@@ -193,7 +193,10 @@ function get_course_data($from, $number_of_items, $column, $direction, $dataFunc
193
193
);
194
194
$ actions [] = Display::url (
195
195
Display::return_icon ('delete.png ' , get_lang ('Delete ' )),
196
- $ path .'admin/course_list_admin.php?delete_course= ' .$ courseCode ,
196
+ $ path .'admin/course_list_admin.php? ' .http_build_query ([
197
+ 'delete_course ' => $ courseCode ,
198
+ 'sec_token ' => Security::getTokenFromSession (),
199
+ ]),
197
200
[
198
201
'onclick ' => "javascript: if (!confirm(' "
199
202
.addslashes (api_htmlentities (get_lang ('ConfirmYourChoice ' ), ENT_QUOTES ))."')) return false; " ,
@@ -287,7 +290,7 @@ function get_course_visibility_icon($visibility)
287
290
}
288
291
}
289
292
290
- if (isset ($ _POST ['action ' ])) {
293
+ if (isset ($ _POST ['action ' ]) && Security:: check_token ( ' get ' ) ) {
291
294
switch ($ _POST ['action ' ]) {
292
295
// Delete selected courses
293
296
case 'delete_courses ' :
@@ -379,7 +382,7 @@ function get_course_visibility_icon($visibility)
379
382
'name ' => get_lang ('PlatformAdmin ' ),
380
383
];
381
384
$ tool_name = get_lang ('CourseList ' );
382
- if (isset ($ _GET ['delete_course ' ])) {
385
+ if (isset ($ _GET ['delete_course ' ]) && Security:: check_token ( ' get ' ) ) {
383
386
$ result = CourseManager::delete_course ($ _GET ['delete_course ' ]);
384
387
if ($ result ) {
385
388
Display::addFlash (Display::return_message (get_lang ('Deleted ' )));
@@ -460,6 +463,7 @@ function get_course_visibility_icon($visibility)
460
463
);
461
464
462
465
$ parameters = [];
466
+ $ parameters ['sec_token ' ] = Security::get_token ();
463
467
if (isset ($ _GET ['keyword ' ])) {
464
468
$ parameters = ['keyword ' => Security::remove_XSS ($ _GET ['keyword ' ])];
465
469
} elseif (isset ($ _GET ['keyword_code ' ])) {
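Review bot: The `sec_token` entry added to `$parameters` in the last hunk is discarded two lines later, where `$parameters = ['keyword' => Security::remove_XSS($_GET['keyword'])];` replaces the whole array, so whenever a keyword filter is active the token no longer reaches whatever URLs or form action `$parameters` feeds, and the new `Security::check_token('get')` guards in the second and third hunks would then presumably reject legitimate bulk-delete and per-course delete requests from that view (the `keyword_code` branch continues outside the hunk and likely has the same shape). Append to the array instead of reassigning it: `$parameters['keyword'] = Security::remove_XSS($_GET['keyword']);`. Separately, the first hunk reads the token with `Security::getTokenFromSession()` while this hunk uses `Security::get_token()`; if `get_token()` regenerates the session token (not verifiable from this page), the delete links built inside `get_course_data()` only match when they are rendered after that call, so using one accessor in both places removes the ordering dependency. The guard `if (isset($_POST['action']) && Security::check_token('get'))` validates a GET-side token for a POST submission, which only works if the form's action URL carries `sec_token`; a comment such as `// sec_token travels in the form action query string, not in the POST body` would make that contract explicit for the next maintainer.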