/**
 * Arrange for the CSRF protection code to be inserted into the forms and
 * links of the page that is currently being generated.
 *
 * No content is passed in and nothing is returned: the code is registered
 * through output_add_rewrite_var(), so PHP itself alters the page output.
 * The call does nothing when the visitor is not logged in, when the code
 * has already been registered, or when the current request is an AJAX
 * request.
 *
 * Note: output_add_rewrite_var() does a really bad job on the URIs within
 * the HTML. It appends parameters without considering whether it should
 * use '&' or '&amp;'. This results in invalid HTML!
 *
 * Security note: wherever the rewriter touches a link rather than a form,
 * the code becomes part of the URL's query string, where it can end up in
 * Referer headers, server logs and browser history. Which tags are
 * rewritten depends on PHP's url_rewriter.tags setting - confirm the
 * deployed value, and keep state-changing actions on POST forms.
 *
 * @return void
 */
public static function add_code()
{
    // No code is added unless the visitor is logged in, and the rewrite
    // variable is registered at most once (tracked by the static flag).
    // The checks short-circuit in this order.
    if (!self::__is_logged_in() || self::$already_added_code) {
        return;
    }

    // AJAX responses are left untouched: they are much more delicate in
    // what can be returned, and they usually exceed the request amount
    // limit pretty quickly (see active_decrease etc).
    // NOTE(review): skipping the rewrite only concerns this response. AJAX
    // requests are not CSRF-proof by themselves, so the validation code
    // (not shown here) should still require the code, or an equivalent
    // check, for state-changing AJAX calls - confirm.
    if (self::__is_ajax()) {
        return;
    }

    // The flag is raised before the code is fetched, so any later call
    // returns early.
    self::$already_added_code = true;

    $token = self::__get_code();
    output_add_rewrite_var(self::$formkey, $token);
}