add csrf token header to jquery requests

admin_plans.php

@@ -263,7 +263,7 @@ if ($page == '' || $page == 'overview') {
 			}
 		}
 	} elseif ($action == 'jqGetPlanValues') {
-		$planid = isset($_POST['planid']) ? (int)$_POST['planid'] : 0;
+		$planid = (int)Request::get('planid', 0);
 		try {
 			$json_result = HostingPlans::getLocal($userinfo, [
 				'id' => $planid

lib/init.php

@@ -317,7 +317,7 @@ if (CurrentUser::hasSession()) {
 	$new_token = Froxlor::genSessionId(20);
 	UI::twig()->addGlobal('csrf_token', $new_token);
 	if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-		$current_token = $_POST['csrf_token'];
+		$current_token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
 		if ($current_token != CurrentUser::getField('csrf_token')) {
 			Response::dynamicError('CSRF validation failed');
 		}

templates/Froxlor/base.html.twig

@@ -7,6 +7,7 @@
 	<meta name="robots" content="noindex, nofollow, noarchive"/>
 	<meta name="googlebot" content="nosnippet"/>
 	<link rel="icon" type="image/x-icon" href="{{ basehref|default('') }}templates/Froxlor/assets/img/icon.png">
+	<meta name="csrf-token" content="{{ csrf_token }}" />
 
 	<!-- CSS -->
 	{% if theme_css is empty %}

templates/Froxlor/src/js/main.js

@@ -11,6 +11,12 @@ window.Chart = Chart;
 $(function () {
 	window.$theme = 'Froxlor';
 
+	$.ajaxSetup({
+		headers: {
+			'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
+		}
+	});
+
 	const tooltipTriggerList = [].slice.call(document.querySelectorAll('[data-bs-toggle="tooltip"]'))
 	const tooltipList = tooltipTriggerList.map(function (tooltipTriggerEl) {
 		return new bootstrap.Tooltip(tooltipTriggerEl)