Experts, please help.
https://drive.google.com/file/d/1doGynuNSejJcK2z-3fZSKvYMNV0L4AO3/view?usp=sharing
What is the use of AddAntiForgeryToken in public.common.js?
See the sample code below, copied from the Response view of the Developer Tools.
1 $("#AddComment").on("click", function () {
2     var postData = {
3         vendorId: '3',
4         productId: '66',
5         custComment: $("#txtComments").val(),
6     };
7     addAntiForgeryToken(postData);
      $.ajax({
      });
  });
From lines 2-5 the values to be posted are already exposed, and then addAntiForgeryToken is called. This function is used in the same way on other pages such as Public.cshtml.
Where is nopCommerce's security when passing/posting data using AJAX, since the values, as we can see in the response, are already exposed? This is extremely dangerous.
Anybody
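As an added illustration (not nopCommerce's own code and not from this post), the sketch below models what a helper like addAntiForgeryToken does on the client and what the server does with the token, which is why vendorId and productId being visible in the response is not what the token protects against. Assumed: the hidden input is named __RequestVerificationToken (ASP.NET's default), and a simplified comparison against the session's token stands in for the real ASP.NET antiforgery validation.

```javascript
// Constructed stand-in for the page DOM: the server renders the antiforgery
// token into a hidden input. In the real page jQuery reads it with
// $('input[name=__RequestVerificationToken]'); here it is a plain object.
function makePage(token) {
  return { hiddenInputs: { __RequestVerificationToken: token } };
}

// Client side: copy the page's token into the object about to be POSTed.
// Nothing here is secret from the user; the point is that a page on another
// origin cannot read this value out of the victim's session.
function addAntiForgeryToken(postData, page) {
  const data = postData || {};
  const token = page.hiddenInputs.__RequestVerificationToken;
  if (token) {
    data.__RequestVerificationToken = token;
  }
  return data;
}

// Server side (simplified, assumption): accept the request only when the
// token in the body matches the token bound to this caller's session.
// Knowing vendorId/productId/custComment is not enough to pass this check.
function validateRequest(sessionToken, body) {
  const submitted = body && body.__RequestVerificationToken;
  if (typeof submitted !== 'string' || typeof sessionToken !== 'string') {
    return false;
  }
  if (submitted.length !== sessionToken.length) {
    return false;
  }
  // Constant-time comparison so timing does not leak how many bytes matched.
  let diff = 0;
  for (let i = 0; i < sessionToken.length; i++) {
    diff |= sessionToken.charCodeAt(i) ^ submitted.charCodeAt(i);
  }
  return diff === 0;
}

// Walk through the same POST the question shows, with a constructed token.
function demo() {
  const page = makePage('constructed-token-for-session-A');
  const body = addAntiForgeryToken(
    { vendorId: '3', productId: '66', custComment: 'nice product' }, page);
  const forged = { vendorId: '3', productId: '66', custComment: 'spam' };
  return {
    genuine: validateRequest('constructed-token-for-session-A', body),
    forged: validateRequest('constructed-token-for-session-A', forged),
  };
}
```

The exposed field values are just the request's payload; the server only trusts a request whose token matches the one it issued to that session.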