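/**
 * Failure handler invoked when the CSRF token check fails (Black Cat CMS variant).
 *
 * If a Content-Type header containing "json" has already been queued for the
 * response, a JSON error object is printed and the script exits. Otherwise a
 * 403 HTML page is emitted that replays the submitted fields (minus the token
 * field) through a "Try again" form.
 *
 * @param string $tokens  Debug description of the tokens. It is echoed into the
 *                        page unescaped, and only when CAT_Registry has
 *                        DEBUG_CSRF === true, so callers must pass HTML-safe
 *                        content.
 */
function cat_csrf_callback($tokens)
{
    // Look through the headers already queued for a JSON content type.
    foreach (headers_list() as $entry) {
        // A header with no ': ' separator would leave list() short by one
        // element; split on the first separator only and skip malformed entries.
        $parts = explode(': ', $entry, 2);
        if (count($parts) < 2) {
            continue;
        }
        list($key, $value) = $parts;
        if (strcasecmp('Content-type', $key) !== 0) {
            continue;
        }
        if (strpos($value, 'json') !== false) {
            // NOTE(review): no 403 is sent on this path, so the JSON error goes
            // out with whatever status is already set; presumably so that JS
            // handlers read success=false from the body - confirm before
            // changing, since a 200 here also hides the failure from access logs.
            print json_encode(array(
                'message' => 'CSRF check failed. Your form session may have expired, or you may not have cookies enabled.',
                'success' => false,
            ));
            exit;
        }
    }

    header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');

    $data = '';
    if (function_exists('csrf_flattenpost')) {
        // Name of the hidden token field; use strict string comparison so that
        // numeric-looking keys are not matched loosely.
        $tokenField = isset($GLOBALS['csrf']['input-name']) ? (string) $GLOBALS['csrf']['input-name'] : '';
        foreach (csrf_flattenpost($_POST) as $key => $value) {
            // Never replay the (stale) token itself.
            if ((string) $key === $tokenField) {
                continue;
            }
            // NOTE(review): htmlspecialchars() uses its default charset here
            // while the page below declares windows-1250 - confirm the two agree.
            $data .= '<input type="hidden" name="' . htmlspecialchars($key)
                . '" value="' . htmlspecialchars($value) . '" />';
        }
        $data = '<form method="post" action="">' . $data . '<input type="submit" value="Try again" /></form>';
    }

    echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">'
        . '<html><head>'
        . '<meta http-equiv="content-type" content="text/html; charset=windows-1250">'
        . '<title>Black Cat CMS Error Message</title>'
        . '</head><body>'
        . '<p>CSRF check failed. Your form session may have expired, or you may not have cookies enabled.</p>'
        . $data;
    // Debug output is opt-in; $tokens is documented as HTML-safe by the caller.
    if (CAT_Registry::exists('DEBUG_CSRF') && DEBUG_CSRF === true) {
        echo "<p>Debug: {$tokens}</p>";
    }
    echo '</body></html>';
}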
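/**
 * Default CSRF failure handler: sends a 403 and a plain HTML page offering to
 * re-submit the posted fields (minus the token field).
 *
 * @param string $tokens  Debug description of the tokens. It is echoed into the
 *                        page unescaped, so callers must pass HTML-safe content
 *                        (the original author states this is the case).
 */
function csrf_callback($tokens)
{
    header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');

    $data = '';
    // Guarded like cat_csrf_callback() so the handler degrades to an empty
    // form instead of a fatal error when the helper is not loaded.
    if (function_exists('csrf_flattenpost')) {
        // Strict string comparison avoids loose numeric-string matching.
        $tokenField = isset($GLOBALS['csrf']['input-name']) ? (string) $GLOBALS['csrf']['input-name'] : '';
        foreach (csrf_flattenpost($_POST) as $key => $value) {
            // Never replay the (stale) token itself.
            if ((string) $key === $tokenField) {
                continue;
            }
            $data .= '<input type="hidden" name="' . htmlspecialchars($key)
                . '" value="' . htmlspecialchars($value) . '" />';
        }
    }

    // $tokens is intentionally not escaped; see the docblock contract above.
    echo "<html><head><title>CSRF check failed</title></head>\n"
        . " <body>\n"
        . " <p>CSRF check failed. Your form session may have expired, or you may not have\n"
        . " cookies enabled.</p>\n"
        . " <form method='post' action=''>{$data}<input type='submit' value='Try again' /></form>\n"
        . " <p>Debug: {$tokens}</p></body></html>\n";
}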