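 /**
  * Pre-save filter for front-end events: flags possible XSS in the submitted
  * fields and/or validates the XSRF token, depending on which filters the
  * event opted in to ('xss-fail' and 'validate-xsrf' in eParamFILTERS).
  *
  * Fix over the previous version: the field scan (detectXSS / detectXSSInArray)
  * now only runs when the 'xss-fail' filter is requested. Previously every
  * field was scanned even for XSRF-only events and the result was then
  * discarded. The filter-name lookups are also strict (no loose '==').
  *
  * @param array $context Delegate context. Reads $context['event']->eParamFILTERS
  *                       and $context['fields']; appends to $context['messages'].
  *                       NOTE(review): $context is received by value, so the
  *                       appended messages only reach the caller if it supplied
  *                       'messages' as a reference — confirm against the delegate
  *                       that fires this filter.
  * @return void
  */
 public function eventPreSaveFilter(array $context)
 {
     $filters = $context['event']->eParamFILTERS;
     $wantsXssCheck = in_array('xss-fail', $filters, true);
     $wantsXsrfCheck = in_array('validate-xsrf', $filters, true);
     // Nothing to do unless the event asked for at least one of the filters.
     if (!$wantsXssCheck && !$wantsXsrfCheck) {
         return;
     }

     // XSS filter: stop at the first field that trips the detector. This is a
     // heuristic pre-check only; output encoding at render time is still the
     // actual defence against XSS.
     $contains_xss = FALSE;
     if ($wantsXssCheck) {
         foreach ($context['fields'] as $field => $value) {
             $detected = is_array($value)
                 ? self::detectXSSInArray($value)
                 : self::detectXSS($value);
             if ($detected !== FALSE) {
                 $contains_xss = TRUE;
                 break;
             }
         }
     }
     if ($wantsXssCheck && $contains_xss === TRUE) {
         $context['messages'][] = array('xss', FALSE, __("Possible XSS attack detected in submitted data"));
     }

     // XSRF filter. The token is only checked when XSRF is enabled AND a session
     // exists: a request without a session cannot carry a token, so it is let
     // through rather than rejected. Preserved from the original; review whether
     // that is the intended policy for this event.
     if ($wantsXsrfCheck) {
         if (Symphony::Engine()->isXSRFEnabled() && is_session_empty() === false && XSRF::validateRequest(true) === false) {
             $context['messages'][] = array('xsrf', FALSE, __("Request was rejected for having an invalid cross-site request forgery token."));
         }
     }
 }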
 /**
  * Overrides the default Symphony constructor to add XSRF checking.
  *
  * Once the parent has been constructed, the request is handed to
  * XSRF::validateRequest() whenever XSRF protection is enabled (RE: #1874).
  * NOTE(review): the no-argument form's return value is not inspected here,
  * so it presumably rejects the request itself (throws/exits) rather than
  * reporting a boolean — confirm in the XSRF class before relying on it.
  */
 protected function __construct()
 {
     parent::__construct();
     $xsrfEnabled = self::isXSRFEnabled();
     if (!$xsrfEnabled) {
         return;
     }
     // Ensure the request is legitimate. RE: #1874
     XSRF::validateRequest();
 }
 /**
  * Constructor: after the parent is built, run the XSRF check when the
  * 'xsrf_protection' extension is enabled, or is enabled but still awaiting
  * an update (EXTENSION_REQUIRES_UPDATE).
  *
  * NOTE(review): the status lookup uses loose in_array(), as before; if the
  * values returned by fetchStatus() are of the same type as the EXTENSION_*
  * constants, passing strict=true would be the safer form — confirm first.
  * NOTE(review): validateRequest() is called without arguments and its result
  * is ignored, so it presumably rejects the request itself — verify.
  */
 public function __construct()
 {
     parent::__construct();
     // Validate request passes XSRF checks if extension is enabled.
     $statuses = Symphony::ExtensionManager()->fetchStatus(array("handle" => "xsrf_protection"));
     $activeStates = array(EXTENSION_ENABLED, EXTENSION_REQUIRES_UPDATE);
     foreach ($activeStates as $state) {
         if (in_array($state, $statuses)) {
             XSRF::validateRequest();
             break;
         }
     }
 }