From da5255e560adc545f94c5383964102129e3ba36b Mon Sep 17 00:00:00 2001
From: Joffrey JAFFEUX
Date: Fri, 7 Jun 2019 16:46:55 +0200
Subject: [PATCH] DEV: prevents csrf-token initializer to leak session object (#7730)

---
 .../discourse/initializers/csrf-token.js.es6 | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/app/assets/javascripts/discourse/initializers/csrf-token.js.es6 b/app/assets/javascripts/discourse/initializers/csrf-token.js.es6
index fd95c274d96..b76a8b734c9 100644
--- a/app/assets/javascripts/discourse/initializers/csrf-token.js.es6
+++ b/app/assets/javascripts/discourse/initializers/csrf-token.js.es6
@@ -1,15 +1,20 @@
 // Append our CSRF token to AJAX requests when necessary.
 export default {
   name: "csrf-token",
-  initialize: function(container) {
-    var session = container.lookup("session:main");
+
+  initialize(container) {
+    const session = container.lookup("session:main");
+
+    const csrfToken = document
+      .querySelector("meta[name=csrf-token]")
+      .getAttribute("content");
 
     // Add a CSRF token to all AJAX requests
-    session.set("csrfToken", $("meta[name=csrf-token]").attr("content"));
+    session.set("csrfToken", csrfToken);
 
-    $.ajaxPrefilter(function(options, originalOptions, xhr) {
+    $.ajaxPrefilter((options, originalOptions, xhr) => {
       if (!options.crossDomain) {
-        xhr.setRequestHeader("X-CSRF-Token", session.get("csrfToken"));
+        xhr.setRequestHeader("X-CSRF-Token", csrfToken);
       }
     });
   }
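Review bot: The prefilter now sends the `csrfToken` value captured once at boot instead of reading `session.get("csrfToken")` on every request, so if any other code later replaces the token on the session (a rotated token after sign-in, for example) every subsequent same-origin request would carry the stale header. That is worth confirming against whatever sets `csrfToken` elsewhere, or at least pinning with a comment above the `$.ajaxPrefilter` call such as `// Token is read once at boot; anything that rotates it must also update the header sent here`. Separately, `document.querySelector("meta[name=csrf-token]").getAttribute("content")` throws a TypeError when the meta tag is missing, whereas the replaced `$(...).attr("content")` yielded undefined, so the initializer now aborts boot on a page without the tag; a null check on the querySelector result would keep the old tolerance if that is intended. The hunk ends at the closing brace of `initialize`; the object literal it belongs to continues outside the hunk.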