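<?php
declare(strict_types=1);

// Minimal CSRF-protected form built on riimu/kit-csrf.
//
// The token check runs before any output is produced, so a 400 response can
// still be sent; the token embedded in the form below comes from the same
// handler instance that validated the request.
require __DIR__ . '/../vendor/autoload.php';

// Constructed with library defaults; which token storage that selects is
// defined by the library and not visible here.
$csrf = new \Riimu\Kit\CSRF\CSRFHandler();

try {
    // validateRequest(true) throws InvalidCSRFTokenException instead of
    // returning false, so a missing or mismatched token cannot be ignored.
    $csrf->validateRequest(true);
} catch (\Riimu\Kit\CSRF\InvalidCSRFTokenException $ex) {
    // http_response_code() emits the status on the protocol version the
    // request actually used; the previous hard-coded 'HTTP/1.0 ...' status
    // line misreported that on HTTP/1.1 connections.
    http_response_code(400);
    exit('Bad CSRF Token!');
}

$token = $csrf->getToken();
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Simple Form</title>
</head>
<body>
<?php
// Greet the submitter. The field is only used when it is a non-empty string:
// a `my_name[]=...` submission arrives as an array and would make
// htmlspecialchars() throw a TypeError instead of rendering a greeting, and
// the previous empty() check also silently dropped the legitimate name "0".
$myName = $_POST['my_name'] ?? null;
if (is_string($myName) && $myName !== '') {
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead of
    // returning an empty string, so a malformed name still renders safely.
    printf(
        " <p>Hello <strong>%s</strong>!</p>" . PHP_EOL,
        htmlspecialchars($myName, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8')
    );
}
?>
<h3>Form with a CSRF token:</h3>
<form method="post"><div>
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?>" />
What is your name?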
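/**
 * Validate the CSRF token for all unsafe request methods.
 *
 * Requests using a safe method (GET, HEAD, OPTIONS, TRACE) are passed through
 * without a token check. Every other method must carry a valid token; when it
 * does not, the request URI is logged and the script is terminated with a
 * 400 response — this method does not return in that case.
 *
 * @return bool Always true when the method returns at all.
 */
private function csrfValid()
{
    $safeMethods = ['get', 'head', 'options', 'trace'];

    $method = strtolower($this->request->getMethod());

    // Strict comparison: the method is always a lowercase string here, so a
    // loose in_array() gains nothing and only invites type juggling surprises.
    if (in_array($method, $safeMethods, true)) {
        return true;
    }

    try {
        // Fresh handler with library defaults; validateRequest(true) throws
        // instead of returning false on a bad or absent token.
        $csrf = new \Riimu\Kit\CSRF\CSRFHandler();
        $csrf->validateRequest(true);
    } catch (\Riimu\Kit\CSRF\InvalidCSRFTokenException $ex) {
        // Log the URI only — never the submitted token value.
        error_log('Bad or missing CSRF token: ' . $this->request->getURI());
        // http_response_code() uses the request's real protocol version; the
        // previous hard-coded 'HTTP/1.0' status line misreported it on
        // HTTP/1.1 connections.
        http_response_code(400);
        exit('Bad CSRF Token');
    }

    return true;
}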
/**
 * Validates a CSRF-enabled form submission.
 *
 * When the riimu/kit-csrf handler class can be loaded, the current request is
 * validated against a handler constructed with `false` as its first argument
 * (what that flag selects is defined by the library). A failed check logs the
 * exception message, redirects the client to /error/accessdenied and returns
 * false.
 *
 * NOTE(review): when the handler class is not available this method returns
 * true without validating anything — it fails open. Confirm that is intended
 * and that the library is a hard dependency in production.
 * NOTE(review): whether http::locationHeader() terminates the script is not
 * visible here; if it does not, callers must honour the false return value.
 *
 * @return bool
 */
public static function csrfValidate()
{
    $handlerClass = '\\Riimu\\Kit\\CSRF\\CSRFHandler';

    if (!class_exists($handlerClass)) {
        return true;
    }

    try {
        $handler = new \Riimu\Kit\CSRF\CSRFHandler(false);
        $handler->validateRequest(true);
        return true;
    } catch (\Riimu\Kit\CSRF\InvalidCSRFTokenException $ex) {
        log::error($ex->getMessage());
        http::locationHeader('/error/accessdenied', 'Bad request');
        return false;
    }
}
$cache->setPrefixSize(0); $html = $cache->getOrCreate('jade-' . sha1_file($parser->getForm($req->formID)) . '-' . sha1_file('config/config.toml'), [], function () use($req, $parser, $stringifier) { return json_encode($stringifier->makeArray($parser->parseJade($req->formID)->makeFormPart())); }); # We add asset URLs and the CSRF token outside of the getOrCreate function # so that these aren't getting cached. # Create a XSRF token $csrf = new \Riimu\Kit\CSRF\CSRFHandler(); $token = $csrf->getToken(); # Write the response $stringifier->writeArray(json_decode($html, true), $res, $token); }); $klein->respond('POST', '/submit', function ($req, $res) use($parser, $stringifier) { $res->header('X-Frame-Options', 'DENY'); # Check for XSRF $csrf = new \Riimu\Kit\CSRF\CSRFHandler(); $csrf->validateRequest(true); # The name of the form is provided in the $_POST data, # not the URL! $page = $parser->parseJade($_POST['__form_name']); $config = Config::get(); $res->header('Content-Type', 'application/json; charset=utf-8'); # Do the form submission and create data that is # compatible with the frontend. return $page->form->getSubmissionPart(Result::ok(new ClientData($_POST, $_FILES)))->ifError(function ($val) { return Result::error(['success' => false, 'errors' => $val]); })->ifOk(function ($val) use($page, $config) { ob_start(); $val = $page->outputs->run($val, $page); var_dump($val); $out = ob_get_clean();