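 /**
  * Output-buffer callback that injects the CSRF token, the list of URLs to
  * verify and the CSRFProtector script into an HTML response.
  *
  * Nothing is rewritten until a chunk containing an `<html` tag has been
  * seen (self::$isValidHTML latches to true after that), so non-HTML
  * responses pass through untouched.
  *
  * @param string $buffer chunk of output handed over by the output buffer
  * @param int    $flags  PHP_OUTPUT_HANDLER_* flags (not used)
  * @return string the (possibly rewritten) chunk
  */
 public static function ob_handler($buffer, $flags)
 {
     // Even though the user told us to rewrite, we should do a quick heuristic
     // to check if the page is *actually* HTML. We don't begin rewriting until
     // we hit the first <html tag.
     if (!self::$isValidHTML) {
         // not HTML until proven otherwise
         if (stripos($buffer, '<html') === false) {
             return $buffer;
         }
         self::$isValidHTML = true;
     }

     // TODO: statically rewrite all forms as well so that if a form is submitted
     // before the js has worked on, it will still have token to send
     // @priority: medium @labels: important @assign: mebjas
     // @deadline: 1 week

     // Add a <noscript> message right after the opening <body> tag, informing
     // the user to enable js for CSRFProtector to work. A callback is used
     // instead of a replacement string so that "$1" or "\" sequences inside
     // the configured message are not interpreted as back-references.
     $noscript = ' <noscript>' . self::$config['disabledJavascriptMessage'] . '</noscript>';
     $withNoscript = preg_replace_callback(
         '/<body[^>]*>/',
         function (array $match) use ($noscript) {
             return $match[0] . $noscript;
         },
         $buffer
     );
     // preg_replace_callback() returns null on a PCRE error (e.g. backtrack
     // limit); keep the original chunk rather than emitting an empty page.
     if ($withNoscript !== null) {
         $buffer = $withNoscript;
     }

     // Attribute values are HTML-escaped so that a token, URL pattern or
     // script URL containing quotes cannot break out of its attribute. The
     // browser decodes the entities again, so the JavaScript side still reads
     // the original strings via .value / src.
     $token = htmlspecialchars((string) self::$config['CSRFP_TOKEN'], ENT_QUOTES, 'UTF-8');
     $jsUrl = htmlspecialchars((string) self::$config['jsUrl'], ENT_QUOTES, 'UTF-8');
     // "&" is replaced by "%26" before encoding, as the original did, so the
     // client-side reader keeps receiving the same representation.
     $urls = json_encode(str_replace('&', '%26', self::$config['verifyGetFor']));
     if ($urls === false) {
         // json_encode() failed (e.g. invalid UTF-8); emit an empty list
         // instead of an empty attribute the JS cannot parse.
         $urls = '[]';
     }
     $urls = htmlspecialchars($urls, ENT_QUOTES, 'UTF-8');

     // Hidden fields with the token and check-url information, read by the
     // javascript.
     $hiddenInput = '<fieldset style="display: none"><legend>CSRF Protection</legend>' . PHP_EOL;
     $hiddenInput .= '<input type="hidden" id="' . CSRFP_FIELD_TOKEN_NAME . '" value="' . $token . '" />' . PHP_EOL;
     $hiddenInput .= '<input type="hidden" id="' . CSRFP_FIELD_URLS . '" value=\'' . $urls . '\' />' . PHP_EOL;
     $hiddenInput .= '</fieldset>';

     // The CSRFGuard js file.
     $script = '<script type="text/javascript" src="' . $jsUrl . '"></script>' . PHP_EOL;

     // Both fragments go in front of </body>. If this chunk has no closing
     // body tag they are appended instead -- both of them, so the script is
     // never emitted without the token fields it depends on.
     // NOTE(review): this runs once per chunk handed to the output buffer;
     // confirm the buffer is flushed as a single chunk, otherwise chunks
     // without </body> each receive the appended fragments.
     $buffer = str_ireplace('</body>', $hiddenInput . $script . '</body>', $buffer, $count);
     if (!$count) {
         $buffer .= $hiddenInput . $script;
     }
     return $buffer;
 }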
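 /**
  * Output-buffer callback that injects the CSRF token, the list of URLs to
  * verify and the CSRFProtector script into an HTML response, then runs the
  * static HTML rewriting step on the result.
  *
  * Nothing is rewritten until a chunk containing an `<html` tag has been
  * seen (self::$isValidHTML latches to true after that), so non-HTML
  * responses pass through untouched.
  *
  * @param string $buffer chunk of output handed over by the output buffer
  * @param int    $flags  PHP_OUTPUT_HANDLER_* flags (not used)
  * @return string the (possibly rewritten) chunk
  */
 public static function ob_handler($buffer, $flags)
 {
     // Even though the user told us to rewrite, we should do a quick heuristic
     // to check if the page is *actually* HTML. We don't begin rewriting until
     // we hit the first <html tag.
     if (!self::$isValidHTML) {
         // not HTML until proven otherwise
         if (stripos($buffer, '<html') === false) {
             return $buffer;
         }
         self::$isValidHTML = true;
     }

     // Add a <noscript> message right after the opening <body> tag, informing
     // the user to enable js for CSRFProtector to work. A callback is used
     // instead of a replacement string so that "$1" or "\" sequences inside
     // the configured message are not interpreted as back-references.
     $noscript = ' <noscript>' . self::$config['disabledJavascriptMessage'] . '</noscript>';
     $withNoscript = preg_replace_callback(
         '/<body[^>]*>/',
         function (array $match) use ($noscript) {
             return $match[0] . $noscript;
         },
         $buffer
     );
     // preg_replace_callback() returns null on a PCRE error (e.g. backtrack
     // limit); keep the original chunk rather than emitting an empty page.
     if ($withNoscript !== null) {
         $buffer = $withNoscript;
     }

     // Attribute values are HTML-escaped so that a token, URL pattern or
     // script URL containing quotes cannot break out of its attribute. The
     // browser decodes the entities again, so the JavaScript side still reads
     // the original strings via .value / src.
     $token = htmlspecialchars((string) self::$config['CSRFP_TOKEN'], ENT_QUOTES, 'UTF-8');
     $jsUrl = htmlspecialchars((string) self::$config['jsUrl'], ENT_QUOTES, 'UTF-8');
     $urls = json_encode(self::$config['verifyGetFor']);
     if ($urls === false) {
         // json_encode() failed (e.g. invalid UTF-8); emit an empty list
         // instead of an empty attribute the JS cannot parse.
         $urls = '[]';
     }
     $urls = htmlspecialchars($urls, ENT_QUOTES, 'UTF-8');

     // Hidden fields with the token and check-url information, read by the
     // javascript.
     $hiddenInput = '<input type="hidden" id="' . CSRFP_FIELD_TOKEN_NAME . '" value="' . $token . '">' . PHP_EOL;
     $hiddenInput .= '<input type="hidden" id="' . CSRFP_FIELD_URLS . '" value=\'' . $urls . '\'>';

     // The CSRFGuard js file.
     $script = '<script type="text/javascript" src="' . $jsUrl . '"></script>' . PHP_EOL;

     // Both fragments go in front of </body> (hidden fields first, then the
     // script, as before).
     $buffer = str_ireplace('</body>', $hiddenInput . $script . '</body>', $buffer, $count);

     // Perform static rewriting on $buffer. This deliberately runs after the
     // fragments have been inserted, matching the previous order of operations.
     $buffer = self::rewriteHTML($buffer);

     // No closing body tag in this chunk: append both fragments so the script
     // is never emitted without the token fields it depends on.
     // NOTE(review): this runs once per chunk handed to the output buffer;
     // confirm the buffer is flushed as a single chunk, otherwise chunks
     // without </body> each receive the appended fragments.
     if (!$count) {
         $buffer .= $hiddenInput . $script;
     }
     return $buffer;
 }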
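 /**
  * Output-buffer callback that injects the CSRFProtector script into HTML
  * output. When the cached JS cannot be used or rebuilt, the list of URLs to
  * verify is inlined as a script block instead.
  *
  * Nothing is rewritten until a chunk containing an `<html` tag has been
  * seen (self::$isValidHTML latches to true after that), so non-HTML
  * responses pass through untouched.
  *
  * @param string $buffer output buffer to which all output are stored
  * @param int    $flags  PHP_OUTPUT_HANDLER_* flags (not used)
  * @return string complete output buffer
  */
 public static function ob_handler($buffer, $flags)
 {
     // Even though the user told us to rewrite, we should do a quick heuristic
     // to check if the page is *actually* HTML. We don't begin rewriting until
     // we hit the first <html tag.
     if (!self::$isValidHTML) {
         // not HTML until proven otherwise
         if (stripos($buffer, '<html') === false) {
             return $buffer;
         }
         self::$isValidHTML = true;
     }

     // Add a <noscript> message right after the opening <body> tag, informing
     // the user to enable js for CSRFProtector to work. A callback is used
     // instead of a replacement string so that "$1" or "\" sequences inside
     // the configured message are not interpreted as back-references.
     $noscript = ' <noscript>' . self::$config['disabledJavascriptMessage'] . '</noscript>';
     $withNoscript = preg_replace_callback(
         '/<body[^>]*>/',
         function (array $match) use ($noscript) {
             return $match[0] . $noscript;
         },
         $buffer
     );
     // preg_replace_callback() returns null on a PCRE error (e.g. backtrack
     // limit); keep the original chunk rather than emitting an empty page.
     if ($withNoscript !== null) {
         $buffer = $withNoscript;
     }

     // If the JS cache cannot be (re)built, fall back to inlining the URL
     // list so the client still knows which GET requests to verify. The list
     // is emitted as a JSON array literal rather than hand-built quoted
     // strings, with the HEX flags so that no value can contain a quote, an
     // "</script>" sequence or "&" that would break out of the script block.
     $urlList = '';
     if (!self::useCachedVersion()) {
         try {
             self::createNewJsCache();
         } catch (Exception $ex) {
             $urls = self::$config['verifyGetFor'];
             if (is_array($urls) && $urls !== []) {
                 $encoded = json_encode(
                     array_values($urls),
                     JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
                 );
                 if ($encoded !== false) {
                     $urlList = $encoded;
                 }
             }
         }
     }

     // The script URL is HTML-escaped so a URL containing quotes cannot break
     // out of the src attribute; the browser decodes the entities again.
     $jsUrl = htmlspecialchars((string) self::$config['jsUrl'], ENT_QUOTES, 'UTF-8');
     $script = '<script type="text/javascript" src="' . $jsUrl . '"></script>' . PHP_EOL;
     $script .= '<script type="text/javascript">' . PHP_EOL;
     if ($urlList !== '') {
         $script .= 'CSRFP.checkForUrls = ' . $urlList . ';' . PHP_EOL;
     }
     $script .= 'window.onload = function() {' . PHP_EOL;
     $script .= "\tcsrfprotector_init();" . PHP_EOL;
     $script .= '};' . PHP_EOL;
     $script .= '</script>' . PHP_EOL;

     // Implant the CSRFGuard js in front of </body>; if this chunk has no
     // closing body tag, append it instead.
     // NOTE(review): this runs once per chunk handed to the output buffer;
     // confirm the buffer is flushed as a single chunk, otherwise chunks
     // without </body> each receive the appended script.
     $buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);
     if (!$count) {
         $buffer .= $script;
     }
     return $buffer;
 }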