Fixes #4010 not sending naked query strings into add ajax tokens and also fixed a few related bugs in JavaScript

1 files changed, 5 insertions, 1 deletions

diff --git a/js/lib/ajax.js b/js/lib/ajax.js
index 6f6ae052f..b3f39cc42 100644
--- a/js/lib/ajax.js
+++ b/js/lib/ajax.js
@@ -187,7 +187,11 @@ elgg.action = function(action, options) {
 
 	options = elgg.ajax.handleOptions(action, options);
 
-	options.data = elgg.security.addToken(options.data);
+	// This is a misuse of elgg.security.addToken() because it is not always a
+	// full query string with a ?. As such we need a special check for the tokens.
+	if (!elgg.isString(options.data) || options.data.indexOf('__elgg_ts') == -1) {
+		options.data = elgg.security.addToken(options.data);
+	}
 	options.dataType = 'json';
 
 	//Always display system messages after actions