Add csrf token to every form

2016-03-12 21:27:30 -05:00 · 2016-03-12 21:27:30 -05:00 · a496880211
commit a496880211
parent 03dc7d9227
1 changed files with 17 additions and 11 deletions
--- a/Core/Frameworks/Formal/Form.php
+++ b/Core/Frameworks/Formal/Form.php
@ -394,21 +394,27 @@ class Form {
            $sCloseButton = "";
        }

+        if (!isset($_SESSION['CSRF_TOKEN'])) {
+            throw new \LogicException('A CSRF token must be set in the session. Try clearing your cookies and logging in again');
+        }
+        $csrfToken = htmlspecialchars($_SESSION['CSRF_TOKEN']);
+
        $sActionUrl = $this->option("action");

        $sHtml = <<<HTML
 <form class="form-horizontal" action="{$sActionUrl}" method="post" enctype="multipart/formdata">
-	<input type="hidden" name="{$sSubmittedFlagName}" value="1" />
-	<input type="hidden" name="refreshed" value="0" />
-	<fieldset>
-		<legend style="line-height: 40px;">{$this->sDisplayTitle}</legend>
-		{$this->sDisplayMessage}
-		{$elements}
-		<div class="form-actions">
-			<button type="submit" class="btn btn-primary">Save changes</button>
-			{$sCloseButton}
-		</div>
-	</fieldset>
+    <input type="hidden" name="{$sSubmittedFlagName}" value="1" />
+    <input type="hidden" name="refreshed" value="0" />
+    <input type="hidden" name="csrf-token" value="{$csrfToken}" />
+    <fieldset>
+        <legend style="line-height: 40px;">{$this->sDisplayTitle}</legend>
+        {$this->sDisplayMessage}
+        {$elements}
+        <div class="form-actions">
+            <button type="submit" class="btn btn-primary">Save changes</button>
+            {$sCloseButton}
+        </div>
+    </fieldset>
 </form>
 HTML;