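/**
 * Renders a non-persisted preview of a widget built from the query-string parameters.
 *
 * Every key of $_GET is copied into the template variables, then the values the
 * overview template needs are derived from them: a "goal" and a "raised" Amount in
 * the requested currency, the progress percentage, and the width/height/colour with
 * fallbacks to the first allowed size and the default colour. No widget id is set,
 * so the rendered output cannot be mistaken for a stored widget.
 *
 * @return mixed whatever renderWidgetArr() returns for the assembled variables
 */
function preview()
{
    // NOTE(review): every request parameter is handed straight to the template.
    // Anything the template echoes from $vars must be escaped there; a keyed
    // whitelist here would be safer once the set of keys the template reads is known.
    $vars = $_GET;
    $vars['previewOnly'] = true;
    $vars['display'] = 'overview';

    // Missing keys go through the project's at() helper (entry if present, else the
    // default, as it is used elsewhere in this file) so a bare preview URL does not
    // raise undefined-index notices; the resulting values are the same as before.
    $vars['bitcoinAddress'] = at($_GET, 'address', null);
    $currency = at($_GET, 'currency', null);
    $vars['goal'] = new Amount($currency, (float) at($_GET, 'goal', 0));
    // When the caller gives no "raised" figure, preview a quarter of the goal.
    $vars['raised'] = new Amount($currency, (float) at($_GET, 'raised', $vars['goal']->numUnits / 4));
    $this->setAltCurrencyValues($vars['goal'], $vars['raised'], $vars);

    // A zero or absent goal used to divide by zero here; report 0% progress instead.
    $goalUnits = $vars['goal']->numUnits;
    if ((float) $goalUnits === 0.0) {
        $vars['progressPercent'] = 0;
    } else {
        $vars['progressPercent'] = $vars['raised']->numUnits / $goalUnits * 100;
    }

    $sizes = Widgets\allowedSizes();
    $vars['width'] = at($_GET, 'width', $sizes[0]->width);
    $vars['height'] = at($_GET, 'height', $sizes[0]->height);
    $vars['color'] = at($_GET, 'color', Widgets\defaultColor());
    $vars['widgetID'] = null;

    return $this->renderWidgetArr($vars);
}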
/**
 * Resolves the widget the wizard is operating on.
 *
 * With a "w" query parameter the request edits an existing widget: the caller must
 * be signed in (otherwise a session flag is set and they are sent to the sign-in
 * page), and the widget is looked up scoped to that owner and cached in the session.
 * Without "w", the unsaved widget from the session is reused — unless it carries an
 * owner while no user is set, in which case it is discarded — or a fresh Widget is
 * created; either way its colour and size are reset to the defaults.
 *
 * @return mixed a Widget, or the redirect result when sign-in is required
 */
private function getWidget()
{
    if (isset($_GET['w'])) {
        // Editing an existing widget: insist on a signed-in user before looking it up.
        $owner = $this->getActiveUser();
        if (empty($owner)) {
            $_SESSION['authenticationRequired'] = true;
            return $this->redirect("/account/signin");
        }
        // The lookup is scoped to the owner, so an id belonging to someone else
        // cannot be loaded through this path.
        $editing = Widget::getByOwnerAndID($owner, $_GET['w']);
        $this->storeWidgetInSession($editing);
        return $editing;
    }

    // No id given: continue with the unsaved widget kept in the session, if any.
    $draft = at($_SESSION, 'unsaved-widget', null);

    // An owned widget left in the session while no user is set is stale; drop it.
    // NOTE(review): this branch reads $this->user whereas the edit branch calls
    // getActiveUser() — confirm the two always agree.
    $staleOwnedDraft = isset($draft) && isset($draft->ownerID) && empty($this->user);
    if ($staleOwnedDraft) {
        $this->clearWidgetInSession();
        $draft = null;
    }
    if (empty($draft)) {
        $draft = new Widget();
    }

    // Colour and size always start from the defaults on this path.
    $defaultSize = Widgets\defaultSize();
    $draft->color = Widgets\defaultColor();
    $draft->width = $defaultSize->width;
    $draft->height = $defaultSize->height;
    return $draft;
}
/**
 * Checks that the widget wizard does not accept form submissions that skip the
 * normal page flow, which is what a CSRF-protected endpoint must guarantee (it
 * should demand a per-form token or nonce). The widget's edit page is loaded first
 * so the wizard has a widget in session, then both wizard steps are posted "raw";
 * the widget is reloaded afterwards and must carry none of the posted values.
 *
 * NOTE(review): only persisted state is asserted; the test does not check that the
 * posts themselves were refused (a rejecting status is caught and ignored).
 *
 * See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
 */
function testResilienceToCrossSiteRequestForgeryAttack()
{
    // getWidget() here is the test fixture helper, not the wizard's own method.
    $victim = getWidget($this->user);
    $this->get("/widget-wiz/step-one?w={$victim->id}");

    // Both wizard steps, in order, with values that must not end up on the widget.
    $forgedSubmissions = array(
        '/widget-wiz/step-one' => array(
            'title' => 'Hijacked',
            'goal' => '1000',
            'currency' => 'USD',
            'ending' => "12/15/2020",
            'bitcoinAddress' => '1E3FqrQTZSvTUdw7qZ4NnZppqiqnqqNcUN',
        ),
        '/widget-wiz/step-two' => array(
            'about' => 'Show me the money!',
            'color' => Widgets\defaultColor(),
            'size' => (string) Widgets\defaultSize(),
        ),
    );
    foreach ($forgedSubmissions as $path => $fields) {
        try {
            $this->post($path, $fields);
        } catch (UnexpectedHttpResponseCode $_) {
            // A rejecting status code is the expected outcome; nothing more to do.
        }
    }

    $reloaded = Widget::getByID($victim->id);
    assertNotEqual('Hijacked', $reloaded->title);
    assertNotEqual('1E3FqrQTZSvTUdw7qZ4NnZppqiqnqqNcUN', $reloaded->bitcoinAddress);
    assertNotEqual('Show me the money!', $reloaded->about);
}