Implement MooTools, also improve previous test code.
[csrf-magic.git] / test.php
1 <?php
/**
 * Configuration hook for csrf-magic.
 *
 * Sets the 'rewrite-js' option to 'csrf-magic.js' through csrf_conf().
 *
 * NOTE(review): this function is declared before csrf-magic.php is included
 * and is never called in this file, so presumably the library calls it during
 * its own start-up. Confirm against csrf-magic.php.
 * NOTE(review): 'rewrite-js' looks like the URL of the client-side script that
 * adds the CSRF token to forms and XMLHttpRequest calls built in the browser.
 * The value is a relative URL, so it presumably resolves against the page that
 * includes this file. Verify before copying the setting elsewhere.
 */
function csrf_startup()
{
    $option = 'rewrite-js';
    $scriptUrl = 'csrf-magic.js';

    csrf_conf($option, $scriptUrl);
}
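// Load the CSRF protection library that sits next to this file.
// `require` is used instead of `include` so the page fails closed: with
// `include`, a missing or unreadable csrf-magic.php only raises a warning and
// the rest of this page would still run, accepting POSTs with no protection
// while looking like a passing test.
require dirname(__FILE__) . '/csrf-magic.php';

// Handle an AJAX request.
// Any POST carrying an `ajax` field gets a fixed XML acknowledgement and the
// HTML template below is skipped. This branch sits after the library is
// loaded, so presumably a request that failed the token check never gets
// here. Confirm against csrf-magic.php.
if (isset($_POST['ajax'])) {
    header('Content-type: text/xml;charset=utf-8');
    echo '<?xml version="1.0" encoding="UTF-8" ?><response>Good!</response>';
    exit;
}
// End of the PHP preamble; everything below is the HTML template.
?>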
16 <html lang="en">
17 <head>
18 <title>Test page for csrf-magic</title>
19 </head>
20 <body>
21 <h1>Test page for csrf-magic</h1>
22 <p>
23 This page might be vulnerable to CSRF!
24 </p>
<?php
/*
 * Debug echo of the submitted fields, rendered only when the page was reached
 * by POST. $_POST is entirely client-controlled, so the var_export() dump is
 * passed through htmlspecialchars() before it is written into the <pre>
 * element; without that escaping a submitted value containing markup would be
 * reflected into the page as HTML.
 */
if ($_SERVER['REQUEST_METHOD'] == 'POST') : ?>
<p>Post data:</p>
<pre>
<?php echo htmlspecialchars(var_export($_POST, true)); ?>
</pre>
<?php endif; ?>
31 <form action="" method="post">
32 Form field: <input type="text" name="foobar" /><br />
33 <input type="submit" value="Submit" />
34 </form>
35 <FORM METHOD = "POST" ACTION="">
36 Another form field! <INPUT TYPE="TEXT" NAME="BARFOO" /><BR />
37 <INPUT TYPE="SUBMIT" value="Submit 2" />
38 </FORM>
39 <form action="" method="get">
40 This form is not protected.
41 <input type="submit" name="foo" value="Submit" />
42 </form>
43 <p>
44 How about some JavaScript?
45 </p>
46 <textarea id="js-output" cols="80" rows="10"></textarea>
47 <script type="text/javascript">
48 //<![CDATA[
// Background POST back to this page, used to check that script-built requests
// are covered as well as HTML forms. The body below carries no CSRF token.
// NOTE(review): presumably the script configured as 'rewrite-js' wraps
// XMLHttpRequest and adds the token before the request leaves the browser.
// Confirm against csrf-magic.js.
params = 'ajax=yes&var=foo';

var http = new XMLHttpRequest();
http.open('POST', 'test.php', true);

// Content-length and Connection are headers the browser manages itself, and
// current browsers refuse to let script set them.
// NOTE(review): if the rewrite script appends a token to the body, a length
// taken from `params` alone would be stale. The call may be here on purpose to
// exercise the library's handling of it, so it is kept. Confirm.
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.setRequestHeader("Content-length", params.length);
http.setRequestHeader("Connection", "close");

// Runs on every readyState change, not only on completion, so the textarea may
// briefly show a partial body. The text is assigned to `.value`, so the
// response is displayed as plain text and never parsed as markup.
http.onreadystatechange = function () {
    var outputBox = document.getElementById('js-output');
    outputBox.value = http.responseText;
};

http.send(params);
59 //]]>
60 </script>
61 </body>
62 </html>