Remove invalid CSRF HTML meta tag

template/functions.go

@@ -75,7 +75,7 @@ func (f *funcMap) Map() template.FuncMap {
 		"contains": func(str, substr string) bool {
 			return strings.Contains(str, substr)
 		},
-		"replace": func(str, old string, new string) string {
+		"replace": func(str, old, new string) string {
 			return strings.Replace(str, old, new, 1)
 		},
 		"isodate": func(ts time.Time) string {
@@ -86,7 +86,7 @@ func (f *funcMap) Map() template.FuncMap {
 		},
 		"icon": func(iconName string) template.HTML {
 			return template.HTML(fmt.Sprintf(
-				`<svg class="icon" aria-hidden="true"><use xlink:href="%s#icon-%s"></svg>`,
+				`<svg class="icon" aria-hidden="true"><use xlink:href="%s#icon-%s"/></svg>`,
 				route.Path(f.router, "appIcon", "filename", "sprite.svg"),
 				iconName,
 			))

template/templates/common/layout.html

@@ -29,20 +29,17 @@
     <link rel="apple-touch-icon" sizes="167x167" href="{{ route "appIcon" "filename" "icon-167.png" }}">
     <link rel="apple-touch-icon" sizes="180x180" href="{{ route "appIcon" "filename" "icon-180.png" }}">
 
-    {{ if .csrf }}
-        <meta name="X-CSRF-Token" value="{{ .csrf }}">
-    {{ end }}
-
     <meta name="theme-color" content="{{ theme_color .theme }}">
     <link rel="stylesheet" type="text/css" href="{{ route "stylesheet" "name" .theme }}?{{ .theme_checksum }}">
     {{ if and .user .user.Stylesheet }}
     <link rel="stylesheet" type="text/css" href="{{ route "stylesheet" "name" "custom_css" }}?{{ rand }}">
     {{ end }}
 
-    <script type="text/javascript" src="{{ route "javascript" "name" "app" }}?{{ .app_js_checksum }}" defer></script>
+    <script src="{{ route "javascript" "name" "app" }}?{{ .app_js_checksum }}" defer></script>
-    <script type="text/javascript" src="{{ route "javascript" "name" "service-worker" }}?{{ .sw_js_checksum }}" defer id="service-worker-script"></script>
+    <script src="{{ route "javascript" "name" "service-worker" }}?{{ .sw_js_checksum }}" defer id="service-worker-script"></script>
 </head>
 <body
+    {{ if .csrf }}data-csrf-token="{{ .csrf }}"{{ end }}
     data-entries-status-url="{{ route "updateEntriesStatus" }}"
     data-refresh-all-feeds-url="{{ route "refreshAllFeeds" }}"
     {{ if .user }}{{ if not .user.KeyboardShortcuts }}data-disable-keyboard-shortcuts="true"{{ end }}{{ end }}>

ui/static/js/request_builder.js

@@ -30,9 +30,9 @@ class RequestBuilder {
     }
 
     getCsrfToken() {
-        let element = document.querySelector("meta[name=X-CSRF-Token]");
+        let element = document.querySelector("body[data-csrf-token");
         if (element !== null) {
-            return element.getAttribute("value");
+            return element.dataset.csrfToken;
         }
 
         return "";