X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fui%2Fui_controls.inc;h=e1c5ffccf2487d6ee1020c4be8b2ff4d4e216570;hb=a771b6cb35770f7b8b5087caf923aeec8fbefe96;hp=6d0ccf99b3ab0018a9a358bf7a336475e6873de7;hpb=a4a97ed8c4aa263e985680dea7dd82163bd98519;p=fa-stable.git diff --git a/includes/ui/ui_controls.inc b/includes/ui/ui_controls.inc index 6d0ccf99..e1c5ffcc 100644 --- a/includes/ui/ui_controls.inc +++ b/includes/ui/ui_controls.inc @@ -32,10 +32,15 @@ function get_post($name, $dflt='') ((!isset($_POST[$name]) || $_POST[$name] === '') ? $dflt : $_POST[$name]); } //--------------------------------------------------------------------------------- +$form_nested = -1; function start_form($multi=false, $dummy=false, $action="", $name="") { // $dummy - leaved for compatibility with 2.0 API + global $form_nested; + + if (++$form_nested) return; + if ($name != "") $name = "name='$name'"; @@ -53,11 +58,29 @@ function start_form($multi=false, $dummy=false, $action="", $name="") function end_form($breaks=0) { + global $Ajax, $form_nested; + + if ($form_nested-- > 0) return; + + $_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true)); if ($breaks) br($breaks); - echo "\n"; - echo "\n"; + hidden('_focus'); + hidden('_modified', get_post('_modified', 0)); + hidden('_token', $_SESSION['csrf_token']); echo "\n"; + $Ajax->activate('_token'); +} + +function check_csrf_token() +{ + if ($_SESSION['csrf_token'] != @$_POST['_token']) + { + display_error(_("Request from outside of this page is forbidden.")); + error_log(_("CSRF attack detected from: ").@$_SERVER['HTTP_HOST'].' ('.@$_SERVER['HTTP_REFERER'].')'); + return false; + } + return true; } function start_table($class=false, $extra="", $padding='2', $spacing='0') @@ -150,7 +173,7 @@ function access_string($label, $clean=false) return $clean ? $label : array($label, $access); } -function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0) +function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0, $final=false) { global $path_to_root; @@ -161,17 +184,17 @@ function hyperlink_back($center=true, $no_menu=true, $type_no=0, $trans_no=0) { include_once($path_to_root."/admin/db/attachments_db.inc"); $id = has_attachment($type_no, $trans_no); - } + $attach = get_attachment_string($type_no, $trans_no); + echo $attach; + } $width = ($id != 0 ? "30%" : "20%"); start_table(false, "width=$width"); start_row(); if ($no_menu) { - if ($id != 0) - echo "