[core] support HypCommon's CSRF protection (on Ajax editing)

nao-pon · Aug 11, 2013 · 22f210c · 22f210c
1 parent 5c3245a
commit 22f210c
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/xoops_trust_path/modules/xpwiki/class/func/pukiwiki_func.php b/xoops_trust_path/modules/xpwiki/class/func/pukiwiki_func.php
@@ -3746,6 +3746,7 @@ function edit_form($page, $postdata, $digest = FALSE, $b_template = TRUE, $optio
 			$nonconvert = (empty($this->vars['nonconvert']))? '' : '<input type="hidden" name="nonconvert" value="1" />';
 			$enc_hint = '<input type="hidden" name="encode_hint" value="' . $this->cont['PKWK_ENCODING_HINT'] . '" />'
 			          . '<input type="hidden" name="charset" value="UTF-8" />';
+			$csrf_protect = isset($_SESSION['HYP_CSRF_TOKEN'])? '<input type="hidden" name="HypToken" value="'.htmlspecialchars($_SESSION['HYP_CSRF_TOKEN']).'" />' : '';
 			$attaches = '';
 			if ($s_id) {
 				$other_option = $template = $reading = $alias = $pageorder = '';
@@ -3756,7 +3757,7 @@ function edit_form($page, $postdata, $digest = FALSE, $b_template = TRUE, $optio
 			$other_hide = (! $other_option_checked)? 'style="display:none;"' : '';
 			$other_hide_js = '';
 		} else {
-			$nonconvert = $ajax_submit = $ajax_cancel = $enc_hint = $other_hide = '';
+			$nonconvert = $ajax_submit = $ajax_cancel = $enc_hint = $other_hide = $csrf_protect = '';
 			$form_class = $popup? 'edit_form_ajax' : 'edit_form';
 			$ajax_cancel = $popup? ' onsubmit="window.parent.XpWiki.PopupHide();return false;"' : '';
 			$other_hide_js = (! $other_option_checked)? '<script type="text/javascript">$(\'xpwiki_edit_other\').style.display = \'none\';</script>' : '';
@@ -3794,6 +3795,7 @@ function edit_form($page, $postdata, $digest = FALSE, $b_template = TRUE, $optio
   </div>
   $nonconvert
   $enc_hint
+  $csrf_protect
   $popup
   <input type="hidden" name="cmd"    value="edit" />
   <input type="hidden" name="page"   value="$s_page" />