Comment by fmavituna
9 years ago
Hey, good job there, much needed improvements. Thanks.
There is a CSRF vulnerability in the "favorite" feature.
A very quick demo: visit this URL: https://jsfiddle.net/o9hw1u75/embedded/result/
Now visit your favs from your profile and you'll notice that the "SQL Injection" post is automatically added to your fav list. Just like the upvote system, fav needs to be protected against CSRF.
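The fix the comment asks for is the same one the upvote endpoint already has: a per-session anti-CSRF token that a third-party page cannot read, plus refusing non-POST requests. The following is an added illustration written for this thread, not code from the site or from fmavituna; the `Session`, `Request`, `render_favorite_form` and `handle_favorite` names and the in-memory models are hypothetical stand-ins for the real application.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical in-memory session and request models (constructed for this example).
@dataclass
class Session:
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    favorites: set = field(default_factory=set)

@dataclass
class Request:
    method: str
    form: dict
    # The browser attaches cookies automatically, so a cross-site request still
    # arrives with the victim's session; that is exactly why the token is needed.
    cookies_session: Optional[Session]

def render_favorite_form(session, post_id):
    """The legitimate page embeds the session's token in the form it serves."""
    return {"post_id": str(post_id), "csrf_token": session.csrf_token}

def handle_favorite(request):
    """Only state-changing POSTs that carry the session's own token are honored."""
    session = request.cookies_session
    if session is None:
        return 401, "not logged in"
    if request.method != "POST":
        # A bare link or image tag can only produce a GET; never mutate state on it.
        return 405, "method not allowed"
    submitted = request.form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "csrf token missing or invalid"
    session.favorites.add(int(request.form["post_id"]))
    return 200, "favorited"

def demo():
    """Shows a cross-site submission being refused and a same-site one accepted."""
    victim = Session(user_id=42)
    # Cross-site flow: the cookie rides along, but the foreign page never saw the token.
    forged = handle_favorite(Request("POST", {"post_id": "7"}, victim))
    after_forged = sorted(victim.favorites)
    # Legitimate flow: the form served to the logged-in user includes the token.
    ok = handle_favorite(Request("POST", render_favorite_form(victim, 7), victim))
    # A GET-style trigger is refused regardless of the token.
    get = handle_favorite(Request("GET", render_favorite_form(victim, 8), victim))
    return {"forged": forged, "after_forged": after_forged, "ok": ok,
            "get": get, "favorites": sorted(victim.favorites)}

if __name__ == "__main__":
    print(demo())
```

The token lives in the session and is echoed into every form the site renders; a page on another origin can make the browser send the cookie but cannot read that token, so its forged POST fails the `compare_digest` check and the favorites list stays unchanged.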
Whoops, good catch! Will fix. Edit: still can't believe I forgot about that after all these years...
Thanks for the report! This should now be fixed.