From 86663fd27c355c38ced04a23b6ad8446f96569be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20FAMIBELLE-PRONZOLA?=
Date: Thu, 17 Jul 2025 09:58:55 +0400
Subject: [PATCH] add CSRF protection for AJAX requests

---
 js/categories.js | 6 ++++++
 js/main.js | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/js/categories.js b/js/categories.js
index 66ce337..eeff00d 100644
--- a/js/categories.js
+++ b/js/categories.js
@@ -22,13 +22,19 @@ document.addEventListener("DOMContentLoaded", () => {
 this.textContent = "Chargement...";
 this.disabled = true;
 
+ // Préparer les données avec token CSRF
+ const formData = new FormData();
+ formData.append('csrf_token', document.querySelector('meta[name="csrf-token"]').getAttribute('content'));
+
 // Faire la requête AJAX
 fetch(
 `ajax/load-more-videos.php?type=category&page=${page}&category=${categoryId}`,
 {
+ method: 'POST',
 headers: {
 "X-Requested-With": "XMLHttpRequest",
 },
+ body: formData
 }
 )
 .then((response) => response.json())
diff --git a/js/main.js b/js/main.js
index 2ea4cb4..d59f4e4 100644
--- a/js/main.js
+++ b/js/main.js
@@ -167,11 +167,17 @@ document.addEventListener('DOMContentLoaded', function() {
 url += `&category=${categoryId}`;
 }
 
+ // Préparer les données avec token CSRF
+ const formData = new FormData();
+ formData.append('csrf_token', document.querySelector('meta[name="csrf-token"]').getAttribute('content'));
+
 // Faire la requête AJAX
 fetch(url, {
+ method: 'POST',
 headers: {
 'X-Requested-With': 'XMLHttpRequest'
- }
+ },
+ body: formData
 })
 .then(response => response.json())
 .then(data => {
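Review bot: The `formData.append('csrf_token', ...)` line dereferences `document.querySelector('meta[name="csrf-token"]')` with no null check, so on any page that does not emit the meta tag the handler throws a TypeError after `this.disabled = true` has already run, leaving the button stuck on "Chargement..." and sending no request. Read the token into a guarded local first, `const csrfToken = document.querySelector('meta[name="csrf-token"]')?.getAttribute('content');`, and when it is missing re-enable the button and return (or surface an explicit error) instead of letting the fetch proceed with an empty token that the server will presumably reject. The same unguarded lookup is repeated in the js/main.js hunk. The enclosing click handler starts and ends outside this hunk.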
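Review bot: Now that the POST carries a `csrf_token` the server can reject, `.then(response => response.json())` still parses the body without looking at `response.ok`, so a token rejection (presumably a 4xx) is either consumed as if it were a normal payload or surfaces as a JSON parse error rather than a recognisable CSRF failure; add `if (!response.ok) throw new Error(`Request failed: ${response.status}`);` ahead of `return response.json();` so the rejection reaches whatever error handling follows. The meta-tag lookup and FormData preparation are also duplicated verbatim between this file and js/categories.js; a single shared helper such as `getCsrfToken()` would keep the selector and the missing-tag handling in one place. The enclosing function continues outside this hunk.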