pagestyle.module uses the raw POST to set the style so it is possible your page style can be changed without your own action. This is effectively a CSRF though the action is not dangerous at all. A possible solution is to use core's token generation and check before altering the style.

Comments

CZ’s picture

CZ commented
Status: Active » Postponed (maintainer needs more info)

Hi coltrane

You mean hook_submit()? This is possible for the forms, but for links?

CZ’s picture

CZ commented
Status: Postponed (maintainer needs more info) » Closed (won't fix)