Changeset View
Changeset View
Standalone View
Standalone View
src/infrastructure/javelin/markup.php
| Show First 20 Lines • Show All 71 Lines • ▼ Show 20 Lines | |||||
| function phabricator_form(PhabricatorUser $user, $attributes, $content) { | function phabricator_form(PhabricatorUser $user, $attributes, $content) { | ||||
| $body = array(); | $body = array(); | ||||
| $http_method = idx($attributes, 'method'); | $http_method = idx($attributes, 'method'); | ||||
| $is_post = (strcasecmp($http_method, 'POST') === 0); | $is_post = (strcasecmp($http_method, 'POST') === 0); | ||||
| $http_action = idx($attributes, 'action'); | $http_action = idx($attributes, 'action'); | ||||
| $is_absolute_uri = 0; | |||||
| if (phutil_nonempty_string($http_action)) { | if ($http_action === null) { | ||||
valerio.bozzolan: I would recommend a strict check here to avoid type juggling (0 == null) is true etc.
https… | |||||
Done Inline Actions👍 avivey: 👍 | |||||
| // Not sure what this is. | |||||
| $is_absolute_uri = false; | |||||
| } else if ($http_action instanceof PhutilURI) { | |||||
| // This is the happy path, I think | |||||
| // For now, this is close enough - I suspect we'll stay with "https" schema | |||||
| // for the rest of eternity. | |||||
| $protocol = $http_action->getProtocol(); | |||||
| $is_absolute_uri = ($protocol == 'http' || $protocol == 'https'); | |||||
| } else if (is_string($http_action)) { | |||||
| // Also good path? | |||||
| $is_absolute_uri = preg_match('#^(https?:|//)#', $http_action); | $is_absolute_uri = preg_match('#^(https?:|//)#', $http_action); | ||||
| } else { | |||||
| throw new Exception( | |||||
| pht( | |||||
| 'Unexpected object type provided as `action` - %s', | |||||
| gettype($http_action))); | |||||
| } | } | ||||
| if ($is_post) { | if ($is_post) { | ||||
| // NOTE: We only include CSRF tokens if a URI is a local URI on the same | // NOTE: We only include CSRF tokens if a URI is a local URI on the same | ||||
| // domain. This is an important security feature and prevents forms which | // domain. This is an important security feature and prevents forms which | ||||
| // submit to foreign sites from leaking CSRF tokens. | // submit to foreign sites from leaking CSRF tokens. | ||||
| ▲ Show 20 Lines • Show All 54 Lines • Show Last 20 Lines | |||||
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0
I would recommend a strict check here to avoid type juggling (0 == null) is true etc.
https://www.php.net/manual/en/types.comparisons.php