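/**
 * Configuration hook for csrf-magic.
 *
 * Sets the library's 'rewrite-js' option to 'csrf-magic.js'.
 * NOTE(review): presumably invoked by csrf-magic.php while it loads, which
 * would explain why it is declared before the library is pulled in - confirm.
 */
function csrf_startup() {
    csrf_conf('rewrite-js', 'csrf-magic.js');
}

// Load the CSRF protection with require rather than include: if the library
// is missing or unreadable the request aborts, instead of raising a warning
// and serving the page with no CSRF checks at all (fail closed, not open).
require dirname(__FILE__) . '/csrf-magic.php';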
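// Handle an AJAX request: a POST carrying an 'ajax' field gets a fixed XML
// document back instead of the HTML test page.
// NOTE(review): presumably csrf-magic.php has already validated the token by
// the time this runs - confirm against the library.
if (isset($_POST['ajax'])) {
    header('Content-type: text/xml;charset=utf-8');
    echo '<?xml version="1.0" encoding="UTF-8" ?><response>Good!</response>';
    // Stop here so the HTML below is not appended to the XML response.
    exit;
}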
<title>Test page for csrf-magic</title>
<h1>Test page for csrf-magic</h1>
This page might be vulnerable to CSRF, but never fear: csrf-magic is here!
Close by: <a href="js-test/all.php">tests for Internet Explorer support with
all the major JavaScript libraries!</a>
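<?php if ($_SERVER['REQUEST_METHOD'] === 'POST') { ?>
<?php
    // Echo the submitted fields back for inspection. $_POST is request data,
    // so the dump is HTML-escaped before output; ENT_QUOTES and an explicit
    // charset keep the escaping independent of the PHP version's defaults.
    echo htmlspecialchars(var_export($_POST, true), ENT_QUOTES, 'UTF-8');
?>
<?php } ?>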
<form action="" method="post">
Form field: <input type="text" name="foobar" /><br />
<input type="submit" value="Submit" />
</form>
<FORM METHOD = "POST" ACTION="">
Another form field! <INPUT TYPE="TEXT" NAME="BARFOO" /><BR />
<INPUT TYPE="SUBMIT" value="Submit 2" />
</FORM>
<form action="" method="post">
This form fails CSRF validation (we cheated and overrode the CSRF token
later in the form.) <input type="submit" name="__csrf_magic" value="invalid" />
</form>
<form action="" method="get">
This form uses GET and is thus not protected.
<input type="submit" name="foo" value="Submit" />
</form>
How about some JavaScript?
<textarea id="js-output" cols="80" rows="10"></textarea>
<script type="text/javascript">
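// Form-encoded body for the AJAX test request.
var params = 'ajax=yes&var=foo';
// CsrfMagic is not defined in this file; it is used here through the
// XMLHttpRequest-style calls below (open, setRequestHeader).
var http = new CsrfMagic();
http.open('POST', 'test.php', true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// Content-length and Connection are deliberately not set: both are forbidden
// request header names for XMLHttpRequest, so browsers refuse the call and
// compute the values themselves.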
61 http
.onreadystatechange
= function () {
62 document
.getElementById('js-output').value
= http
.responseText
;