/**
 * Validates the CSRF token that was sent with the current request.
 *
 * The parent implementation is tried first; if it rejects the request with an
 * error schema, the check is repeated against a plain sfForm (kept for backward
 * compatibility with code that still generates tokens through sfForm). When CSRF
 * protection is switched off on that form, nothing is bound and the fallback
 * passes; otherwise the token is read from the request parameter named after the
 * form's CSRF field and the form's own error schema is thrown if it does not
 * validate.
 *
 * @see sfWebRequest
 */
public function checkCSRFProtection()
{
    try {
        parent::checkCSRFProtection();
    } catch (sfValidatorErrorSchema $e) {
        // retry checking for using sfForm (just for BC)
        $fallback = new sfForm();

        $bound = array();
        if ($fallback->isCSRFProtected()) {
            $tokenField = $fallback->getCSRFFieldName();
            $bound[$tokenField] = $this->getParameter($tokenField);
        }

        $fallback->bind($bound);
        if (!$fallback->isValid()) {
            throw $fallback->getErrorSchema();
        }
    }
}
/**
 * Validates the CSRF token that was sent with the current request using sfForm.
 *
 * A plain sfForm is bound with the single request parameter named after its CSRF
 * field (or with nothing at all when CSRF protection is disabled on the form, in
 * which case the check trivially passes). If the form does not validate, its error
 * schema is thrown to the caller.
 */
public function checkCSRFProtection()
{
    $guard = new sfForm();

    $bound = array();
    if ($guard->isCSRFProtected()) {
        $tokenField = $guard->getCSRFFieldName();
        $bound[$tokenField] = $this->getParameter($tokenField);
    }

    $guard->bind($bound);
    if (!$guard->isValid()) {
        throw $guard->getErrorSchema();
    }
}
/**
 * Builds the inline JavaScript that turns a link click into a form POST.
 *
 * The generated code creates a hidden form next to the link, points it at the
 * link's href, and submits it. Any verb other than "post" is tunnelled through a
 * hidden "sf_method" field; when sfForm reports CSRF protection as enabled, the
 * current token is added as a second hidden field so the submitted request passes
 * the CSRF check.
 *
 * $method is written into a JavaScript string literal without any escaping
 * (no escape_javascript call), so it must be a verb supplied by application code,
 * never a value taken from the request.
 *
 * @param string $method HTTP verb to emulate (compared case-insensitively)
 *
 * @return string JavaScript statements, suitable for an onclick handler
 */
function _method_javascript_function($method)
{
    $verb = strtolower($method);

    $js = "var f = document.createElement('form'); f.style.display = 'none'; this.parentNode.appendChild(f); f.method = 'post'; f.action = this.href;";

    // Only non-POST verbs need the sf_method override field.
    if ('post' != $verb) {
        $js .= "var m = document.createElement('input'); m.setAttribute('type', 'hidden'); ";
        $js .= "m.setAttribute('name', 'sf_method'); m.setAttribute('value', '" . $verb . "'); f.appendChild(m);";
    }

    // CSRF protection: carry the current token along with the emulated request.
    $form = new sfForm();
    if ($form->isCSRFProtected()) {
        $js .= "var m = document.createElement('input'); m.setAttribute('type', 'hidden'); ";
        $js .= "m.setAttribute('name', '" . $form->getCSRFFieldName() . "'); m.setAttribute('value', '" . $form->getCSRFToken() . "'); f.appendChild(m);";
    }

    $js .= 'f.submit();';

    return $js;
}
/**
 * Returns the javascript needed for a remote function.
 * Takes the same arguments as 'link_to_remote()'.
 *
 * Example:
 *  <select id="options" onchange="<?php echo remote_function(array('update' => 'options', 'url' => '@update_options')) ?>">
 *    <option value="0">Hello</option>
 *    <option value="1">World</option>
 *  </select>
 *
 * Option values are spliced verbatim into the generated JavaScript; only 'confirm'
 * goes through escape_javascript(). Every other option (callbacks, selectors,
 * 'with', 'before'/'after', 'condition', 'cancel') is therefore expected to be
 * written by application code, not derived from request data.
 *
 * @param array $options see link_to_remote(); 'url' is required (passed to url_for())
 *
 * @return string a jQuery.ajax() call, optionally wrapped in condition/confirm logic
 */
function jq_remote_function($options)
{
  // Defining elements to update
  if (isset($options['update']) && is_array($options['update']))
  {
    // On success, update the element with returned data
    if (isset($options['update']['success']))
    {
      $update_success = "#" . $options['update']['success'];
    }
    // On failure, execute a client-side function
    if (isset($options['update']['failure']))
    {
      $update_failure = $options['update']['failure'];
    }
  }
  else
  {
    // A scalar 'update' is treated as the id of the element to fill on success
    if (isset($options['update']))
    {
      $update_success = "#" . $options['update'];
    }
  }

  // Update method (jQuery method name used to insert the response, chosen from 'position')
  $updateMethod = _update_method(isset($options['position']) ? $options['position'] : '');

  // Callbacks
  if (isset($options['loading']))
  {
    $callback_loading = $options['loading'];
  }
  if (isset($options['complete']))
  {
    $callback_complete = $options['complete'];
  }
  if (isset($options['success']))
  {
    $callback_success = $options['success'];
  }

