{"payload":{"allShortcutsEnabled":false,"fileTree":{"":{"items":[{"name":"jb","path":"jb","contentType":"directory"},{"name":"Owasp.CsrfGuard-2.js","path":"Owasp.CsrfGuard-2.js","contentType":"file"},{"name":"Owasp.CsrfGuard.js","path":"Owasp.CsrfGuard.js","contentType":"file"},{"name":"README.md","path":"README.md","contentType":"file"},{"name":"anchorToFormConversion","path":"anchorToFormConversion","contentType":"file"}],"totalCount":5}},"fileTreeProcessingTime":4.571111,"foldersToFetch":[],"repo":{"id":7860098,"defaultBranch":"master","name":"jforumCsrf","ownerLogin":"boyarsky","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2013-01-28T00:02:55.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/416926?v=4","public":true,"private":false,"isOrgOwned":false},"symbolsExpanded":false,"treeExpanded":true,"refInfo":{"name":"master","listCacheKey":"v0:1613694811.089559","canEdit":false,"refType":"branch","currentOid":"0785d86f8a33c4272ed0297348de553d0ea5b2fa"},"path":"Owasp.CsrfGuard-2.js","currentUser":null,"blob":{"rawLines":["// rolledback to owasp csrf guard 2 since 3 is failing so much in IE","",""," var tokenName = '%TOKEN_NAME%';","\tvar tokenValue = '%TOKEN_VALUE%';","","\tfunction updateAnchors()","\t{","\t\tupdateTag('a','href');","\t}","\t","\tfunction updateLinks()","\t{","\t\tupdateTag('link', 'href');","\t}","\t","\tfunction updateAreas()","\t{","\t\tupdateTag('area', 'href');","\t}","\t","\tfunction updateFrames()","\t{","\t\tupdateTag('frame', 'src');","\t}","\t","\tfunction updateIFrames()","\t{","\t\tupdateTag('iframe', 'src');","\t}","\t","\tfunction updateStyles()","\t{","\t\tupdateTag('style', 'src');","\t}","\t","\tfunction updateScripts()","\t{","\t\tupdateTag('script', 'src');","\t}","\t","\tfunction updateImages()","\t{","\t\tupdateTag('img', 'src');","\t}","\t","\tfunction updateForms()","\t{","\t\tvar pageTokens = {};","\t\tvar forms = document.getElementsByTagName('form');","\t\t","\t\tfor(i=0; i';","\t\t\t","\t\t\t//alert('new html: ' + html);","\t\t\t","\t\t\t//forms[i].innerHTML = html;","\t\t\t","\t\t\tinjectTokenAttribute(forms[i], \"action\", tokenName, tokenValue, pageTokens);","\t\t\t","\t\t\t// added action update from CSRF 3 (needed for posting) - with IE friendly change for adding name to node","\t\t\t","\t\t\t// hack to test if action is a string since IE returns [object] when action in form and as hidden field","\t\t\t// if not a string, assume it is our action and add token for now","\t\t\tvar action = forms[i].getAttributeNode(\"action\").nodeValue;","\t\t\tif(action != null && isValidUrl(action)) {","\t\t\t\tvar uri = parseUri(action);","\t\t\t\t","\t\t\t\t// IE hack from http://stackoverflow.com/questions/1650797/setting-name-of-dom-created-element-fails-in-ie-workaround","\t\t\t\tvar hidden;","\t\t\t try {","\t\t\t \thidden = document.createElement('');","\t\t\t } catch(e) {","\t\t\t \thidden = document.createElement(\"input\");","\t\t\t \thidden.type = \"hidden\";","\t\t\t \thidden.name = tokenName;","\t\t\t }","\t\t\t hidden.value = (pageTokens[uri] != null ? pageTokens[uri] : tokenValue);","\t\t\t\tforms[i].appendChild(hidden);","","\t\t\t}","\t\t\t","\t\t}","\t}","\t","\tfunction