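/**
 * Delegate handler for `EventPreSaveFilter`.
 *
 * Applies the `xss-fail` and `validate-xsrf` event filters to the data
 * submitted to a frontend event. Nothing is done unless the event lists at
 * least one of those two filter handles in `eParamFILTERS`.
 *
 * - `xss-fail`: each submitted field is passed to `self::detectXSS()`
 *   (scalars) or `self::detectXSSInArray()` (nested arrays); the first one
 *   that does not return FALSE marks the submission as suspicious and an
 *   `xss` failure message is appended. Detection is only run when this
 *   filter is actually attached.
 * - `validate-xsrf`: when the engine reports XSRF protection as enabled and
 *   the session is not empty, the request token is checked with
 *   `XSRF::validateRequest(true)` and an `xsrf` failure message is appended
 *   when that returns FALSE.
 *
 * Failure messages use the `array(handle, FALSE, text)` shape. The appended
 * entries only reach the event if `$context['messages']` is bound by
 * reference by the delegate caller (assumption — confirm against the
 * delegate definition).
 *
 * @param array $context
 *  Delegate context carrying `event` (the Event instance whose
 *  `eParamFILTERS` is read), `fields` (the submitted data) and `messages`
 *  (the list of filter results).
 * @return void
 */
public function eventPreSaveFilter(array $context)
{
    $filters = $context['event']->eParamFILTERS;
    // Filter handles are plain strings, so compare strictly rather than
    // relying on loose `in_array` semantics.
    $checkXSS = in_array('xss-fail', $filters, true);
    $checkXSRF = in_array('validate-xsrf', $filters, true);

    if (!$checkXSS && !$checkXSRF) {
        return;
    }

    $containsXSS = FALSE;
    if ($checkXSS) {
        // Stop at the first suspicious field; nested arrays and scalars are
        // handed to different detectors.
        foreach ($context['fields'] as $value) {
            $result = is_array($value)
                ? self::detectXSSInArray($value)
                : self::detectXSS($value);
            if ($result !== FALSE) {
                $containsXSS = TRUE;
                break;
            }
        }
    }

    if ($containsXSS === TRUE) {
        $context['messages'][] = array('xss', FALSE, __("Possible XSS attack detected in submitted data"));
    }

    // The token is only checked when a session exists: without one there is
    // nothing to compare against. The `true` argument presumably selects a
    // non-fatal mode that returns FALSE instead of aborting — confirm in XSRF.
    if ($checkXSRF
        && Symphony::Engine()->isXSRFEnabled()
        && is_session_empty() === false
        && XSRF::validateRequest(true) === false
    ) {
        $context['messages'][] = array('xsrf', FALSE, __("Request was rejected for having an invalid cross-site request forgery token."));
    }
}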
/**
 * Constructor override that validates the XSRF token as part of engine
 * construction (see #1874).
 *
 * The check is skipped entirely while XSRF protection is disabled; when it
 * is enabled, `XSRF::validateRequest()` is responsible for handling an
 * invalid or missing token.
 */
protected function __construct()
{
    parent::__construct();

    if (!self::isXSRFEnabled()) {
        return;
    }

    // Reject forged requests as early as possible. RE: #1874
    XSRF::validateRequest();
}
/**
 * Constructor that runs the XSRF request check whenever the
 * `xsrf_protection` extension is enabled, or enabled but awaiting an
 * update (presumably so a pending update does not switch the check off —
 * confirm against the extension manager's status semantics).
 */
public function __construct()
{
    parent::__construct();

    $extensionStatus = Symphony::ExtensionManager()->fetchStatus(array("handle" => "xsrf_protection"));
    $isActive = in_array(EXTENSION_ENABLED, $extensionStatus)
        || in_array(EXTENSION_REQUIRES_UPDATE, $extensionStatus);

    if (!$isActive) {
        return;
    }

    // Rejection of an invalid token is left to the extension itself.
    XSRF::validateRequest();
}