Page style can be set remotely, without user's intention
coltrane - September 5, 2009 - 14:21
| Project: | Page Style |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | task |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
pagestyle.module uses the raw POST to set the style, so it is possible your page style can be changed without your own action. This is effectively a CSRF, though the action is not dangerous at all. A possible solution is to use core's token generation and check before altering the style.
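
A sketch of the token check suggested above, as an added example that is not code from pagestyle.module or its maintainers. It assumes it runs inside a Drupal 6 module and uses core's `drupal_get_token()` and `drupal_valid_token()`; every `example_*` name, the form field names, the style list and the session storage are hypothetical.

```php
<?php
// Added example for a Drupal 6 module. All example_* names, the POST field
// names and the style list are hypothetical, not taken from pagestyle.module.

define('EXAMPLE_PAGESTYLE_TOKEN_KEY', 'example_pagestyle_switch');

/**
 * Hidden element for the style switcher form, e.g.
 * $form['pagestyle_token'] = example_pagestyle_token_field();
 * drupal_get_token() binds the value to the visitor's session and the
 * site's private key, so another site cannot precompute it.
 */
function example_pagestyle_token_field() {
  return array(
    '#type' => 'hidden',
    '#value' => drupal_get_token(EXAMPLE_PAGESTYLE_TOKEN_KEY),
  );
}

/**
 * Applies a style change from the raw POST only when the token validates.
 * Returns TRUE if the style was changed, FALSE otherwise.
 */
function example_pagestyle_apply_post() {
  if (empty($_POST['pagestyle_select']) || empty($_POST['pagestyle_token'])) {
    return FALSE;
  }
  $style = $_POST['pagestyle_select'];
  $token = $_POST['pagestyle_token'];
  // Array-valued parameters (field[]=x) must not reach the checks below.
  if (!is_string($style) || !is_string($token)) {
    return FALSE;
  }
  // A cross-site request carries the visitor's cookies but not this token.
  if (!drupal_valid_token($token, EXAMPLE_PAGESTYLE_TOKEN_KEY)) {
    watchdog('example_pagestyle', 'Rejected style change: invalid token.', array(), WATCHDOG_NOTICE);
    return FALSE;
  }
  // Constructed list of style names; accept nothing outside it.
  $allowed = array('standard', 'black_white', 'white_black');
  if (!in_array($style, $allowed, TRUE)) {
    return FALSE;
  }
  // Storing the choice in the session is an assumption of this example.
  $_SESSION['example_pagestyle'] = $style;
  return TRUE;
}
```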
