Fix broken secret-detection algorithm, which left anonymous users vulnerable.
<?php

/**
 * Start-up hook for csrf-magic.
 *
 * csrf-magic.php is included right after this definition; the library is
 * expected to call csrf_startup() during its own initialisation so that this
 * page can adjust configuration before any output rewriting or token checking
 * takes place.
 *
 * Two settings are made here:
 *  - 'rewrite-js' names the client-side helper script (csrf-magic.js) that lets
 *    forms and XMLHttpRequests created from JavaScript carry the token.
 *  - 'rewrite' is switched off for the AJAX probe (a POST carrying an `ajax`
 *    field), because that request is answered with a bare XML document which
 *    must not have HTML rewriting applied to it.
 */
function csrf_startup() {
    csrf_conf('rewrite-js', 'csrf-magic.js');

    $servingAjaxProbe = isset($_POST['ajax']);
    if ($servingAjaxProbe) {
        csrf_conf('rewrite', false);
    }
}
include dirname(__FILE__) . '/csrf-magic.php';

// AJAX probe. The script at the bottom of this page POSTs `ajax=yes` through
// the CsrfMagic XMLHttpRequest wrapper. Having got past the include above
// (assuming csrf-magic.php stops requests whose token fails validation, as the
// "fails CSRF validation" form further down relies on), a short XML reply is
// enough to show that the wrapper supplied a valid token -- emit it and stop
// before any HTML is produced. Every other request falls through to the page.
$isAjaxProbe = isset($_POST['ajax']);
if ($isAjaxProbe) {
    header('Content-type: text/xml;charset=utf-8');
    echo '<?xml version="1.0" encoding="UTF-8" ?><response>Good!</response>';
    exit;
}

?>
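<html lang="en">
<head>
<!-- Declare the encoding explicitly so that the browser and the server-side
     escaping further down agree on it. Without a declared charset a sniffing
     browser may decode the reflected POST dump differently from what
     htmlspecialchars assumed when it escaped it. -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Test page for csrf-magic</title>
</head>
<body>
<h1>Test page for csrf-magic</h1>
<p>
This page might be vulnerable to CSRF, but never fear: csrf-magic is here!
Close by: <a href="js-test/all.php">tests for Internet Explorer support with
all the major JavaScript libraries!</a>
</p>
<?php if ($_SERVER['REQUEST_METHOD'] === 'POST') { ?>
<!-- Reflect the submitted POST fields so the reader can see the hidden
     __csrf_magic token that csrf-magic is expected to add to each form.
     The dump is attacker-controlled text, so it is escaped for the HTML
     body; ENT_QUOTES and UTF-8 are spelled out rather than relying on the
     PHP-version-dependent defaults. -->
<p>Post data:</p>
<pre>
<?php echo htmlspecialchars(var_export($_POST, true), ENT_QUOTES, 'UTF-8'); ?>
</pre>
<?php } ?>
<!-- Two ordinary POST forms. csrf-magic rewrites the page output and
     (presumably) injects its hidden token field into each; the second one
     uses upper-case tags and odd spacing, which the rewriter must still
     recognise. -->
<form action="" method="post">
Form field: <input type="text" name="foobar" /><br />
<input type="submit" value="Submit" />
</form>
<FORM METHOD = "POST" ACTION="">
Another form field! <INPUT TYPE="TEXT" NAME="BARFOO" /><BR />
<INPUT TYPE="SUBMIT" value="Submit 2" />
</FORM>
<!-- Negative test: the submit button is itself named __csrf_magic, so its
     "invalid" value arrives after (and overrides) the injected token and the
     request must be rejected. -->
<form action="" method="post">
This form fails CSRF validation (we cheated and overrode the CSRF token
later in the form.) <input type="submit" name="__csrf_magic" value="invalid" />
</form>
<!-- GET requests are not token-checked: csrf-magic protects POSTs only, so a
     GET handler must never change state. -->
<form action="" method="get">
This form uses GET and is thus not protected.
<input type="submit" name="foo" value="Submit" />
</form>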
53 <script type="text/javascript">
54 //<![CDATA[
55 document.writeln('<for'+'m action="" method="post">Dynamically generated form: <input type="submit" /></form>');
56 //]]>
57 </script>
58 <textarea id="js-output" cols="80" rows="2"></textarea>
<script type="text/javascript">
//<![CDATA[
// Round-trip a POST through csrf-magic's CsrfMagic wrapper around
// XMLHttpRequest (provided by csrf-magic.js) and show the server's reply in
// the textarea above. The body carries `ajax=yes`, which the PHP at the top of
// this file answers with a one-line XML document rather than the HTML page.
var params = 'ajax=yes&var=foo';
var http = new CsrfMagic();

http.open('POST', 'test.php', true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
// NOTE(review): this is the length of `params` before the wrapper appends the
// CSRF token, and browsers treat Content-Length and Connection as forbidden
// XMLHttpRequest headers -- presumably the wrapper intercepts the value or the
// browser drops it; confirm against csrf-magic.js before relying on it.
http.setRequestHeader('Content-length', params.length);
http.setRequestHeader('Connection', 'close');
http.onreadystatechange = function () {
    // Runs on every readyState change; the last transition carries the
    // complete responseText, so the final write is the one that sticks.
    document.getElementById('js-output').value = 'Ajax: ' + http.responseText;
};
http.send(params);
//]]>
</script>
</body>
</html>