From 633c198efcc8b6131cfde68028c717a380814f16 Mon Sep 17 00:00:00 2001 From: "Edward Z. Yang" Date: Mon, 4 Aug 2008 16:27:58 -0400 Subject: [PATCH] Initial commit. Setup xhtml-compiler. Signed-off-by: Edward Z. Yang --- .gitignore | 8 +++++++ .gitmodules | 3 +++ index.css | 21 ++++++++++++++++++ index.xhtml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xhtml-compiler | 1 + 5 files changed, 100 insertions(+) create mode 100644 .gitignore create mode 100644 .gitmodules create mode 100644 index.css create mode 100644 index.xhtml create mode 160000 xhtml-compiler diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9e657b2 --- /dev/null +++ b/.gitignore @@ -0,0 +1,8 @@ +# Global +*.html +*.xc-deps +*.rss +*.frag + +# Production +/.htaccess diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..f42ecc0 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "xhtml-compiler"] + path = xhtml-compiler + url = git://repo.or.cz/xhtml-compiler.git diff --git a/index.css b/index.css new file mode 100644 index 0000000..64f0bb9 --- /dev/null +++ b/index.css @@ -0,0 +1,21 @@ +#title { + text-align: center; + color:#111177; + font-size: 6em; +} +#body { + margin: 0 auto; + max-width: 37em; + width: expression(document.body.clientWidth > + 85 * parseInt(document.body.currentStyle.fontSize) ? + "37em": "auto"); + font-family: Calibri, sans-serif; +} +pre { + margin-left: 4em; +} +h2 { + text-align: center; + color:#668; + margin-top: 3em; +} diff --git a/index.xhtml b/index.xhtml new file mode 100644 index 0000000..8789119 --- /dev/null +++ b/index.xhtml @@ -0,0 +1,67 @@ + + + + +csrf-magic: Wizzard CSRF Protection for PHP + + + + + + +
+

csrf-magic

+
+

+ Securing your application against Cross-Site Request Forgery has never been + easier. Why rewrite every form on your website when a program can do it for + you? Simply drop this at the top of every PHP file: +

+
require_once '/path/to/csrf-magic.php';
+
+

+ ...and let the magic take care of the rest. Download it now! +

+

What is CSRF?

+

+ Cross-Site Request Forgery (CSRF) is a relatively new attack vector on +websites today. It involves an attacker tricking a browser into performing +an action on another website. For example, imagine this scenario. Bob +is the human resources manager +for a large and important company. He has the ability to hire and fire with +a click of a button... specifically, a web form button. Mallory, as a practical +joke, decides to setup a CSRF attack against Bob; she crafts a webpage which +submits a form onto the internal website that performs hirings and firings; then +she sends Bob an email to this webpage. The next day, every employee wakes up +to find a rather nasty pink slip in their inbox. +

+ +

Why csrf-magic?

+

+The current standard for preventing CSRF is creating a nonce that every user +submits with any form he/she submits. This is reasonably effective, but +incredibly tedious work; if you were hand-writing your forms or have multiple +avenues for POST data to enter your application, adding CSRF protection may not +seem worth the trouble. +

+ +

+This is where csrf-magic comes into play. csrf-magic uses PHP's output +buffering capabilities to dynamically rewrite forms and scripts in your document. +It will also intercept POST requests and check their token (various algorithms +are used, some generate nonces, some generate user-specific tokens). This means +with a traditional website with forms, you can drop it into your application, +and forget about it! +

+
+
+ + diff --git a/xhtml-compiler b/xhtml-compiler new file mode 160000 index 0000000..09ff247 --- /dev/null +++ b/xhtml-compiler @@ -0,0 +1 @@ +Subproject commit 09ff2471decc4e116cdef6157a5c62b0bc5e4c23 -- 2.11.4.GIT
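Review bot: the submodule in .gitmodules is fetched over `git://` (`url = git://repo.or.cz/xhtml-compiler.git`), a transport with no authentication or encryption, so the only integrity guarantee on the pulled-in xhtml-compiler code is the commit id pinned in the gitlink (`Subproject commit 09ff2471decc4e116cdef6157a5c62b0bc5e4c23`). The pin protects this checkout, but every later bump of that pin is a blind fetch over an unauthenticated channel; point the URL at an https:// (or ssh) remote if the host offers one, and keep the commit pinned rather than tracking a branch.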
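Review bot: the `width: expression(document.body.clientWidth > ...)` rule in index.css is an IE-only CSS expression, a proprietary feature that evaluates JavaScript on every reflow and is simply ignored as an invalid declaration by other browsers; on the landing page of a security library it also sets a poor precedent, since CSS expressions are the textbook example of script execution through style. The `max-width: 37em` on the same `#body` block already does the job in standards-compliant browsers, so drop the expression (or confine the IE fallback to a conditional comment) and accept an unconstrained width in old IE.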
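Review bot: the "Why csrf-magic?" section of index.xhtml says the library will "intercept POST requests and check their token" but never says what happens when the check fails (is the request rejected, logged, or passed through?), which of the "various algorithms" is the default, or whether anything beyond POST is covered; since the page promises users can "drop it into your application, and forget about it", it should state the failure behaviour plainly and note that state-changing handlers reached by GET are not protected by a POST token check. Two wording fixes in the same hunk: the title reads `Wizzard CSRF Protection for PHP` (presumably "Wizard"), and "decides to setup a CSRF attack" should be "set up".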