  // NOTE(review): $execute holds the *string* 'false' or 'true', not a boolean.
  $execute = 'false';
  if (isset($options['script']) && $options['script'] == '1')
  {
    $execute = 'true';
  }

  // Data Type
  // NOTE(review): the string 'false' is truthy, so `elseif ($execute)` always
  // succeeds and the 'text' branch below is unreachable; the default dataType is
  // effectively 'html' regardless of 'script'. Compare against 'true' if the
  // distinction was intended.
  if (isset($options['dataType']))
  {
    $dataType = $options['dataType'];
  }
  elseif ($execute)
  {
    $dataType = 'html';
  }
  else
  {
    $dataType = 'text';
  }

  // POST or GET ?
  // The caller's spelling of 'method' is passed through as given (e.g. 'get'),
  // only the comparison is case-insensitive.
  $method = 'POST';
  if (isset($options['method']) && strtoupper($options['method']) == 'GET')
  {
    $method = $options['method'];
  }

  // async or sync, async is default ($type stays unset unless 'synchronous' is requested)
  if (isset($options['type']) && $options['type'] == 'synchronous')
  {
    $type = 'false';
  }

  // Is it a form submitting
  // Exactly one data source is chosen, in this priority: form, submit, with, csrf.
  if (isset($options['form']))
  {
    $formData = 'jQuery(this).serialize()';
  }
  elseif (isset($options['submit']))
  {
    // NOTE(review): this yields {'#id'}.serialize(), which does not look like a
    // jQuery selector call — verify against the jQuery version in use.
    $formData = '{\'#' . $options['submit'] . '\'}.serialize()';
  }
  elseif (isset($options['with']))
  {
    $formData = $options['with'];
  }
  elseif (isset($options['csrf']) && $options['csrf'] == '1')
  {
    // Send the current CSRF token as the only request data, as an object literal
    // keyed by the form's CSRF field name. If protection is disabled, no data is sent.
    $form = new sfForm();
    if ($form->isCSRFProtected())
    {
      $formData = '{' . $form->getCSRFFieldName() . ': \'' . $form->getCSRFToken() . '\'}';
    }
  }

  // build the function
  $function = "jQuery.ajax({";
  $function .= 'type:\'' . $method . '\'';
  $function .= ',dataType:\'' . $dataType . '\'';
  if (isset($type))
  {
    $function .= ',async:' . $type;
  }
  if (isset($formData))
  {
    $function .= ',data:' . $formData;
  }
  // An explicit 'success' callback takes precedence over the 'update' element
  if (isset($update_success) and !isset($callback_success))
  {
    $function .= ',success:function(data, textStatus){jQuery(\'' . $update_success . '\').' . $updateMethod . '(data);}';
  }
  if (isset($update_failure))
  {
    $function .= ',error:function(XMLHttpRequest, textStatus, errorThrown){' . $update_failure . '}';
  }
  if (isset($callback_loading))
  {
    $function .= ',beforeSend:function(XMLHttpRequest){' . $callback_loading . '}';
  }
  if (isset($callback_complete))
  {
    $function .= ',complete:function(XMLHttpRequest, textStatus){' . $callback_complete . '}';
  }
  if (isset($callback_success))
  {
    $function .= ',success:function(data, textStatus){' . $callback_success . '}';
  }
  $function .= ',url:\'' . url_for($options['url']) . '\'';
  $function .= '})';

  // Wrapping: before/after statements, then condition, then confirm (outermost)
  if (isset($options['before']))
  {
    $function = $options['before'] . '; ' . $function;
  }
  if (isset($options['after']))
  {
    $function = $function . '; ' . $options['after'];
  }
  if (isset($options['condition']))
  {
    $function = 'if (' . $options['condition'] . ') { ' . $function . '; }';
  }
  if (isset($options['confirm']))
  {
    $function = "if (confirm('" . escape_javascript($options['confirm']) . "')) { {$function}; }";
    if (isset($options['cancel']))
    {
      $function = $function . ' else { ' . $options['cancel'] . ' }';
    }
  }

  return $function;
}
<select name="batch_action"> <option value="">[?php echo __('Choose an action', array(), 'sf_admin') ?]</option> <?php foreach ((array) $listActions as $action => $params) { ?> <?php echo $this->addCredentialCondition('<option value="' . $action . '">[?php echo __(\'' . $params['label'] . '\', array(), \'sf_admin\') ?]</option>', $params); ?> <?php } ?> </select> <?php $form = new sfForm(); if ($form->isCSRFProtected()) { ?> <input type="hidden" name="<?php echo $form->getCSRFFieldName(); ?> " value="<?php echo $form->getCSRFToken(); ?> " /> <?php } ?> <input type="submit" value="[?php echo __('go', array(), 'sf_admin') ?]" /> </div> <?php }
/**
 * Returns a fragment that appends the CSRF field to a JavaScript object literal.
 *
 * The fragment is meant to be spliced into an object literal whose last value is
 * an open single-quoted string: it closes that string, adds "<field>: '<token>"
 * and leaves the final closing quote to the caller (note the unbalanced quotes
 * in the result). When sfForm reports CSRF protection as disabled, an empty
 * string is returned so the caller's literal is left untouched.
 *
 * @return string
 */
function _get_json_data_token()
{
    // CSRF protection
    $form = new sfForm();
    if (!$form->isCSRFProtected())
    {
        return '';
    }

    return "', " . $form->getCSRFFieldName() . ": '" . $form->getCSRFToken();
}