From 28d23458bcceb495e3fae904caa0b494d41ad73f Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Thu, 31 Jul 2008 19:25:27 -0600
Subject: [PATCH] Switch to use {} form in JS, also *actually* implement key-based tokens.

Signed-off-by: Edward Z. Yang
---
 csrf-magic.js | 118 ++++++++++++++++++++++++++++++---------------------------
 csrf-magic.php | 10 +++--
 2 files changed, 69 insertions(+), 59 deletions(-)

diff --git a/csrf-magic.js b/csrf-magic.js
index 2152c13..e898518 100644
--- a/csrf-magic.js
+++ b/csrf-magic.js
@@ -7,7 +7,7 @@
 // Here are the basic overloaded method definitions
 // The wrapper must be set BEFORE onreadystatechange is written to, since
 // a bug in ActiveXObject prevents us from properly testing for it.
-var CsrfMagic = function (real) {
+CsrfMagic = function(real) {
 // try to make it ourselves, if you didn't pass it
 if (!real) try { real = new XMLHttpRequest; } catch (e) {;}
 if (!real) try { real = new ActiveXObject('Msxml2.XMLHTTP'); } catch (e) {;}
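Review bot: The new `CsrfMagic = function(real) {` drops the `var`, so the constructor is now created by assignment to an undeclared name, which is an implicit global and a ReferenceError under `'use strict'`. It works only because the script runs at top level; `var CsrfMagic = function(real) {` keeps the same global while declaring it explicitly. The constructor body continues outside the hunk.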
@@ -23,54 +23,58 @@ var CsrfMagic = function (real) {
 csrfMagic._updateProps();
 }
 
-CsrfMagic.prototype.open = function(method, url, async, username, password) {
- if (method == 'POST') this.csrf_isPost = true;
- // deal with Opera bug, thanks jQuery
- if (username) return this.csrf_open(method, url, async, username, password);
- else return this.csrf_open(method, url, async);
-}
-CsrfMagic.prototype.csrf_open = function(method, url, async, username, password) {
- if (username) return this.csrf.open(method, url, async, username, password);
- else return this.csrf.open(method, url, async);
-}
+CsrfMagic.prototype = {
 
-CsrfMagic.prototype.send = function(data) {
- if (!this.csrf_isPost) this.csrf_send(data);
- prepend = csrfMagicName + '=' + csrfMagicToken + '&';
- if (this.csrf_purportedLength === undefined) {
- this.csrf_setRequestHeader("Content-length", this.csrf_purportedLength + prepend.length);
- delete this.csrf_purportedLength;
- }
- delete this.csrf_isPost;
- return this.csrf_send(prepend + data);
-}
-CsrfMagic.prototype.csrf_send = function(data) {
- return this.csrf.send(data);
-}
+ open: function(method, url, async, username, password) {
+ if (method == 'POST') this.csrf_isPost = true;
+ // deal with Opera bug, thanks jQuery
+ if (username) return this.csrf_open(method, url, async, username, password);
+ else return this.csrf_open(method, url, async);
+ },
+ csrf_open: function(method, url, async, username, password) {
+ if (username) return this.csrf.open(method, url, async, username, password);
+ else return this.csrf.open(method, url, async);
+ },
 
-CsrfMagic.prototype.setRequestHeader = function(header, value) {
- // We have to auto-set this at the end, since we don't know how long the
- // nonce is when added to the data.
- if (this.csrf_isPost && header == "Content-length") {
- this.csrf_purportedLength = value;
- return;
- }
- return this.csrf_setRequestHeader(header, value);
-}
-CsrfMagic.prototype.csrf_setRequestHeader = function(header, value) {
- return this.csrf.setRequestHeader(header, value);
-}
+ send: function(data) {
+ if (!this.csrf_isPost) this.csrf_send(data);
+ prepend = csrfMagicName + '=' + csrfMagicToken + '&';
+ if (this.csrf_purportedLength === undefined) {
+ this.csrf_setRequestHeader("Content-length", this.csrf_purportedLength + prepend.length);
+ delete this.csrf_purportedLength;
+ }
+ delete this.csrf_isPost;
+ return this.csrf_send(prepend + data);
+ },
+ csrf_send: function(data) {
+ return this.csrf.send(data);
+ },
 
-CsrfMagic.prototype.abort = function () {
- return this.csrf.abort();
-}
-CsrfMagic.prototype.getAllResponseHeaders = function() {
- return this.csrf.getAllResponseHeaders();
-}
-CsrfMagic.prototype.getResponseHeader = function(header) {
- return this.csrf.getResponseHeader(header);
+ setRequestHeader: function(header, value) {
+ // We have to auto-set this at the end, since we don't know how long the
+ // nonce is when added to the data.
+ if (this.csrf_isPost && header == "Content-length") {
+ this.csrf_purportedLength = value;
+ return;
+ }
+ return this.csrf_setRequestHeader(header, value);
+ },
+ csrf_setRequestHeader: function(header, value) {
+ return this.csrf.setRequestHeader(header, value);
+ },
+
+ abort: function() {
+ return this.csrf.abort();
+ },
+ getAllResponseHeaders: function() {
+ return this.csrf.getAllResponseHeaders();
+ },
+ getResponseHeader: function(header) {
+ return this.csrf.getResponseHeader(header);
+ } // ,
 }
 
+
 // proprietary
 CsrfMagic.prototype._updateProps = function() {
 this.readyState = this.csrf.readyState;
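Review bot: The `send` method carries three defects into the new object literal that the move does not fix. `if (!this.csrf_isPost) this.csrf_send(data);` has no `return`, so a non-POST request is sent once unmodified and then falls through to a second `csrf_send` with the token prepended, which on an already-sent request is an invalid-state error in browsers I am aware of; `if (!this.csrf_isPost) return this.csrf_send(data);` is what was meant. `if (this.csrf_purportedLength === undefined)` is inverted: when no Content-length was captured it sets the header to `undefined + prepend.length` (NaN), and when one was captured it is never corrected, so the check should be `!== undefined` and, because `value` from `setRequestHeader` is usually a string, the sum should be `Number(this.csrf_purportedLength) + prepend.length`. `prepend = csrfMagicName + '=' + csrfMagicToken + '&';` is assigned without `var` and leaks the token string into a global. Note also that `CsrfMagic.prototype = { ... }` replaces the prototype object, so `CsrfMagic.prototype.constructor` no longer refers to `CsrfMagic`; `_updateProps`, added afterwards, is unaffected.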
@@ -89,18 +93,22 @@ CsrfMagic.process = function(base) {
 
 // Sets things up for Mozilla/Opera/nice browsers
 if (window.XMLHttpRequest && window.XMLHttpRequest.prototype) {
- XMLHttpRequest.prototype.csrf_open = XMLHttpRequest.prototype.open;
- XMLHttpRequest.prototype.csrf_send = XMLHttpRequest.prototype.send;
- XMLHttpRequest.prototype.csrf_setRequestHeader = XMLHttpRequest.prototype.setRequestHeader;
-
+ var x = XMLHttpRequest.prototype;
+ var c = CsrfMagic.prototype;
+
+ // Save the original functions
+ x.csrf_open = x.open;
+ x.csrf_send = x.send;
+ x.csrf_setRequestHeader = x.setRequestHeader;
+
 // Notice that CsrfMagic is itself an instantiatable object, but only
 // open, send and setRequestHeader are necessary as decorators.
- XMLHttpRequest.prototype.open = CsrfMagic.prototype.open;
- XMLHttpRequest.prototype.send = CsrfMagic.prototype.send;
- XMLHttpRequest.prototype.setRequestHeader = CsrfMagic.prototype.setRequestHeader;
+ x.open = c.open;
+ x.send = c.send;
+ x.setRequestHeader = c.setRequestHeader;
 } else {
 // The only way we can do this is by modifying a library you have been
- // using. We plan to support YUI, script.aculo.us, prototype, MooTools,
+ // using. We plan to support YUI, script.aculo.us, prototype, MooTools,
 // jQuery, Ext and Dojo.
 if (window.jQuery) {
 // jQuery didn't implement a new XMLHttpRequest function, so we have
@@ -131,8 +139,7 @@ if (window.XMLHttpRequest && window.XMLHttpRequest.prototype) {
 YAHOO.util.Connect.csrf_createXhrObject = YAHOO.util.Connect.createXhrObject;
 YAHOO.util.Connect.createXhrObject = function (transaction) {
 obj = YAHOO.util.Connect.csrf_createXhrObject(transaction);
- var old = obj.conn;
- obj.conn = new CsrfMagic(old);
+ obj.conn = new CsrfMagic(obj.conn);
 return obj;
 }
 } else if (window.Ext) {
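Review bot: `var x = XMLHttpRequest.prototype;` and `var c = CsrfMagic.prototype;` are declared inside a top-level `if`, where `var` has script scope, so the one-letter names `x` and `c` become page-wide globals that any other script can read or overwrite before or after this block runs. Wrapping the patching block in an immediately-invoked function, or at minimum using distinctive names such as `csrfXhrProto` and `csrfMagicProto`, keeps them out of the global namespace. The surrounding `if`/`else` chain continues outside the hunk.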
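Review bot: `obj = YAHOO.util.Connect.csrf_createXhrObject(transaction);`, the context line directly above the changed `obj.conn = new CsrfMagic(obj.conn);`, assigns `obj` without `var`, so every wrapped YUI transaction writes its request object into a global; the Ext wrapper in the next hunk (`obj = Ext.lib.Ajax.csrf_createXhrObject(transaction);`) has the same issue. Since the commit already edits both wrappers, `var obj = ...` in each is a one-line fix. The enclosing `else if` chain continues outside both hunks.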
@@ -142,8 +149,7 @@ if (window.XMLHttpRequest && window.XMLHttpRequest.prototype) {
 Ext.lib.Ajax.csrf_createXhrObject = Ext.lib.Ajax.createXhrObject;
 Ext.lib.Ajax.createXhrObject = function (transaction) {
 obj = Ext.lib.Ajax.csrf_createXhrObject(transaction);
- var old = obj.conn;
- obj.conn = new CsrfMagic(old);
+ obj.conn = new CsrfMagic(obj.conn);
 return obj;
 }
 } else if (window.dojo) {
diff --git a/csrf-magic.php b/csrf-magic.php
index 6af78f0..0e339d4 100644
--- a/csrf-magic.php
+++ b/csrf-magic.php
@@ -1,4 +1,4 @@
-