diff msitegen.inc.php @ 359:f7a806d5060f
Add preliminary code for CSRF prevention via unique hash tokens. Not fully
implemented yet.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Tue, 03 Dec 2013 10:58:46 +0200 |
parents | 7e906c827e68 |
children | 38dfe9e0a017 |
--- a/msitegen.inc.php Tue Dec 03 10:31:37 2013 +0200
+++ b/msitegen.inc.php Tue Dec 03 10:58:46 2013 +0200
@@ -245,10 +245,15 @@
 function stGetFormStart($name, $action = "", $method = "post")
 {
- return
+ $str =
 "<form name=\"".$name."\" action=\"".
 ($action != "" ? $action : $name).
 "\" method=\"".$method."\">\n";
+
+ if (($csrfID = stGetSessionItem("csrfID", FALSE)) !== FALSE)
+ $str .= stGetFormHiddenInput("csrfID", $csrfID)."\n";
+
+ return $str;
 }
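Review bot: A form rendered before the session holds a csrfID goes out without the hidden field, because the new `if` only emits the token when `stGetSessionItem("csrfID", FALSE)` returns something; the server-side check the description says is still to come must therefore treat a missing or mismatched token as a hard failure, never as "protection not configured". Consider creating the token at this point when the session lookup returns `FALSE`, so every form carries one, and make sure the value comes from a cryptographic random source and is compared on submission with `hash_equals()`. Whether `stGetFormHiddenInput()` escapes its value is not visible in this hunk; the token is server-generated so that risk is small, but the pre-existing `$name` and `$action` are still concatenated raw into attribute values and would benefit from `htmlspecialchars()` on the same lines. A comment above the `if`, such as `// Embed the session CSRF token; the submit handler must reject requests that lack or mismatch it`, would document the intent for the part that is not yet implemented.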