示例#1
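<?php

/*
 * Minimal CSRF-protected form handler.
 *
 * The token check runs before a single byte of HTML is emitted, so a
 * rejection can still set the response status. The token for the form
 * rendered below is minted afterwards and must be HTML-escaped where it
 * is echoed.
 */
require __DIR__ . '/../vendor/autoload.php';

$csrf = new \Riimu\Kit\CSRF\CSRFHandler();

try {
    // true: throw on a bad or missing token instead of returning false,
    // so the failure cannot be silently ignored.
    // NOTE(review): which request methods validateRequest() actually checks
    // is decided inside the library - confirm against its docs if GET
    // requests to this page must also be covered.
    $csrf->validateRequest(true);
} catch (\Riimu\Kit\CSRF\InvalidCSRFTokenException $ex) {
    // Fail closed. http_response_code() emits the status on whatever
    // protocol the SAPI is speaking instead of hard-coding an HTTP/1.0
    // status line.
    http_response_code(400);
    exit('Bad CSRF Token!');
}

// Token carried by the hidden form field; it is secret material and is
// escaped at the point of output like any other value.
$token = $csrf->getToken();
?>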
<!DOCTYPE html>
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Simple Form</title>
 </head>
 <body>
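<?php
// Greet the submitter. The value comes straight from the request, so it is
// only accepted when it is a non-empty string: a `my_name[]=x` submission
// arrives as an array, which htmlspecialchars() cannot take. Output is
// escaped for the HTML context (ENT_QUOTES also covers attribute reuse).
$submittedName = isset($_POST['my_name']) ? $_POST['my_name'] : null;
if (is_string($submittedName) && $submittedName !== '') {
    printf("  <p>Hello <strong>%s</strong>!</p>" . PHP_EOL, htmlspecialchars($submittedName, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}
?>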
  <h3>Form with a CSRF token:</h3>
  <form method="post"><div>
    <input type="hidden" name="csrf_token" value="<?php
// The token is output like any other value: escape it for the attribute
// context rather than trusting that the library only ever produces safe
// characters.
echo htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>" />
   What is your name?
示例#2
文件: system.php 项目: uzerpllp/uzerp
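 /**
  * Validate the CSRF token for all unsafe request methods.
  *
  * Requests using a safe method (GET, HEAD, OPTIONS, TRACE) are not checked,
  * which means every handler reachable through those methods must be free
  * of state changes - a state-changing GET is not protected by this method.
  * Any other method must carry a token the CSRF library accepts; otherwise
  * the request is logged, answered with 400 and terminated.
  *
  * @return bool TRUE when the request is safe or carries a valid token;
  *              does not return at all on a bad or missing token.
  */
 private function csrfValid()
 {
     // Method names are compared case-insensitively in case the client
     // sent them in a different case than listed here.
     $requestMethod = strtolower($this->request->getMethod());
     $safeMethods = ['get', 'head', 'options', 'trace'];

     // Strict comparison: only an exact method string counts as safe.
     if (in_array($requestMethod, $safeMethods, true)) {
         return TRUE;
     }

     try {
         $csrf = new \Riimu\Kit\CSRF\CSRFHandler();
         // true: throw on failure instead of returning false, so the
         // rejection below cannot be skipped by accident.
         $csrf->validateRequest(true);
     } catch (\Riimu\Kit\CSRF\InvalidCSRFTokenException $ex) {
         // Fail closed. The URI (not the token) is logged so the rejection
         // is traceable without writing the secret to the log.
         error_log('Bad or missing CSRF token: ' . $this->request->getURI());
         // http_response_code() emits the status on the protocol the SAPI
         // is speaking instead of hard-coding an HTTP/1.0 status line.
         http_response_code(400);
         exit('Bad CSRF Token');
     }

     return TRUE;
 }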
示例#3
 /**
  * Validates a csrf enabled form.
  *
  * When the Riimu CSRF library is loadable, the current request must carry
  * a token it accepts. A rejected token is logged, the client is redirected
  * to the access-denied page and false is returned; this method does not
  * exit, so the caller must stop processing when it receives false.
  *
  * NOTE(review): if the library class cannot be loaded the check is skipped
  * and true is returned - the method fails open. Any deployment that relies
  * on this check must treat the library as a hard dependency.
  *
  * @return bool true when the token is valid or no CSRF library is present,
  *              false when validation failed
  */
 public static function csrfValidate()
 {
     if (!class_exists('\\Riimu\\Kit\\CSRF\\CSRFHandler')) {
         return true;
     }

     // The constructor flag is passed through exactly as the original call
     // did; see the library's constructor for what it selects.
     $handler = new \Riimu\Kit\CSRF\CSRFHandler(false);

     try {
         // true: throw on a bad or missing token instead of returning false.
         $handler->validateRequest(true);
     } catch (\Riimu\Kit\CSRF\InvalidCSRFTokenException $exception) {
         log::error($exception->getMessage());
         http::locationHeader('/error/accessdenied', 'Bad request');
         return false;
     }

     return true;
 }
示例#4
    $cache->setPrefixSize(0);
    $html = $cache->getOrCreate('jade-' . sha1_file($parser->getForm($req->formID)) . '-' . sha1_file('config/config.toml'), [], function () use($req, $parser, $stringifier) {
        return json_encode($stringifier->makeArray($parser->parseJade($req->formID)->makeFormPart()));
    });
    # We add asset URLs and the CSRF token outside of the getOrCreate function
    # so that these aren't getting cached.
    # Create a XSRF token
    $csrf = new \Riimu\Kit\CSRF\CSRFHandler();
    $token = $csrf->getToken();
    # Write the response
    $stringifier->writeArray(json_decode($html, true), $res, $token);
});
$klein->respond('POST', '/submit', function ($req, $res) use($parser, $stringifier) {
    $res->header('X-Frame-Options', 'DENY');
    # Check for XSRF
    $csrf = new \Riimu\Kit\CSRF\CSRFHandler();
    $csrf->validateRequest(true);
    # The name of the form is provided in the $_POST data,
    # not the URL!
    $page = $parser->parseJade($_POST['__form_name']);
    $config = Config::get();
    $res->header('Content-Type', 'application/json; charset=utf-8');
    # Do the form submission and create data that is
    # compatible with the frontend.
    return $page->form->getSubmissionPart(Result::ok(new ClientData($_POST, $_FILES)))->ifError(function ($val) {
        return Result::error(['success' => false, 'errors' => $val]);
    })->ifOk(function ($val) use($page, $config) {
        ob_start();
        $val = $page->outputs->run($val, $page);
        var_dump($val);
        $out = ob_get_clean();