function phabricator_render_form(PhabricatorUser $user, $attributes, $content) { if (strcasecmp(idx($attributes, 'method'), 'POST') == 0 && !preg_match('#^(https?:|//)#', idx($attributes, 'action'))) { $content = phutil_render_tag('input', array('type' => 'hidden', 'name' => AphrontRequest::getCSRFTokenName(), 'value' => $user->getCSRFToken())) . phutil_render_tag('input', array('type' => 'hidden', 'name' => '__form__', 'value' => true)) . $content; } return javelin_render_tag('form', $attributes, $content); }
function phabricator_form(PhabricatorUser $user, $attributes, $content) { $body = array(); $http_method = idx($attributes, 'method'); $is_post = strcasecmp($http_method, 'POST') === 0; $http_action = idx($attributes, 'action'); $is_absolute_uri = preg_match('#^(https?:|//)#', $http_action); if ($is_post) { // NOTE: We only include CSRF tokens if a URI is a local URI on the same // domain. This is an important security feature and prevents forms which // submit to foreign sites from leaking CSRF tokens. // In some cases, we may construct a fully-qualified local URI. For example, // we can construct these for download links, depending on configuration. // These forms do not receive CSRF tokens, even though they safely could. // This can be confusing, if you're developing for Phabricator and // manage to construct a local form with a fully-qualified URI, since it // won't get CSRF tokens and you'll get an exception at the other end of // the request which is a bit disconnected from the actual root cause. // However, this is rare, and there are reasonable cases where this // construction occurs legitimately, and the simplest fix is to omit CSRF // tokens for these URIs in all cases. The error message you receive also // gives you some hints as to this potential source of error. if (!$is_absolute_uri) { $body[] = phutil_tag('input', array('type' => 'hidden', 'name' => AphrontRequest::getCSRFTokenName(), 'value' => $user->getCSRFToken())); $body[] = phutil_tag('input', array('type' => 'hidden', 'name' => '__form__', 'value' => true)); } } if (is_array($content)) { $body = array_merge($body, $content); } else { $body[] = $content; } return javelin_tag('form', $attributes, $body); }
function phabricator_render_form(PhabricatorUser $user, $attributes, $content) { return javelin_render_tag('form', $attributes, phutil_render_tag('input', array('type' => 'hidden', 'name' => AphrontRequest::getCSRFTokenName(), 'value' => $user->getCSRFToken())) . phutil_render_tag('input', array('type' => 'hidden', 'name' => '__form__', 'value' => true)) . $content); }