1 <?php
/**
 * Per-page csrf-magic startup hook.
 *
 * Presumably invoked by csrf-magic.php when that file is included below
 * (confirm in csrf-magic.php), so the configuration set here applies to
 * this test page only.
 */
function csrf_startup() {
    // Serve the client-side helper from the same directory as this page.
    csrf_conf('rewrite-js', 'csrf-magic.js');

    // The AJAX branch of this page answers with XML, so the HTML output
    // rewriter must stay off for those requests.
    $isAjaxRequest = isset($_POST['ajax']);
    if ($isAjaxRequest) {
        csrf_conf('rewrite', false);
    }
}
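// Load the CSRF filter. This is a require rather than an include on purpose:
// if the library cannot be loaded, the page must stop with a fatal error
// instead of carrying on and serving its forms without any CSRF protection.
require dirname(__FILE__) . '/csrf-magic.php';

// Handle an AJAX request: reply with a small XML document and stop before
// any of the HTML below is emitted.
if (isset($_POST['ajax'])) {
    header('Content-type: text/xml;charset=utf-8');
    echo '<?xml version="1.0" encoding="UTF-8" ?><response>Good!</response>';
    exit;
}

?>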
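<html lang="en">
<head>
<!-- Declare the document charset explicitly so the browser never has to
     sniff it; the escaping of posted data below assumes UTF-8. -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Test page for csrf-magic</title>
</head>
<body>
<h1>Test page for csrf-magic</h1>
<p>
This page might be vulnerable to CSRF, but never fear: csrf-magic is here!
Close by: <a href="js-test/all.php">tests for Internet Explorer support with
all the major JavaScript libraries!</a>
</p>
<?php // REQUEST_METHOD is always a string, so compare strictly. ?>
<?php if ($_SERVER['REQUEST_METHOD'] === 'POST') { ?>
<p>Post data:</p>
<pre>
<?php
// $_POST is untrusted input: escape it for the HTML text context and name
// the charset explicitly rather than relying on the runtime default.
echo htmlspecialchars(var_export($_POST, true), ENT_QUOTES, 'UTF-8');
?>
</pre>
<?php } ?>
<form action="" method="post">
Form field: <input type="text" name="foobar" /><br />
<input type="submit" value="Submit" />
</form>
<FORM METHOD = "POST" ACTION="">
Another form field! <INPUT TYPE="TEXT" NAME="BARFOO" /><BR />
<INPUT TYPE="SUBMIT" value="Submit 2" />
</FORM>
<form action="" method="post">
This form fails CSRF validation (we cheated and overrode the CSRF token
later in the form.) <br />
<input type="text" name="foobar[2]" />
<input type="submit" name="__csrf_magic" value="invalid" />
</form>
<form action="" method="get">
This form uses GET and is thus not protected.
<input type="submit" name="foo" value="Submit" />
</form>
<p>
How about some JavaScript?
</p>
<script type="text/javascript">
//<![CDATA[
// The tag is split so the form only exists once this script runs; it checks
// that dynamically written forms are handled too.
document.writeln('<for'+'m action="" method="post">Dynamically generated form: <input type="submit" /></form>');
//]]>
</script>
<textarea id="js-output" cols="80" rows="2"></textarea>
<script type="text/javascript">
//<![CDATA[
// Declared with var so the request body does not leak into a global.
var params = 'ajax=yes&var=foo';
var http = new CsrfMagic();
http.open('POST', 'test.php', true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// Browsers treat Content-length and Connection as forbidden request headers
// and ignore these two calls; they are left in place, presumably to exercise
// the CsrfMagic setRequestHeader pass-through.
http.setRequestHeader("Content-length", params.length);
http.setRequestHeader("Connection", "close");
http.onreadystatechange = function () {
    // Runs on every state change; the assignment made for the final state
    // is the one that stays visible in the textarea.
    document.getElementById('js-output').value = 'Ajax: ' + http.responseText;
};
http.send(params);
//]]>
</script>
</body>
</html>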