Merge pull request #825 from wrongecho/csrf-stripe

Require CSRF token to edit Stripe settings - thanks to @stehled

post/setting.php

@@ -331,6 +331,7 @@ if (isset($_GET['generate_cron_key'])) {
 
 if (isset($_POST['edit_online_payment_settings'])) {
 
+    validateCSRFToken($_POST['csrf_token']);
     validateAdminRole();
 
     $config_stripe_enable = intval($_POST['config_stripe_enable']);

settings_online_payment.php

@@ -11,6 +11,7 @@ require_once "inc_all_settings.php";
         </div>
         <div class="card-body">
             <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
 
                 <div class="form-group">
                     <div class="custom-control custom-switch">