function end_form($breaks=0)
{
+ global $Ajax;
+
+ $_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true));
if ($breaks)
br($breaks);
- echo "<input type=\"hidden\" name=\"_focus\" value=\"".get_post('_focus')."\">\n";
- echo "<input type=\"hidden\" name=\"_modified\" value=\"".get_post('_modified', 0)."\">\n";
+ hidden('_focus');
+ hidden('_modified', get_post('_modified', 0));
+ hidden('_token', $_SESSION['csrf_token']);
echo "</form>\n";
+ $Ajax->activate('token');
+}
+
+function check_csrf_token()
+{
+ if ($_SESSION['csrf_token'] != @$_POST['_token'])
+ {
+ display_error(_("Request from outside of this page is forbidden."));
+ error_log(_("CSRF attack detected from: ").@$_SERVER['HTTP_HOST'].' ('.@$_SERVER['HTTP_REFERER'].')');
+ return false;
+ }
+ return true;
}
function start_table($class=false, $extra="", $padding='2', $spacing='0')
return $clean ? $label : array($label, $access);
}
-function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0)
+function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0, $final=false)
{
global $path_to_root;
if ($id != 0)
echo "<td align=center><a href='$path_to_root/admin/attachments.php?vw=$id' target='blanc_'>"._("View Attachment")."</a></td>\n";
echo "<td align=center><a href='javascript:window.print();'>"._("Print")."</a></td>\n";
- }
- echo "<td align=center><a href='javascript:goBack();'>".($no_menu ? _("Close") : _("Back"))."</a></td>\n";
+ }
+ echo "<td align=center><a href='javascript:goBack(".($final ? '-2' : '').");'>".($no_menu ? _("Close") : _("Back"))."</a></td>\n";
end_row();
end_table();
if ($center)
div_end(); // tabs widget
}
+function tab_changed($name)
+{
+ $to = find_submit("{$name}_", false);
+ if (!$to) return null;
+
+ return array('from' => $from = get_post("_{$name}_sel"),
+ 'to' => $to);
+}
+
/* Table editor interfaces. Key is editor type
0 => url of editor page
1 => hotkey code
projects / fa-stable.git / blobdiff