/**
 * Configuration hook for csrf-magic, defined before the library is included.
 *
 * Sets the 'rewrite-js' option to 'csrf-magic.js' and, when the request
 * carries an 'ajax' POST field (the page's own AJAX probe), sets the
 * 'rewrite' option to false.
 *
 * NOTE(review): presumably the library invokes this hook while loading —
 * confirm against csrf-magic.php.
 */
function csrf_startup() {
    csrf_conf('rewrite-js', 'csrf-magic.js');

    $isAjaxProbe = isset($_POST['ajax']);
    if ($isAjaxProbe) {
        csrf_conf('rewrite', false);
    }
}
// Load the csrf-magic library from the directory this test page lives in.
// NOTE(review): csrf_startup() above is defined before this include and the
// library presumably calls it during loading — confirm in csrf-magic.php.
include dirname(__FILE__) . '/csrf-magic.php';
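// Handle an AJAX request: answer the page's own probe with a tiny XML document.
if (isset($_POST['ajax'])) {
    header('Content-type: text/xml;charset=utf-8');
    echo '<?xml version="1.0" encoding="UTF-8" ?><response>Good!</response>';
    // Stop here: anything emitted after this point (the HTML page that
    // follows) would be appended to the XML body and make it unparseable.
    exit;
}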
<title>Test page for csrf-magic</title>
<h1>Test page for csrf-magic</h1>
This page might be vulnerable to CSRF, but never fear: csrf-magic is here!
Close by: <a href="js-test/all.php">tests for Internet Explorer support with all the major JavaScript libraries!</a>
<?php if ('POST' === $_SERVER['REQUEST_METHOD']) { ?>
<?php
// Show the submitted fields for inspection. The var_export() dump is passed
// through htmlspecialchars() before printing, so posted values cannot inject
// markup into this page.
print htmlspecialchars(var_export($_POST, true));
?>
<form action="" method="post">
Form field: <input type="text" name="foobar" /><br />
<input type="submit" value="Submit" />
<FORM METHOD= "POST" ACTION="">
Another form field! <INPUT TYPE="TEXT" NAME="BARFOO" /><BR />
<INPUT TYPE="SUBMIT" value="Submit 2" />
<form action="" method="post">
This form fails CSRF validation (we cheated and overrode the CSRF token
later in the form.) <input type="submit" name="__csrf_magic" value="invalid" />
<form action="" method="get">
This form uses GET and is thus not protected.
<input type="submit" name="foo" value="Submit" />
51 How about some JavaScript?
<script type="text/javascript">
// Writes a POST form into the page at load time.
// NOTE(review): the '<for'+'m' split looks deliberate — presumably so the
// literal does not match a server-side "<form" rewrite and the client-side
// (csrf-magic.js) path is what gets exercised; confirm before joining it.
document.writeln('<for'+'m action="" method="post">Dynamically generated form: <input type="submit" /></form>');
<textarea id="js-output" cols="80" rows="2"></textarea>
59 <script type
="text/javascript">
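// Send the page's own AJAX probe (ajax=yes) through the CsrfMagic wrapper;
// the response is shown in the js-output textarea by the handler below.
// NOTE(review): CsrfMagic is presumably the XMLHttpRequest wrapper from
// csrf-magic.js that attaches the token — confirm there.
var params = 'ajax=yes&var=foo';  // 'var' added: the assignment previously created an implicit global
var http = new CsrfMagic();
http.open('POST', 'test.php', true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// Content-length and Connection are headers that current browsers refuse to let
// scripts set; presumably kept here for older engines — harmless otherwise.
http.setRequestHeader("Content-length", params.length);
http.setRequestHeader("Connection", "close");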
67 http
.onreadystatechange
= function () {
68 document
.getElementById('js-output').value
= 'Ajax: ' + http
.responseText
;