diff options
Diffstat (limited to 'views/default/input/form.php')
| -rw-r--r-- | views/default/input/form.php | 83 |
1 files changed, 43 insertions, 40 deletions
diff --git a/views/default/input/form.php b/views/default/input/form.php index da666318d..df30133b3 100644 --- a/views/default/input/form.php +++ b/views/default/input/form.php @@ -1,41 +1,44 @@ <?php - /** - * Create a form for data submission. - * Use this view for forms rather than creating a form tag in the wild as it provides - * extra security which help prevent CSRF attacks. - * - * @package Elgg - * @subpackage Core - * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2 - * @author Curverider Ltd - * @copyright Curverider Ltd 2008-2009 - * @link http://elgg.org/ - * - * @uses $vars['body'] The body of the form (made up of other input/xxx views and html - * @uses $vars['method'] Method (default POST) - * @uses $vars['enctype'] How the form is encoded, default blank - * @uses $vars['action'] URL of the action being called - * - */ - - if (isset($vars['internalid'])) { $id = $vars['internalid']; } else { $id = ''; } - if (isset($vars['internalname'])) { $name = $vars['internalname']; } else { $name = ''; } - $body = $vars['body']; - $action = $vars['action']; - if (isset($vars['enctype'])) { $enctype = $vars['enctype']; } else { $enctype = ''; } - if (isset($vars['method'])) { $method = $vars['method']; } else { $method = 'POST'; } - - // Generate a security header - $security_header = ""; - if ($vars['disable_security']!=true) - { - $ts = time(); - $token = generate_action_token($ts); - $security_header = elgg_view('input/hidden', array('internalname' => '__elgg_token', 'value' => $token)); - $security_header .= elgg_view('input/hidden', array('internalname' => '__elgg_ts', 'value' => $ts)); - } -?> -<form <?php if ($id) { ?>id="<?php echo $id; ?>" <?php } ?> <?php if ($name) { ?>name="<?php echo $name; ?>" <?php } ?> action="<?php echo $action; ?>" method="<?php echo $method; ?>" <?php if ($enctype!="") echo "enctype=\"$enctype\""; ?>> -<?php echo $security_header; ?> -<?php echo $body; ?> -</form>
\ No newline at end of file +/** + * Create a form for data submission. + * Use this view for forms as it provides protection against CSRF attacks. + * + * @package Elgg + * @subpackage Core + * + * @uses $vars['body'] The body of the form (made up of other input/xxx views and html + * @uses $vars['action'] The action URL of the form + * @uses $vars['method'] The submit method: post (default) or get + * @uses $vars['enctype'] Set to 'multipart/form-data' if uploading a file + * @uses $vars['disable_security'] turn off CSRF security by setting to true + * @uses $vars['class'] Additional class for the form + */ + +$defaults = array( + 'method' => "post", + 'disable_security' => FALSE, +); + +$vars = array_merge($defaults, $vars); + +if (isset($vars['class'])) { + $vars['class'] = "elgg-form {$vars['class']}"; +} else { + $vars['class'] = 'elgg-form'; +} + +$vars['action'] = elgg_normalize_url($vars['action']); +$vars['method'] = strtolower($vars['method']); + +$body = $vars['body']; +unset($vars['body']); + +// Generate a security header +if (!$vars['disable_security']) { + $body = elgg_view('input/securitytoken') . $body; +} +unset($vars['disable_security']); + +$attributes = elgg_format_attributes($vars); + +echo "<form $attributes><fieldset>$body</fieldset></form>"; |