Release 1.0.5.
[csrf-magic.git] / test.php
blob3e5f4610eecec17b997d544ef59b1ae745384ee2
1 <?php
3 function csrf_startup() {
4 csrf_conf('rewrite-js', 'csrf-magic.js');
5 if (isset($_POST['ajax'])) csrf_conf('rewrite', false);
7 include dirname(__FILE__) . '/csrf-magic.php';
9 // Handle an AJAX request
10 if (isset($_POST['ajax'])) {
11 header('Content-type: text/xml;charset=utf-8');
12 echo '<?xml version="1.0" encoding="UTF-8" ?><response>Good!</response>';
13 exit;
17 <html lang="en">
18 <head>
19 <title>Test page for csrf-magic</title>
20 </head>
21 <body>
22 <h1>Test page for csrf-magic</h1>
23 <p>
24 This page might be vulnerable to CSRF, but never fear: csrf-magic is here!
25 Close by: <a href="js-test/all.php">tests for Internet Explorer support with
26 all the major JavaScript libraries!</a>
27 </p>
28 <?php if ($_SERVER['REQUEST_METHOD'] == 'POST') { ?>
29 <p>Post data:</p>
30 <pre>
31 <?php echo htmlspecialchars(var_export($_POST, true)); ?>
32 </pre>
33 <?php } ?>
34 <form action="" method="post">
35 Form field: <input type="text" name="foobar" /><br />
36 <input type="submit" value="Submit" />
37 </form>
38 <FORM METHOD = "POST" ACTION="">
39 Another form field! <INPUT TYPE="TEXT" NAME="BARFOO" /><BR />
40 <INPUT TYPE="SUBMIT" value="Submit 2" />
41 </FORM>
42 <form action="" method="post">
43 This form fails CSRF validation (we cheated and overrode the CSRF token
44 later in the form.) <br />
45 <input type="text" name="foobar[2]" />
46 <input type="submit" name="__csrf_magic" value="invalid" />
47 </form>
48 <form action="" method="get">
49 This form uses GET and is thus not protected.
50 <input type="submit" name="foo" value="Submit" />
51 </form>
52 <p>
53 How about some JavaScript?
54 </p>
55 <script type="text/javascript">
56 //<![CDATA[
57 document.writeln('<for'+'m action="" method="post">Dynamically generated form: <input type="submit" /></form>');
58 //]]>
59 </script>
60 <textarea id="js-output" cols="80" rows="2"></textarea>
61 <script type="text/javascript">
62 //<![CDATA[
63 params = 'ajax=yes&var=foo';
64 var http = new CsrfMagic();
65 http.open('POST', 'test.php', true);
66 http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
67 http.setRequestHeader("Content-length", params.length);
68 http.setRequestHeader("Connection", "close");
69 http.onreadystatechange = function () {
70 document.getElementById('js-output').value = 'Ajax: ' + http.responseText;
72 http.send(params);
73 //]]>
74 </script>
75 </body>
76 </html>