*/
require_once 'lib/common.php';
use PDOException;
class MyPage extends Page
{
protected function request()
{
$val = isset($_POST['field']) ? $_POST['field'] : '';
echo <<<EOT
<form action='{$_SERVER['PHP_SELF']}' method=post
accept-charset=UTF-8>
<input type=text name=field size=115 value='{$val}'>
<input type=submit name=action_go value=Submit>
</form>
<!--
<button type=button onclick='window.location=
"member.php?csrftoken={$_SESSION['csrftoken']}";'>Go</button>
<button type=button onclick="transfer('member.php',
{csrftoken: '{$_SESSION['csrftoken']}'});">Go</button>
-->
EOT;
}
protected function action_go()
{
// ... code to save data ...
$this->message('Saved', true);
}
}
$page = new MyPage('XSS Example', true);
$page->go();
$f->start();
$f->text('yubikey', 'YubiKey:', 50, '', true, true);
$f->button('action_yubikey', 'Verify', false);
$f->end();
}
protected function action_yubikey()
{
$y = $_POST['yubikey'];
if (strlen($y) > 34) {
$identity = substr($y, 0, strlen($y) - 32);
$stmt = $this->db->query('select identity from
user where userid = :userid', array('userid' => $_SESSION['userid_pending']));
if (($row = $stmt->fetch()) && $row['identity'] == $identity) {
$yubi = new \Auth_Yubico(CLIENT_ID, CLIENT_KEY);
if ($yubi->verify($y) === true) {
if (!isset($_SESSION['expired'])) {
$security = new Security();
$security->store_verification($_SESSION['userid_pending'], true);
}
$this->is_verified();
return;
}
}
}
$this->show_form_yubikey();
$this->message('Invalid YubiKey OTP');
}
}
$page = new MyPage('Login');
$page->go(true);
