-rw-r--r-- | inc/actions.php | 2 | ||||
-rw-r--r-- | inc/template.php | 11 |
2 files changed, 9 insertions, 4 deletions
diff --git a/inc/actions.php b/inc/actions.php
index 1fda0584e..b7567bc20 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -571,7 +571,7 @@ function act_subscription($act){
 }
 // any action given? if not just return and show the subscription page
- if(!$params['action']) return $act;
+ if(!$params['action'] || !checkSecurityToken()) return $act;
 // Handle POST data, may throw exception.
 trigger_event('ACTION_HANDLE_SUBSCRIBE', $params, 'subscription_handle_post');
diff --git a/inc/template.php b/inc/template.php
index bab68e549..df0c94437 100644
--- a/inc/template.php
+++ b/inc/template.php
@@ -1375,9 +1375,14 @@ function tpl_subscribe() {
 if(!$sstl) $sstl = hsc($sub['style']);
 echo ' ('.$sstl.') ';
- echo '<a href="'.wl($ID,array('do'=>'subscribe','sub_target'=>$sub['target'],'sub_style'=>$sub['style'],'sub_action'=>'unsubscribe')).'" class="unsubscribe">'.$lang['subscr_m_unsubscribe'].'</a>';
-
- echo '</div></li>';
+ echo '<a href="' . wl($ID,
+ array('do'=>'subscribe',
+ 'sub_target'=>$sub['target'],
+ 'sub_style'=>$sub['style'],
+ 'sub_action'=>'unsubscribe',
+ 'sectok' => getSecurityToken())) .
+ '" class="unsubscribe">'.$lang['subscr_m_unsubscribe'] .
+ '</a></div></li>';
 }
 echo '</ul>';
 }
|
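Review bot: The comment above the changed condition in act_subscription() still reads "any action given? if not just return and show the subscription page", but the line now also returns when the token check fails, so the comment no longer describes the branch. I would update it, e.g. `// no action given, or the security token did not verify: just show the subscription page`, or split the two cases into separate `if` statements so each has its own comment. Placing the check before trigger_event('ACTION_HANDLE_SUBSCRIBE', …) is the right spot, since handlers then never run on an unverified request, and the short-circuit order means the token is only checked when an action was actually submitted. Whether a rejected request is reported to the user or logged depends on checkSecurityToken(), which is outside this hunk, as is the start of the function.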
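Review bot: The unsubscribe link in tpl_subscribe() remains a state-changing GET request and now carries `sectok` in its query string, so the token can end up in browser history, server access logs and Referer headers sent to external sites linked from the page. If the token stays valid for the whole session (its lifetime is not visible here), a leaked value would let the new check in act_subscription() pass for a forged request. Consider rendering unsubscribe as a small POST form with the token in a hidden field; at minimum add a comment such as `// sectok travels in the URL here; keep this link out of cached or shared output`. The function begins and ends outside the hunk.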