Changeset View
Changeset View
Standalone View
Standalone View
src/infrastructure/javelin/markup.php
| Show First 20 Lines • Show All 71 Lines • ▼ Show 20 Lines | |||||
| function phabricator_form(PhabricatorUser $user, $attributes, $content) { | function phabricator_form(PhabricatorUser $user, $attributes, $content) { | ||||
| $body = array(); | $body = array(); | ||||
| $http_method = idx($attributes, 'method'); | $http_method = idx($attributes, 'method'); | ||||
| $is_post = (strcasecmp($http_method, 'POST') === 0); | $is_post = (strcasecmp($http_method, 'POST') === 0); | ||||
| $http_action = idx($attributes, 'action'); | $http_action = idx($attributes, 'action'); | ||||
| $is_absolute_uri = false; | |||||
| if ($http_action != null) { | |||||
| $is_absolute_uri = preg_match('#^(https?:|//)#', $http_action); | $is_absolute_uri = preg_match('#^(https?:|//)#', $http_action); | ||||
| } | |||||
| if ($is_post) { | if ($is_post) { | ||||
| // NOTE: We only include CSRF tokens if a URI is a local URI on the same | // NOTE: We only include CSRF tokens if a URI is a local URI on the same | ||||
| // domain. This is an important security feature and prevents forms which | // domain. This is an important security feature and prevents forms which | ||||
| // submit to foreign sites from leaking CSRF tokens. | // submit to foreign sites from leaking CSRF tokens. | ||||
| // In some cases, we may construct a fully-qualified local URI. For example, | // In some cases, we may construct a fully-qualified local URI. For example, | ||||
| ▲ Show 20 Lines • Show All 53 Lines • Show Last 20 Lines | |||||