diff msitegen.inc.php @ 359:f7a806d5060f

Add preliminary code for CSRF prevention via unique hash tokens. Not fully implemented yet.
author Matti Hamalainen <ccr@tnsp.org>
date Tue, 03 Dec 2013 10:58:46 +0200
parents 7e906c827e68
children 38dfe9e0a017
--- a/msitegen.inc.php	Tue Dec 03 10:31:37 2013 +0200
+++ b/msitegen.inc.php	Tue Dec 03 10:58:46 2013 +0200
@@ -245,10 +245,15 @@
 
 function stGetFormStart($name, $action = "", $method = "post")
 {
-  return
+  $str =
     "<form name=\"".$name."\" action=\"".
     ($action != "" ? $action : $name).
     "\" method=\"".$method."\">\n";
+
+  if (($csrfID = stGetSessionItem("csrfID", FALSE)) !== FALSE)
+    $str .= stGetFormHiddenInput("csrfID", $csrfID)."\n";
+  
+  return $str;
 }