⚠️ Major security update. ⚠️

⚠️ CSRF Protection added to whole flaskBlog. ⚠️

app.py

@@ -29,6 +29,7 @@
 from routes.accountSettings import accountSettingsBlueprint
 from routes.adminPanelComments import adminPanelCommentsBlueprint
 from dbChecker import dbFolder, usersTable, postsTable, commentsTable
+from flask_wtf.csrf import CSRFProtect
 
 dbFolder()
 usersTable()
@@ -38,6 +39,7 @@
 app = Flask(__name__)
 app.secret_key = secrets.token_urlsafe(32)
 app.config["SESSION_PERMANENT"] = True
+csrf = CSRFProtect(app)
 
 
 @app.context_processor

templates/accountSettings.html

@@ -18,6 +18,7 @@ <h2>
   </h2>
   <h2>
     <form method="post">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
       <button type="submit" name="userDeleteButton" class="toPanel textPrimary">
         delete your account
       </button>

templates/adminPanelComments.html

@@ -19,6 +19,7 @@ <h3>
   <div class="content" tag="content">{{comment[2]}}</div>
   <section>
     <form method="post">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
       <input type="hidden" name="commentID" value="{{comment[0]}}" />
       <button
         type="submit"

templates/adminPanelUsers.html

@@ -30,6 +30,7 @@ <h1 class="textCenter">Users</h1>
     </section>
     <section class="stats">
       <form method="post">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
         <input type="hidden" name="userName" value="{{user[1]}}" />
         <button
           type="submit"

templates/changePassword.html

@@ -7,6 +7,7 @@
 {% endblock head %} {%block body%}
 <div class="container">
   <form method="post" class="form">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     {{form.oldPassword(class_="input")}} {{form.password(class_="input")}}
     {{form.passwordConfirm(class_="input")}}
     <button type="submit" class="btn btnPrimary">change my password</button>

templates/changeUserName.html

@@ -7,6 +7,7 @@
 {% endblock head %} {%block body%}
 <div class="container">
   <form method="post" class="form">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     {{form.newUserName(class_="input")}}
     <button type="submit" class="btn btnPrimary">change my username</button>
   </form>

templates/createPost.html

@@ -3,6 +3,8 @@
 {% endblock head %} {%block body%}
 <div class="container">
   <form method="post" class="form formPost centeredHorizontally">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     {{form.postTitle(class_="input centeredHorizontally" , autocomplete="off")}}
     {{form.postTags(class_="input centeredHorizontally" , autocomplete="off")}}
     <small>(separete with comma)</small>

templates/dashboard.html

@@ -21,6 +21,7 @@ <h1 class="textCenter">Posts</h1>
   <section>
     <a href="/editpost/{{post[0]}}" class="btn btnLink textPrimary">edit</a>
     <form method="post">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
       <input type="hidden" name="postID" value="{{post[0]}}" />
       <button
         type="submit"

templates/editPost.html

@@ -3,6 +3,7 @@
 {% endblock head %} {%block body%}
 <div class="container">
   <form method="post" class="form formPost centeredHorizontally">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     {{form.postTitle(class_="input centeredHorizontally" , autocomplete="off")}}
     {{form.postTags(class_="input centeredHorizontally" , autocomplete="off")}}
     <small>(separete with comma)</small>

templates/login.html

@@ -7,6 +7,7 @@
 {% endblock head %} {%block body%}
 <div class="container">
   <form method="post" class="form">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     {{form.userName(class_="input",autocomplete="off")}}{{form.password(autocomplete="off",class_="input")}}
     <button type="submit" class="btn btnPrimary">Login</button>
     <a href="/passwordreset/codesent=false" id="passwordReset"

templates/passwordReset.html

@@ -7,6 +7,7 @@
 {% endblock head %} {%block body%}
 <div class="container">
   <form method="post" class="form">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     {% if mailSent %} {{form.code(autocomplete="off",class_="input")}}
     {{form.password(autocomplete="off",class_="input")}}
     {{form.passwordConfirm(autocomplete="off",class_="input")}}

templates/post.html

@@ -31,6 +31,7 @@ <h5 class="date">{{date}}</h5>
   {% if author == session["userName"] %}
   <div class="bottomBar">
     <form method="post">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
       <button
         type="submit"
         class="btn btnLink textPrimary"
@@ -53,12 +54,14 @@ <h5 class="date">{{date}}</h5>
     <p class="centeredHorizontally">{{comment[2]}}</p>
     {% if session["userName"] == comment[3] %}
     <form method="post">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
       <input type="hidden" name="commentID" value="{{comment[0]}}" />
       <button type="submit" name="commentDeleteButton">🗑️</button>
     </form>
     {% endif %} {% endfor %}
   </div>
   <form method="post" class="commentForm">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     {% if session["userName"] %} {{form.comment(class_="comment")}}
     <button type="submit" class="btnSubmit">comment</button>
     {% else %}

templates/signup.html

@@ -7,6 +7,7 @@
 {% endblock head %} {%block body%}
 <div class="container">
   <form method="post" class="form">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     {{form.userName(class_="input" , autocomplete="off")}}
     {{form.email(class_="input",autocomplete="off")}}
     {{form.password(class_="input")}} {{form.passwordConfirm(class_="input")}}