From 7f0ddd931cdbffab94963e446317692361900965 Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Fri, 4 Feb 2022 17:20:48 +0100
Subject: [PATCH 1/3] Form: Create CSRFTokens in way that ensures id uniqueness
---
 library/Icinga/Web/Form.php | 2 +-
 library/Icinga/Web/Form/Element/CsrfCounterMeasure.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/Icinga/Web/Form.php b/library/Icinga/Web/Form.php
index bc7f44457..376c7e279 100644
--- a/library/Icinga/Web/Form.php
+++ b/library/Icinga/Web/Form.php
@@ -1085,7 +1085,7 @@ class Form extends Zend_Form
 return $this;
 }
 if ($this->getElement($this->tokenElementName) === null) {
- $this->addElement(new CsrfCounterMeasure($this->tokenElementName));
+ $this->addElement('CsrfCounterMeasure', $this->tokenElementName);
 }
 }
 return $this;
diff --git a/library/Icinga/Web/Form/Element/CsrfCounterMeasure.php b/library/Icinga/Web/Form/Element/CsrfCounterMeasure.php
index d7c31222c..c59e1f91c 100644
--- a/library/Icinga/Web/Form/Element/CsrfCounterMeasure.php
+++ b/library/Icinga/Web/Form/Element/CsrfCounterMeasure.php
@@ -40,7 +40,7 @@ class CsrfCounterMeasure extends FormElement
 */
 public function init()
 {
- $this->addDecorator('ViewHelper');
+ $this->setDecorators(['ViewHelper']);
 $this->setValue($this->generateCsrfToken());
 }
From 4f501a89f56d5eb9bd0837e7433e327ebec3ac3b Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Fri, 4 Feb 2022 17:21:41 +0100
Subject: [PATCH 2/3] monitoring: Avoid duplicate ids for check now and remove ack forms
---
 .../views/scripts/partials/object/quick-actions.phtml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/monitoring/application/views/scripts/partials/object/quick-actions.phtml b/modules/monitoring/application/views/scripts/partials/object/quick-actions.phtml
index 5200923b9..415d44f4a 100644
--- a/modules/monitoring/application/views/scripts/partials/object/quick-actions.phtml
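Review bot: Neither the `addElement('CsrfCounterMeasure', $this->tokenElementName)` call in Form.php nor the `setDecorators(['ViewHelper'])` call in the CsrfCounterMeasure.php hunk says why the previous form was wrong, so either could later be "simplified" back to `new CsrfCounterMeasure(...)` or `addDecorator(...)`. Going by the commit subject the intent is unique element ids, presumably because the form now builds the token element itself; a short comment at each site would preserve that, e.g. `// Created by type name so the form builds the element; keeps its id unique` and `// Replace rather than append: the token field renders with ViewHelper only`. Because the element class is now resolved from a type name at runtime instead of by the `new` expression, a test asserting that a rendered form still contains the token element would catch a resolution failure on this CSRF path. Both enclosing methods start outside their hunks, so the surrounding conditions are not visible here.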
+++ b/modules/monitoring/application/views/scripts/partials/object/quick-actions.phtml
@@ -4,6 +4,7 @@
  • setName('quickAction_' . $removeAckForm->getName()); // Avoids id duplication $removeAckForm->setLabelEnabled(true); echo $removeAckForm; ?> @@ -42,6 +43,7 @@
  • + setName('quickAction_' . $checkNowForm->getName()); // Avoids id duplication ?>
  • hasPermission('monitoring/command/comment/add')): ?>
From fe6be6a107bcc27cef3fdeb4e2641a6219af16a4 Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Fri, 4 Feb 2022 17:22:16 +0100
Subject: [PATCH 3/3] js: Only use ids in Utils.getCSSPath() if they're truly unique
---
 public/js/icinga/utils.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/public/js/icinga/utils.js b/public/js/icinga/utils.js
index a365be753..0168b97b9 100644
--- a/public/js/icinga/utils.js
+++ b/public/js/icinga/utils.js
@@ -373,8 +373,8 @@
 while (true) {
 var id = element.id;
- // Ignore forms and form controls because id generation is unreliable :(
- if (id && ! element.form && ! (element instanceof HTMLFormElement)) {
+ // Only use ids if they're truly unique
+ if (!! id && document.querySelectorAll('* #' + id).length === 1) {
 path.push('#' + id);
 break;
 }
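Review bot: The new condition concatenates `id` into a selector unescaped, so an id containing characters that are special in CSS (a dot, colon, bracket, or a leading digit) makes `querySelectorAll` throw a SyntaxError or match a different element, whereas the old condition never built a selector for the check. The raw id is also what gets pushed as `'#' + id`, so the returned path carries the same problem, and forms and form controls are no longer excluded from it. Escaping once and reusing the result covers both lines: `var sel = '#' + CSS.escape(id);` then `if (!! id && document.querySelectorAll('* ' + sel).length === 1) {` and `path.push(sel);`, assuming `CSS.escape` is available in the browsers this file targets. The enclosing function starts and ends outside the hunk, so how the path is consumed is not visible here.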