src/infrastructure/javelin/markup.php
function phabricator_form(PhabricatorUser $user, $attributes, $content) { | function phabricator_form(PhabricatorUser $user, $attributes, $content) { | ||||
$body = array(); | $body = array(); | ||||
$http_method = idx($attributes, 'method'); | $http_method = idx($attributes, 'method'); | ||||
$is_post = (strcasecmp($http_method, 'POST') === 0); | $is_post = (strcasecmp($http_method, 'POST') === 0); | ||||
$http_action = idx($attributes, 'action'); | $http_action = idx($attributes, 'action'); | ||||
$is_absolute_uri = 0; | |||||
if (phutil_nonempty_string($http_action)) { | if ($http_action === null) { | ||||
valerio.bozzolan: I would recommend a strict check here to avoid type juggling (0 == null) is true etc.
https… | |||||
Done Inline Actions👍 avivey: 👍 | |||||
// Not sure what this is. | |||||
$is_absolute_uri = false; | |||||
} else if ($http_action instanceof PhutilURI) { | |||||
// This is the happy path, I think | |||||
// For now, this is close enough - I suspect we'll stay with "https" schema | |||||
// for the rest of eternity. | |||||
$protocol = $http_action->getProtocol(); | |||||
$is_absolute_uri = ($protocol == 'http' || $protocol == 'https'); | |||||
} else if (is_string($http_action)) { | |||||
// Also good path? | |||||
$is_absolute_uri = preg_match('#^(https?:|//)#', $http_action); | $is_absolute_uri = preg_match('#^(https?:|//)#', $http_action); | ||||
} else { | |||||
throw new Exception( | |||||
pht( | |||||
'Unexpected object type provided as `action` - %s', | |||||
gettype($http_action))); | |||||
} | } | ||||
if ($is_post) { | if ($is_post) { | ||||
// NOTE: We only include CSRF tokens if a URI is a local URI on the same | // NOTE: We only include CSRF tokens if a URI is a local URI on the same | ||||
// domain. This is an important security feature and prevents forms which | // domain. This is an important security feature and prevents forms which | ||||
// submit to foreign sites from leaking CSRF tokens. | // submit to foreign sites from leaking CSRF tokens. | ||||
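Review bot: The PhutilURI branch (the `$protocol == 'http' || $protocol == 'https'` line) and the string branch disagree on protocol-relative targets: the regex treats `//host/...` as absolute, but a PhutilURI whose protocol is empty falls through as local, and the CSRF block that follows includes the token whenever `$is_absolute_uri` is false, so if PhutilURI can carry a domain without a protocol (I have not checked its parser) the token would be sent to a foreign host. Treating a non-empty host as absolute in that branch closes the gap and matches the string path: `$is_absolute_uri = ($protocol === 'http' || $protocol === 'https' || phutil_nonempty_string($http_action->getDomain()));`. The strict `===` also follows the earlier inline request for strict checks, and `(bool)preg_match(...)` in the string branch keeps the variable a bool in every branch instead of an int in one. The draft comments (`// Not sure what this is.`, `// This is the happy path, I think`, `// Also good path?`) should state what is known — e.g. `// No action given: the browser submits to the current page, which is local.` — or be dropped. phabricator_form continues past the hunk, including the CSRF block that this classification feeds.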
I would recommend a strict check here to avoid type juggling (0 == null) is true etc.
https://www.php.net/manual/en/types.comparisons.php