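<?php
/**
 * Create a form for data submission.
 * Use this view for forms rather than creating a form tag in the wild as it provides
 * extra security which helps prevent CSRF attacks: every form rendered here carries
 * hidden __elgg_token, __elgg_action and __elgg_ts fields so the submission can be
 * checked against the token on the receiving side.
 *
 * @package Elgg
 * @subpackage Core
 * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
 * @author Marcus Povey
 * @copyright Curverider Ltd 2008
 * @link http://elgg.org/
 *
 * @uses $vars['body'] The body of the form (made up of other input/xxx views and html);
 *                     it is echoed verbatim, so it must already be safe HTML
 * @uses $vars['method'] Method (default POST)
 * @uses $vars['enctype'] How the form is encoded, default blank
 * @uses $vars['action'] URL of the action being called
 *
 */
// Read the view parameters defensively so a missing key does not raise a notice.
$body = isset($vars['body']) ? $vars['body'] : '';
$action = isset($vars['action']) ? $vars['action'] : '';
$enctype = isset($vars['enctype']) ? $vars['enctype'] : '';
// empty() keeps the original "any falsy value means default" behaviour without a notice.
$method = !empty($vars['method']) ? $vars['method'] : 'POST';

// Generate the security header: a token bound to this action and timestamp, plus the
// action and timestamp themselves so the token can be recomputed and compared later.
$ts = time();
$token = generate_action_token($action, $ts);
$security_header = elgg_view('input/hidden', array('internalname' => '__elgg_token', 'value' => $token));
$security_header .= elgg_view('input/hidden', array('internalname' => '__elgg_action', 'value' => $action));
$security_header .= elgg_view('input/hidden', array('internalname' => '__elgg_ts', 'value' => $ts));

// Values placed inside form attributes are escaped for the HTML attribute context so a
// quote or angle bracket in the caller-supplied URL/method/enctype cannot break out of
// the attribute. $body is deliberately left unescaped: it is composed of rendered views.
$action_attr = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
$method_attr = htmlspecialchars($method, ENT_QUOTES, 'UTF-8');
$enctype_attr = '';
if ($enctype !== '') {
	$enctype_attr = ' enctype="' . htmlspecialchars($enctype, ENT_QUOTES, 'UTF-8') . '"';
}
?>
<form action="<?php echo $action_attr; ?>" method="<?php echo $method_attr; ?>"<?php echo $enctype_attr; ?>>
<?php echo $security_header; ?>
<?php echo $body; ?>
</form>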