From f4fcf94b1a15eb97164b9d15c8b58ec974adb7e3 Mon Sep 17 00:00:00 2001
From: Kyle Drake
Date: Tue, 15 Apr 2025 15:34:47 -0500
Subject: [PATCH] no csrf_token for create
---
 app.rb | 4 +++-
 views/index.erb | 1 -
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/app.rb b/app.rb
index e68aef71..01b5439d 100644
--- a/app.rb
+++ b/app.rb
@@ -69,6 +69,8 @@ def redirect_to_internet_archive_for_geocities_sites
 end
 end
+WHITELISTED_POST_PATHS = ['/create_validate_all', '/create_validate', '/create'].freeze
+
 before do
 if request.path.match /^\/api\//i
 @api = true
@@ -83,7 +85,7 @@ before do
 redirect '/tutorial/html/1'
 else
 content_type :html, 'charset' => 'utf-8'
- redirect '/' if request.post? && !csrf_safe?
+ redirect '/' if request.post? && !WHITELISTED_POST_PATHS.include?(request.path_info) && !csrf_safe?
 end
 if params[:page]
diff --git a/views/index.erb b/views/index.erb
index 3302ce6f..7ae0c668 100644
--- a/views/index.erb
+++ b/views/index.erb
@@ -91,7 +91,6 @@ <% else %>
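Review bot: `WHITELISTED_POST_PATHS` does not say what these paths are exempted from, and the constant carries no comment, although the second hunk uses it to skip `csrf_safe?` in the `before` filter. A name that states the exemption, such as `CSRF_EXEMPT_POST_PATHS`, together with a comment like `# POST routes that bypass csrf_safe?; every entry accepts cross-origin form posts, so keep this list minimal`, would make the security impact visible to whoever appends a path later.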
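Review bot: With `/create` in the exemption list, the changed `redirect '/'` line accepts an account-creation POST from a form hosted on any other origin, and nothing visible in this hunk replaces the token with another same-origin check. If `/create` also signs the browser into the new account (not visible here), a visitor could end up working inside an account someone else controls. A compensating check for the exempt paths is small, for example `halt 403 if WHITELISTED_POST_PATHS.include?(request.path_info) && request.env['HTTP_SEC_FETCH_SITE'] == 'cross-site'` ahead of the redirect; clients that omit the header would still pass, so comparing `request.env['HTTP_ORIGIN']` with the site's own origin is the fallback. The `before` block starts and ends outside this hunk.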
-

Sign up for free