I talked briefly with Mattsches about it in our meeting, but have now found the corresponding code: we are doing strange things with GET and POST parameters. In fact, we are basically ignoring the difference in parts of the core. I propose to enable the distinction in our next major version.
In serendipity_config.inc.php, there are these lines:
    // We don't care who tells us what to do.
    // If no 'action' came in via the query string, silently fall back to the
    // POST body, so later code reading $serendipity['GET']['action'] cannot
    // tell which method actually carried the value.
    if (!isset($serendipity['GET']['action'])) {
        $serendipity['GET']['action'] = (isset($serendipity['POST']['action']) ? $serendipity['POST']['action'] : '');
    }
    // Same merge for the admin action.
    if (!isset($serendipity['GET']['adminAction'])) {
        $serendipity['GET']['adminAction'] = (isset($serendipity['POST']['adminAction']) ? $serendipity['POST']['adminAction'] : '');
    }
Also, we are actively using GET requests where we should use POST, for example when confirming the deletion of an image or when adding a comment attribute to the spamblock list. This is critical, because any browser with a prefetch function could trigger actions by accident.
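As an added illustration (not code from Serendipity or from the post above), here is a small dispatcher that puts the merging pattern quoted above beside a variant that only accepts state-changing actions over POST and only with a per-session CSRF token. The action names (`deleteImage`, `addSpamblockAttribute`, `showImage`), the function names and the sample requests are made up for the example; it assumes PHP 7 or later for `??`, `random_bytes()` and `hash_equals()`.

```php
<?php
// Added example, hypothetical names throughout. Shows why merging POST into
// GET is a problem and what the method-aware replacement looks like.

// Pattern from the core: whichever method carried 'action' wins, and the
// caller can no longer tell a prefetched GET from a submitted form.
function action_from_merged_params(array $get, array $post): string
{
    if (!isset($get['action'])) {
        $get['action'] = $post['action'] ?? '';
    }
    return $get['action'];
}

// Hypothetical list of actions that change state and therefore must never
// run on a GET (a prefetching browser, a link preview or an <img> tag can
// issue a GET without the user meaning to).
const MUTATING_ACTIONS = ['deleteImage', 'addSpamblockAttribute'];

// One random token per session; forms include it as a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Method-aware dispatch: mutating actions are read from the POST body only,
// must arrive over POST, and must carry a token matching the session.
function dispatch(string $method, array $get, array $post, array &$session): string
{
    $requested = $get['action'] ?? $post['action'] ?? '';
    if (!in_array($requested, MUTATING_ACTIONS, true)) {
        return 'read-only: ' . ($requested === '' ? 'index' : $requested);
    }
    if ($method !== 'POST' || !isset($post['action'])) {
        return "refused: $requested requires a POST body (got $method)";
    }
    $token = $post['token'] ?? '';
    if ($token === '' || !hash_equals(csrf_token($session), $token)) {
        return "refused: $requested without a valid CSRF token";
    }
    return "performed: {$post['action']}";
}

// Constructed requests for the demo (not captured traffic).
$session = [];
$token = csrf_token($session);
$cases = [
    // Prefetch-style GET with the action in the query string.
    ['GET',  ['action' => 'deleteImage', 'id' => '42'], []],
    // POST from a foreign site: right method, no token.
    ['POST', [], ['action' => 'deleteImage', 'id' => '42']],
    // Legitimate form submission with the session token.
    ['POST', [], ['action' => 'deleteImage', 'id' => '42', 'token' => $token]],
    // Harmless read over GET stays allowed.
    ['GET',  ['action' => 'showImage', 'id' => '42'], []],
];

foreach ($cases as [$method, $get, $post]) {
    printf("%-4s merged='%s' -> %s\n",
        $method,
        action_from_merged_params($get, $post),
        dispatch($method, $get, $post, $session));
}
```

In the first case the merged lookup happily reports `deleteImage` even though nothing was submitted, which is exactly the request a prefetching browser would make; the method-aware dispatcher refuses it, refuses the token-less cross-site POST, and only performs the deletion for the real form post.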