X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fui%2Fui_controls.inc;h=bbe4c7f5142f3680055589e48ecbe906daaca390;hb=7b429726b63cd0ad02c5bd32a344e2764758e31a;hp=eaaccdca31110b3494c0651cd5ee025a083e8f3e;hpb=95a69c2506035fb3e300cdbd221cb979f403fc04;p=fa-stable.git

diff --git a/includes/ui/ui_controls.inc b/includes/ui/ui_controls.inc
index eaaccdca..bbe4c7f5 100644
--- a/includes/ui/ui_controls.inc
+++ b/includes/ui/ui_controls.inc
@@ -53,11 +53,27 @@ function start_form($multi=false, $dummy=false, $action="", $name="")
 
 function end_form($breaks=0)
 {
+	global $Ajax;
+
+	$_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true));
 	if ($breaks)
 		br($breaks);
-	echo "<input type=\"hidden\" name=\"_focus\" value=\"".get_post('_focus')."\">\n";
-	echo "<input type=\"hidden\" name=\"_modified\" value=\"".get_post('_modified', 0)."\">\n";
+	hidden('_focus');
+	hidden('_modified', get_post('_modified', 0));
+	hidden('_token', $_SESSION['csrf_token']);
 	echo "</form>\n";
+	$Ajax->activate('token');
+}
+
+function check_csrf_token()
+{
+	if ($_SESSION['csrf_token'] != @$_POST['_token'])
+	{
+		display_error(_("Request from outside of this page is forbidden."));
+		error_log(_("CSRF attack detected from: ").@$_SERVER['HTTP_HOST'].' ('.@$_SERVER['HTTP_REFERER'].')');
+		return false;
+	}
+	return true;
 }
 
 function start_table($class=false, $extra="", $padding='2', $spacing='0')
@@ -150,7 +166,7 @@ function access_string($label, $clean=false)
 	return $clean ? $label : array($label, $access);
 }
 
-function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0)
+function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0, $final=false)
 {
 	global $path_to_root;
 
@@ -170,8 +186,8 @@ function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0)
 		if ($id != 0)
 			echo "<td align=center><a href='$path_to_root/admin/attachments.php?vw=$id' target='blanc_'>"._("View Attachment")."</a></td>\n";
 		echo "<td align=center><a href='javascript:window.print();'>"._("Print")."</a></td>\n";
-	}	
-	echo "<td align=center><a href='javascript:goBack();'>".($no_menu ? _("Close") : _("Back"))."</a></td>\n";
+	}
+	echo "<td align=center><a href='javascript:goBack(".($final ? '-2' : '').");'>".($no_menu ? _("Close") : _("Back"))."</a></td>\n";
 	end_row();
 	end_table();
 	if ($center)
@@ -415,6 +431,15 @@ function tabbed_content_end() {
 	div_end(); // tabs widget
 }
 
+function tab_changed($name)
+{
+	$to = find_submit("{$name}_", false);
+	if (!$to) return null;
+
+	return array('from' => $from = get_post("_{$name}_sel"),
+		'to' => $to);
+}
+
 /* Table editor interfaces. Key is editor type
 	0 => url of editor page
 	1 => hotkey code