol + '/' + addr, null,
+                       stxhr.post('<%=url('admin/network')%>/diag_' + tool + protocol + '/' + addr, { token: '<%=token%>' },
                                function(x)
                                {
                                        if (x.responseText)
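Review bot: `addr` is still concatenated unencoded into the request path on the new `stxhr.post(...)` line, so a value containing `/`, `?` or `#` changes which URL is requested instead of being passed as one argument. Where `addr` is assigned is outside this hunk; if it is the user-typed field value, I would write `'/' + encodeURIComponent(addr)`, provided the dispatcher decodes path arguments. The token in the POST body only protects these actions if the `diag_*` routes reject requests that lack it, and that handler-side change is not visible here. Validation of the address on the server, before it reaches the diagnostic command, remains the control that matters. The callback body continues past the end of the hunk.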
@@ -53,9 +53,9 @@ local has_traceroute6 = fs.access("/usr/bin/traceroute6")
        }
 //]]></script>
 
-<form method="post" action="<%=pcdata(luci.http.getenv("REQUEST_URI"))%>">
+<form method="post" action="<%=url('admin/network/diagnostics')%>">
        <div class="cbi-map">
-               <h2><a id="content" name="content"><%:Diagnostics%></a></h2>
+               <h2 name="content"><%:Diagnostics%></h2>
 
                <fieldset class="cbi-section">
                        <legend><%:Network Utilities%></legend>
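Review bot: The `<form method="post" action="<%=url('admin/network/diagnostics')%>">` line has no hidden `token` field within this hunk, so a native submit (for example pressing Enter in a text input) may post without the CSRF token the commit is introducing. The form body continues outside the hunk, so the field may exist further down; if it does not, add `<input type="hidden" name="token" value="<%=token%>" />` directly after the opening tag. Separately, `<h2 name="content">` drops the `id="content"` anchor and `name` is not a valid attribute on a heading, so any `#content` link would no longer resolve; `<h2 id="content">` keeps that target.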