diff options
Diffstat (limited to 'views')
-rw-r--r-- | views/failsafe/input/form.php | 6 | ||||
-rw-r--r-- | views/failsafe/input/securitytoken.php | 17 |
2 files changed, 23 insertions, 0 deletions
diff --git a/views/failsafe/input/form.php b/views/failsafe/input/form.php index 33ddfc3ea..35e718adb 100644 --- a/views/failsafe/input/form.php +++ b/views/failsafe/input/form.php @@ -41,7 +41,13 @@ if (isset($vars['method'])) { $method = strtolower($method); +// Generate a security header +$security_header = ""; +if (!isset($vars['disable_security']) || $vars['disable_security'] != true) { + $security_header = elgg_view('input/securitytoken'); +} ?> <form <?php if ($id) { ?>id="<?php echo $id; ?>" <?php } ?> <?php if ($name) { ?>name="<?php echo $name; ?>" <?php } ?> action="<?php echo $action; ?>" method="<?php echo $method; ?>" <?php if ($enctype!="") echo "enctype=\"$enctype\""; ?>> +<?php echo $security_header; ?> <?php echo $body; ?> </form>
\ No newline at end of file diff --git a/views/failsafe/input/securitytoken.php b/views/failsafe/input/securitytoken.php new file mode 100644 index 000000000..a2a4a0e01 --- /dev/null +++ b/views/failsafe/input/securitytoken.php @@ -0,0 +1,17 @@ +<?php +/** + * CSRF security token view for use with secure forms. + * + * It is still recommended that you use input/form. + * + * @package Elgg + * @subpackage Core + * @author Curverider Ltd + * @link http://elgg.org/ + */ + +$ts = time(); +$token = generate_action_token($ts); + +echo elgg_view('input/hidden', array('internalname' => '__elgg_token', 'value' => $token)); +echo elgg_view('input/hidden', array('internalname' => '__elgg_ts', 'value' => $ts)); |