From e80b0d4570f8d0193e36af8d4213ca55e9a9b4c0 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Tue, 27 May 2025 01:03:05 +0900
Subject: [PATCH] Remove duplicate CSRF token from AJAX requests

---
 common/js/common.js | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/common/js/common.js b/common/js/common.js
index cf0c0136d..bc23964f2 100644
--- a/common/js/common.js
+++ b/common/js/common.js
@@ -441,11 +441,16 @@ Rhymix.ajax = function(action, params, success, error) {
 }
 */

- // Add a CSRF token.
- const headers = {};
- if (action !== null) {
- headers['X-CSRF-Token'] = getCSRFToken();
+ // Add a CSRF token to the header, and remove it from the parameters
+ const headers = {
+ 'X-CSRF-Token': getCSRFToken()
 };
+ if (isFormData && params.has('_rx_csrf_token') && params.get('_rx_csrf_token') === headers['X-CSRF-Token']) {
+ params.delete('_rx_csrf_token');
+ }
+ if (typeof params._rx_csrf_token !== 'undefined' && params._rx_csrf_token === headers['X-CSRF-Token']) {
+ delete params._rx_csrf_token;
+ }

 // Generate AJAX parameters
 const args = {
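Review bot: The new `headers` literal attaches `X-CSRF-Token` to every call, whereas the removed lines only set it under `if (action !== null)`. If Rhymix.ajax can be pointed at a URL outside this site when `action` is null (that branch is outside the hunk, so this is an assumption to confirm), the session's CSRF token would ride along on a request that has no use for it. Either keep the guard, e.g. `const headers = action !== null ? { 'X-CSRF-Token': getCSRFToken() } : {};`, or add a comment stating that dropping it is deliberate and why it is safe. The second check also reads `params._rx_csrf_token` without the `isFormData` test, so it would throw if `params` can be null or undefined at this point; `else if (params && typeof params._rx_csrf_token !== 'undefined' && ...)` covers both cases. The function body starts and ends outside the hunk.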