From 6f1d7a01029e0cbe5c8ec4f95a12177dd7397690 Mon Sep 17 00:00:00 2001 From: Matt Schwager Date: Fri, 1 May 2015 14:03:39 -0400 Subject: [PATCH 1/3] Moved window.onload handler to window event listener. --- js/csrfprotector.js | 4 ++++ libs/csrf/csrfprotector.php | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/js/csrfprotector.js b/js/csrfprotector.js index 6f37913..63e9dd4 100644 --- a/js/csrfprotector.js +++ b/js/csrfprotector.js @@ -314,3 +314,7 @@ function csrfprotector_init() { } } + +window.addEventListener("DOMContentLoaded", function() { + csrfprotector_init(); +}, false); diff --git a/libs/csrf/csrfprotector.php b/libs/csrf/csrfprotector.php index 6c63ee5..115a77c 100755 --- a/libs/csrf/csrfprotector.php +++ b/libs/csrf/csrfprotector.php @@ -417,9 +417,6 @@ public static function ob_handler($buffer, $flags) if ($arrayStr !== '') { $script .= 'CSRFP.checkForUrls = [' .$arrayStr .'];' .PHP_EOL; } - $script .= 'window.onload = function() {' .PHP_EOL; - $script .= ' csrfprotector_init();' .PHP_EOL; - $script .= '};' .PHP_EOL; $script .= '' .PHP_EOL; //implant the CSRFGuard js file to outgoing script From b6eb2d16f052352a35c351b2c0435a9b10cd680c Mon Sep 17 00:00:00 2001 From: Matt Schwager Date: Fri, 1 May 2015 14:08:47 -0400 Subject: [PATCH 2/3] Moved inline script to external JS file for CSP compliance. --- js/csrfprotector.js | 5 ++++- libs/csrf/csrfprotector.php | 23 ++++++++++------------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/js/csrfprotector.js b/js/csrfprotector.js index 63e9dd4..ad7b5d6 100644 --- a/js/csrfprotector.js +++ b/js/csrfprotector.js @@ -19,7 +19,10 @@ var CSRFP = { * * @var string array */ - checkForUrls: [], + checkForUrls: Array.prototype.slice.call(document.getElementsByName("checkForUrls")) + .map(function (element) { + return element.value; + }), /** * Function to check if a certain url is allowed to perform the request * With or without csrf token 
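Review bot: The `DOMContentLoaded` listener added at the end of the hunk only runs `csrfprotector_init()` if this file executes before that event fires; a copy evaluated later (inserted dynamically, or loaded with `async`) registers a handler that never runs, and the page stays uninitialised with no error to show for it. Checking the current state first keeps the late case working: `if (document.readyState !== "loading") { csrfprotector_init(); } else { window.addEventListener("DOMContentLoaded", csrfprotector_init, false); }`. Moving from the `window.onload = function() {...}` assignment that the PHP hunk below removes to a listener is the right direction, since that assignment overwrote any load handler the application had installed. The closing braces in the hunk's context belong to csrfprotector_init, whose body starts outside the hunk.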
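Review bot: The new `checkForUrls` initializer queries the DOM once, when the `CSRFP` object literal is evaluated, so the hidden inputs it reads by name must already be parsed at the moment this script executes; included any earlier in the document, the list is silently empty and the URL check documented just below it presumably never matches anything. The `@var string array` comment above the property should state that source and timing, e.g. `@var string array — read once from the hidden inputs csrfprotector.php implants; this file must execute after them`. `Array.prototype.map.call(document.getElementsByName(...), ...)` would also drop the intermediate `slice` copy, but that is cosmetic. The `CSRFP` literal starts before this hunk and continues past it.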
diff --git a/libs/csrf/csrfprotector.php b/libs/csrf/csrfprotector.php index 115a77c..b5c9c1a 100755 --- a/libs/csrf/csrfprotector.php +++ b/libs/csrf/csrfprotector.php @@ -396,30 +396,27 @@ public static function ob_handler($buffer, $flags) $buffer = preg_replace("/]*>/", "$0 ", $buffer); - $arrayStr = ''; + $urls = array(); if (!self::useCachedVersion()) { try { self::createNewJsCache(); } catch (exception $ex) { if (self::$config['verifyGetFor']) { - foreach (self::$config['verifyGetFor'] as $key => $value) { - if ($key != 0) $arrayStr .= ','; - $arrayStr .= "'". $value ."'"; - } + $urls = self::$config['verifyGetFor']; } } } - $script = '' .PHP_EOL; - - $script .= '' .PHP_EOL; + //implant hidden fields with check url information for reading in javascript + $hiddenInput = function ($str) { + return sprintf('', $str); + }; + $hiddenInputUrls = array_map($hiddenInput, $urls); + $hiddenInputUrlStr = implode(PHP_EOL, $hiddenInputUrls); + $buffer = str_ireplace('', $hiddenInputUrlStr . '', $buffer); //implant the CSRFGuard js file to outgoing script + $script = '' . PHP_EOL; $buffer = str_ireplace('', $script . '', $buffer, $count); if (!$count) $buffer .= $script; From 0cb5bef7e82ef065af68b62ce193fb9e5bf4e78a Mon Sep 17 00:00:00 2001 From: Matt Schwager Date: Mon, 4 May 2015 10:12:49 -0400 Subject: [PATCH 3/3] Changed hidden input csrf token name, and added check against the count of check URLs. --- js/csrfprotector.js | 2 +- libs/csrf/csrfprotector.php | 14 ++++++++------ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/js/csrfprotector.js b/js/csrfprotector.js index ad7b5d6..84e0465 100644 --- a/js/csrfprotector.js +++ b/js/csrfprotector.js @@ -19,7 +19,7 @@ var CSRFP = { * * @var string array */ - checkForUrls: Array.prototype.slice.call(document.getElementsByName("checkForUrls")) + checkForUrls: Array.prototype.slice.call(document.getElementsByName("CSRFP_checkForUrls")) .map(function (element) { return element.value; }), 
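Review bot: The `$hiddenInput` closure passes each configured URL straight into the `sprintf` format through `%s`, so a value containing `"` or `<` lands in the hidden input's value attribute unescaped and can terminate the attribute early (the markup in the format string is not visible on this page, so this assumes it is the hidden-input tag the preceding comment describes). Escape at that point: `return sprintf(..., htmlspecialchars($str, ENT_QUOTES, 'UTF-8'));`. Separately, the `str_ireplace` that implants `$hiddenInputUrlStr` has no `$count` fallback, unlike the `$script` implant two lines further down, so a document without the marker receives the script but never the URLs, and the GET-verification list silently ends up empty. The same lines recur unchanged inside the `if (count($urls) > 0)` block in the third patch of this series.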
diff --git a/libs/csrf/csrfprotector.php b/libs/csrf/csrfprotector.php index b5c9c1a..b1b20e3 100755 --- a/libs/csrf/csrfprotector.php +++ b/libs/csrf/csrfprotector.php @@ -408,12 +408,14 @@ public static function ob_handler($buffer, $flags) } //implant hidden fields with check url information for reading in javascript - $hiddenInput = function ($str) { - return sprintf('', $str); - }; - $hiddenInputUrls = array_map($hiddenInput, $urls); - $hiddenInputUrlStr = implode(PHP_EOL, $hiddenInputUrls); - $buffer = str_ireplace('', $hiddenInputUrlStr . '', $buffer); + if (count($urls) > 0) { + $hiddenInput = function ($str) { + return sprintf('', $str); + }; + $hiddenInputUrls = array_map($hiddenInput, $urls); + $hiddenInputUrlStr = implode(PHP_EOL, $hiddenInputUrls); + $buffer = str_ireplace('', $hiddenInputUrlStr . '', $buffer); + } //implant the CSRFGuard js file to outgoing script $script = '' . PHP_EOL;
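Review bot: `count($urls) > 0` on the first added line assumes `$urls` is an array, but it is assigned from `self::$config['verifyGetFor']` outside this hunk (in the previous patch of the series) after only a truthiness check, so a scalar config value passes that check and reaches `count()` and then `array_map()` as a non-array. Tightening the guard here, `if (is_array($urls) && count($urls) > 0) {`, or casting at the assignment, `$urls = (array) self::$config['verifyGetFor'];`, closes that. The comment above the block could also record the ordering contract the JS relies on: the inputs are read by name when csrfprotector.js is evaluated, so they must be implanted ahead of the script tag, which the replacement order below provides only when the marker is present. `ob_handler` continues on both sides of the hunk.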