updateTag(name,attr)","\t{","\t\tvar links = document.getElementsByTagName(name);","\t\t","\t\tfor(i=0; i fragmentIdIndex + 1) {"," fragmentId = src.substring(fragmentIdIndex + 1);"," primaryURL = src.substring(0, fragmentIdIndex);"," }","\t\t\t\t\tvar index = primaryURL.indexOf('?');","\t\t\t\t var resultantURL;","\t\t\t\t\tif(index != -1)","\t\t\t\t\t{"," resultantURL = primaryURL + '&' + tokenName + '=' + tokenValue;","\t\t\t\t\t}","\t\t\t\t\telse","\t\t\t\t\t{"," resultantURL = primaryURL + '?' + tokenName + '=' + tokenValue;","\t\t\t\t\t}"," // Append the fragment id (if any) to the resultant URL"," if (fragmentId != \"\") {"," resultantURL = resultantURL + '#' + fragmentId;"," }"," //alert('new src ' + resultantURL);","","\t\t\t\t\tlinks[i].setAttribute(attr, resultantURL);","\t\t\t\t}","\t\t\t}","\t\t}","\t}","\t","\tfunction isHttpLink(src)","\t{","\t\tvar result = 0;","\t\t","\t\tif(src.substring(0, 4) == 'http' || src.substring(0, 1) == '/' || src.indexOf(':') == -1)","\t\t{","\t\t\tresult = 1;","\t\t}","\t\t","\t\treturn result;","\t}","\t","\t// ---------------------------------------------","\t// functions used by csrf 3","\t/** check if valid domain based on domainStrict **/","\tfunction isValidDomain(current, target) {","\t\tvar result = false;","\t\t","\t\t/** check exact or subdomain match **/","\t\tif(current == target) {","\t\t\tresult = true;","\t\t} else if(%DOMAIN_STRICT% == false) {","\t\t\tif(target.charAt(0) == '.') {","\t\t\t\tresult = current.endsWith(target);","\t\t\t} else {","\t\t\t\tresult = current.endsWith('.' + target);","\t\t\t}","\t\t}","\t\t","\t\treturn result;","\t}","","\tfunction getHost(url) {","\t\t// ie 8 wasn't recognizing hostname","\t\tif (/\\bMSIE/.test(navigator.userAgent) && !window.opera) {","\t\t\turl = canonicalizeUrl(url); // damn you, ie6 (and ie 8)","\t\t}","\t\tvar a = document.createElement('a');","\t\ta.href = url;","\t\treturn a.hostname; // will return hostname without port!","\t}","\t","\tfunction canonicalizeUrl(url) { // https://gist.github.com/2428561#gistcomment-306549","\t\tvar div = document.createElement('div');","\t\tdiv.innerHTML = \"\";","\t\tdiv.firstChild.href = url;","\t\tdiv.innerHTML = div.innerHTML;","\t\treturn div.firstChild.href;","\t}","","\t/** determine if uri/url points to valid domain **/","\tfunction isValidUrl(src) {","\t\tvar urlHost = getHost(src);","\t\treturn isValidDomain(document.domain, urlHost);","\t}","","\t/** parse uri from url **/","\tfunction parseUri(url) {","\t\tvar uri = \"\";","\t\tvar token = \"://\";","\t\tvar index = url.indexOf(token);","\t\tvar part = \"\";","\t\t","\t\t/**","\t\t * ensure to skip protocol and prepend context path for non-qualified","\t\t * resources (ex: \"protect.html\" vs","\t\t * \"/Owasp.CsrfGuard.Test/protect.html\").","\t\t */","\t\tif(index > 0) {","\t\t\tpart = url.substring(index + token.length);","\t\t} else if(url.charAt(0) != '/') {","\t\t\tpart = \"%CONTEXT_PATH%/\" + url;","\t\t} else {","\t\t\tpart = url;","\t\t}","\t\t","\t\t/** parse up to end or query string **/","\t\tvar uriContext = (index == -1);","\t\t","\t\tfor(var i=0; i