diff options
Diffstat (limited to 'views')
-rw-r--r-- | views/default/input/button.php | 2 | ||||
-rw-r--r-- | views/default/input/form.php | 17 |
2 files changed, 13 insertions, 6 deletions
diff --git a/views/default/input/button.php b/views/default/input/button.php index 115324533..2249158e6 100644 --- a/views/default/input/button.php +++ b/views/default/input/button.php @@ -35,4 +35,4 @@ $src = $vars['src']; if (strpos($src,$CONFIG->wwwroot)===false) $src = ""; // blank src if trying to access an offsite image. ?> -<input type="<?php echo $type; ?>" class="<?php echo $type; ?>_button" <?php echo $vars['js']; ?> value="<?php $value; ?>" src="<?php echo $src; ?>" />
\ No newline at end of file +<input type="<?php echo $type; ?>" class="<?php echo $type; ?>_button" <?php echo $vars['js']; ?> value="<?php echo $value; ?>" src="<?php echo $src; ?>" />
\ No newline at end of file diff --git a/views/default/input/form.php b/views/default/input/form.php index 1f15b046f..5e4c7b001 100644 --- a/views/default/input/form.php +++ b/views/default/input/form.php @@ -17,15 +17,22 @@ * @uses $vars['action'] URL of the action being called * */ - -$body = $vars['body']; -$action = $vars['action']; -$enctype = $vars['enctype']; -$method = $vars['method']; if (!$method) $method = 'POST'; + + $body = $vars['body']; + $action = $vars['action']; + $enctype = $vars['enctype']; + $method = $vars['method']; if (!$method) $method = 'POST'; // TODO: Token generation + // Generate a security header + $ts = time(); + $token = generate_action_token($action, $ts); + $security_header = elgg_view('input/hidden', array('internalname' => '__elgg_token', 'value' => $token)); + $security_header .= elgg_view('input/hidden', array('internalname' => '__elgg_action', 'value' => $action)); + $security_header .= elgg_view('input/hidden', array('internalname' => '__elgg_ts', 'value' => $ts)); ?> <form action="<?php echo $action; ?>" method="<?php echo $method; ?>" <?php if ($enctype!="") echo "enctype=\"$enctype\""; ?>> +<?php echo $security_header; ?> <?php echo $body; ?> </form>
\ No newline at end of file |