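*/
require_once 'lib/common.php';
use PDOException;

class MyPage extends Page
{
    /**
     * Render the single-field form.
     *
     * The previously posted value of `field` is reflected back into the
     * input's value attribute, so it is HTML-escaped first; the form action
     * is built from PHP_SELF, which echoes the request path and therefore
     * gets the same treatment. Both were emitted raw before, which is a
     * reflected-XSS sink.
     */
    protected function request()
    {
        // Only accept a scalar string; a `field[]` submission would otherwise
        // interpolate as "Array" with a warning.
        $val = (isset($_POST['field']) && is_string($_POST['field'])) ? $_POST['field'] : '';
        $self = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';

        // Attribute context: ENT_QUOTES escapes the single quote that
        // delimits the attribute, ENT_SUBSTITUTE avoids an empty result on
        // malformed UTF-8.
        $safeVal = htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $safeAction = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

        echo <<<EOT
<form action='{$safeAction}' method=post accept-charset=UTF-8>
<input type=text name=field size=115 value='{$safeVal}'>
<input type=submit name=action_go value=Submit>
</form>
<!--
<button type=button onclick='window.location= "member.php?csrftoken={$_SESSION['csrftoken']}";'>Go</button>
<button type=button onclick="transfer('member.php', {csrftoken: '{$_SESSION['csrftoken']}'});">Go</button>
-->
EOT;
    }

    /**
     * Handle the Submit button (`action_go`).
     *
     * Persists the posted data (not shown here) and reports success via the
     * page's message facility.
     */
    protected function action_go()
    {
        // ... code to save data ...
        $this->message('Saved', true);
    }
}

$page = new MyPage('XSS Example', true);
$page->go();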
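$f->start();
$f->text('yubikey', 'YubiKey:', 50, '', true, true);
$f->button('action_yubikey', 'Verify', false);
$f->end();
    }

    /**
     * Handle the "Verify" button of the YubiKey form.
     *
     * The posted OTP is accepted only when all of the following hold:
     * it is a string longer than 34 characters (so that a public identity
     * prefix precedes the trailing 32-character OTP part), that prefix matches
     * the identity stored for the pending user, and Auth_Yubico reports the
     * OTP as valid. On success the verification is recorded (unless the
     * session is flagged `expired`) and is_verified() is called; every other
     * outcome re-renders the form with an error message.
     */
    protected function action_yubikey()
    {
        $otp = isset($_POST['yubikey']) ? $_POST['yubikey'] : '';

        // Reject non-string input before strlen()/substr() (a `yubikey[]`
        // submission would raise a TypeError), and do nothing without a
        // pending user to compare against.
        if (is_string($otp) && strlen($otp) > 34 && isset($_SESSION['userid_pending'])) {
            // Everything before the last 32 characters is the key's public identity.
            $identity = substr($otp, 0, strlen($otp) - 32);

            $stmt = $this->db->query(
                'select identity from user where userid = :userid',
                array('userid' => $_SESSION['userid_pending'])
            );
            $row = $stmt->fetch();

            // Strict, constant-time comparison; the original `==` was a loose
            // string comparison.
            if ($row && hash_equals((string) $row['identity'], $identity)) {
                $yubi = new \Auth_Yubico(CLIENT_ID, CLIENT_KEY);
                if ($yubi->verify($otp) === true) {
                    // When the session carries the `expired` flag the stored
                    // verification is left untouched.
                    if (!isset($_SESSION['expired'])) {
                        $security = new Security();
                        $security->store_verification($_SESSION['userid_pending'], true);
                    }
                    $this->is_verified();
                    return;
                }
            }
        }

        $this->show_form_yubikey();
        $this->message('Invalid YubiKey OTP');
    }
}

$page = new MyPage('Login');
$page->go(true);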