From 1b2a85e896db1404d2d5fa709f4c86d6c58fc3f4 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Thu, 30 Aug 2007 21:14:29 +0200 Subject: Part 2 of the SecurityToken patch to avaoid CSRF attacks This patch adds a security token to all forms generated through the new form class. However it is only checked for possible dangerous actions like editing or profile changes. darcs-hash:20070830191429-7ad00-445efea47a09a4823dfe9e3434ba5b355a80daf6.gz --- inc/form.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'inc/form.php') diff --git a/inc/form.php b/inc/form.php index b011729ea..4e210ab07 100644 --- a/inc/form.php +++ b/inc/form.php @@ -51,6 +51,8 @@ class Doku_Form { /** * Constructor * + * Autoadds a security token + * * @param string $id ID attribute of the form. * @param string $action (optional) submit URL, defaults to DOKU_SCRIPT * @param string $method (optional) 'POST' or 'GET', default is post @@ -60,6 +62,8 @@ class Doku_Form { $this->id = $id; $this->action = ($action) ? $action : script(); if ($method) $this->method = $method; + + $this->addHidden('sectok', getSecurityToken()); } /** -- cgit v1.2.3
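Review bot: The added docblock line `Autoadds a security token` does not say which field is added or that the form itself never verifies the token, which is what a reader of Doku_Form needs before relying on it; the first hunk is inside the constructor's docblock and the constructor signature itself is outside the hunk. I would replace that line with `* Automatically adds a hidden 'sectok' field holding getSecurityToken(); the token is only verified by the actions that choose to check it (e.g. editing, profile changes), not by the form.` The wording "only checked for possible dangerous actions" comes from the commit description and belongs next to the code rather than only in the history.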
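Review bot: The new `$this->addHidden('sectok', getSecurityToken());` call at the end of the constructor runs for every form regardless of `$this->method`, so a form built with method 'GET' (which the docblock above explicitly allows) submits the CSRF token in the query string, where it is exposed in browser history, server access logs and outgoing Referer headers. Guarding the call on the method keeps the token out of URLs while leaving POST forms protected: `if (strtolower($this->method) === 'post') $this->addHidden('sectok', getSecurityToken());`. Whether GET forms ever reach a token-checked action is not visible on this page, but emitting the token only where it can be consumed safely avoids having to reason about that per form. The constructor's signature and the default of $this->method are outside the hunk, so the docblock's "default is post" is the only evidence of the default here.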