function preview()
 {
     $vars = $_GET;
     $vars['previewOnly'] = true;
     $vars['display'] = 'overview';
     $vars['bitcoinAddress'] = $vars['address'];
     $vars['goal'] = new Amount($_GET['currency'], (double) $_GET['goal']);
     $vars['raised'] = new Amount($_GET['currency'], (double) at($_GET, 'raised', $vars['goal']->numUnits / 4));
     $this->setAltCurrencyValues($vars['goal'], $vars['raised'], $vars);
     $vars['progressPercent'] = $vars['raised']->numUnits / $vars['goal']->numUnits * 100;
     $ds = Widgets\allowedSizes();
     $vars['width'] = at($_GET, 'width', $ds[0]->width);
     $vars['height'] = at($_GET, 'height', $ds[0]->height);
     $vars['color'] = at($_GET, 'color', Widgets\defaultColor());
     $vars['widgetID'] = null;
     return $this->renderWidgetArr($vars);
 }
 private function getWidget()
 {
     if (isset($_GET['w'])) {
         # Looks like we're editing a widget...
         $user = $this->getActiveUser();
         if (empty($user)) {
             $_SESSION['authenticationRequired'] = true;
             return $this->redirect("/account/signin");
         } else {
             $w = Widget::getByOwnerAndID($user, $_GET['w']);
             $this->storeWidgetInSession($w);
             return $w;
         }
     } else {
         $w = at($_SESSION, 'unsaved-widget', null);
         if (isset($w) && isset($w->ownerID) && empty($this->user)) {
             $this->clearWidgetInSession();
             $w = null;
         }
         if (empty($w)) {
             $w = new Widget();
         }
         $w->color = Widgets\defaultColor();
         $w->width = Widgets\defaultSize()->width;
         $w->height = Widgets\defaultSize()->height;
         return $w;
     }
 }
 /**
  * Here we aim to assert we're not vulnerable to "CSRF" attacks. We do this simply by
  * asserting a "raw" POST request will not be accepted for widget editing, as this should
  * indicate the server is requiring some sort of "nonce" or "token" for accepting any
  * form submission. More on CSRF here:
  * https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
  */
 function testResilienceToCrossSiteRequestForgeryAttack()
 {
     $w = getWidget($this->user);
     $this->get("/widget-wiz/step-one?w={$w->id}");
     try {
         $this->post("/widget-wiz/step-one", array('title' => 'Hijacked', 'goal' => '1000', 'currency' => 'USD', 'ending' => "12/15/2020", 'bitcoinAddress' => '1E3FqrQTZSvTUdw7qZ4NnZppqiqnqqNcUN'));
     } catch (UnexpectedHttpResponseCode $_) {
         /* That will do... */
     }
     try {
         $this->post("/widget-wiz/step-two", array('about' => 'Show me the money!', 'color' => Widgets\defaultColor(), 'size' => (string) Widgets\defaultSize()));
     } catch (UnexpectedHttpResponseCode $_) {
         /* That's good... */
     }
     $widgetNow = Widget::getByID($w->id);
     assertNotEqual('Hijacked', $widgetNow->title);
     assertNotEqual('1E3FqrQTZSvTUdw7qZ4NnZppqiqnqqNcUN', $widgetNow->bitcoinAddress);
     assertNotEqual('Show me the money!', $widgetNow->about);
 }