author | Adrian Lang <lang@cosmocode.de> | 2010-02-09 10:51:54 +0100 |
---|---|---|
committer | Adrian Lang <lang@cosmocode.de> | 2010-02-09 10:56:46 +0100 |
commit | 66d2bed97d77042bdcd15cbeb71f058918c8f614 (patch) | |
tree | f0e2636c8f9889be86f101b85fb84d0b32af620d /inc | |
parent | c4b04b7f874a6c3f7ab5296aed1c039757183eb7 (diff) | |
Add security token to subscription manage page
Diffstat (limited to 'inc')
-rw-r--r-- | inc/actions.php | 2 | ||||
-rw-r--r-- | inc/template.php | 11 |
2 files changed, 9 insertions, 4 deletions
diff --git a/inc/actions.php b/inc/actions.php
index 1fda0584e..b7567bc20 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -571,7 +571,7 @@ function act_subscription($act){
 }
 // any action given? if not just return and show the subscription page
- if(!$params['action']) return $act;
+ if(!$params['action'] || !checkSecurityToken()) return $act;
 // Handle POST data, may throw exception.
 trigger_event('ACTION_HANDLE_SUBSCRIBE', $params, 'subscription_handle_post');
diff --git a/inc/template.php b/inc/template.php
index bab68e549..df0c94437 100644
--- a/inc/template.php
+++ b/inc/template.php
@@ -1375,9 +1375,14 @@ function tpl_subscribe() {
 if(!$sstl) $sstl = hsc($sub['style']);
 echo ' ('.$sstl.') ';
- echo '<a href="'.wl($ID,array('do'=>'subscribe','sub_target'=>$sub['target'],'sub_style'=>$sub['style'],'sub_action'=>'unsubscribe')).'" class="unsubscribe">'.$lang['subscr_m_unsubscribe'].'</a>';
-
- echo '</div></li>';
+ echo '<a href="' . wl($ID,
+ array('do'=>'subscribe',
+ 'sub_target'=>$sub['target'],
+ 'sub_style'=>$sub['style'],
+ 'sub_action'=>'unsubscribe',
+ 'sectok' => getSecurityToken())) .
+ '" class="unsubscribe">'.$lang['subscr_m_unsubscribe'] .
+ '</a></div></li>';
 }
 echo '</ul>';
 }
|
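Review bot: The new guard in act_subscription() folds "no action requested" and "action requested with a missing or stale token" into one early return, and the comment above it still describes only the first case. I would document the second clause on its own, e.g. `// state-changing requests must carry a valid sectok (CSRF); otherwise fall back to showing the page`, or split the condition into two `if` statements so the rejection path is visible. Whether the user gets any feedback on a rejected token depends on checkSecurityToken(), which is not shown here. Every caller that submits `sub_action` now has to send `sectok`; this commit visibly updates only the unsubscribe link, so the subscribe form elsewhere in tpl_subscribe() should be confirmed to carry the token as well. The function body continues outside the hunk.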
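Review bot: The anti-CSRF token is placed in the query string of the unsubscribe link, so `sectok` will end up in browser history, web-server access logs and the Referer header of any request made from the resulting page, and the unsubscribe itself remains a state change triggered by GET. If the token is valid for the whole session, as the name getSecurityToken() suggests but the hunk does not show, a leaked URL weakens the protection for every other tokened action too. Submitting the unsubscribe as a small POST form with `sectok` in a hidden field would avoid that. If the link has to stay, a comment such as `// sectok is exposed in the URL here; acceptable only because unsubscribe is low-impact` would record the trade-off. tpl_subscribe() starts and ends outside the hunk.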