@@ -38,7 +38,7 @@ class ezxFormToken
3838 static protected $ intention = 'legacy ' ;
3939
4040 /**
41- * @var string
41+ * @var string Custom Form field, by default set to system default form field (self::FORM_FIELD).
4242 */
4343 static protected $ formField = self ::FORM_FIELD ;
4444
@@ -90,6 +90,8 @@ static public function setIntention( $intention )
9090 }
9191
9292 /**
93+ * Get the custom form field.
94+ *
9395 * @return string
9496 */
9597 static protected function getFormField ()
@@ -98,6 +100,8 @@ static protected function getFormField()
98100 }
99101
100102 /**
103+ * Set the custom form field.
104+ *
101105 * @param string $formField
102106 */
103107 static public function setFormField ( $ formField )
@@ -137,6 +141,11 @@ static public function input( eZURI $uri )
137141 {
138142 $ token = $ _POST [self ::getFormField ()];
139143 }
144+ // For historical reasons also check the system default form field
145+ else if ( !empty ( $ _POST [self ::FORM_FIELD ] ) )
146+ {
147+ $ token = $ _POST [self ::FORM_FIELD ];
148+ }
140149 // allow ajax calls using POST with other formats than forms (such as
141150 // json or xml) to still validate using a custom http header
142151 else if ( !empty ( $ _SERVER ['HTTP_X_CSRF_TOKEN ' ] ) )
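Review bot: The new fallback branch copies the `!empty()` test from the custom-field branch, which accepts any non-empty value including a PHP array parameter, so `$token` can leave this chain as an array before reaching whatever comparison follows; the custom-field branch just above has the same shape, but its condition sits before the hunk. Guarding on the type keeps the later check well-typed: `else if ( !empty( $_POST[self::FORM_FIELD] ) && is_string( $_POST[self::FORM_FIELD] ) )`. Since the system default name is now honoured whenever the custom field is absent or empty, a debug line in this branch (via `eZDebugSetting::writeDebug`, as output() already does) would make remaining senders of the legacy field visible, and the `setFormField` docblock could state that input() still accepts the system default field as a fallback. input()'s body starts before and continues after this hunk.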
@@ -188,19 +197,22 @@ static public function output( $templateResult, $filterForms = true )
188197 }
189198
190199 $ token = self ::getToken ();
191- $ field = self ::getFormField ();
200+ $ customfield = self ::getFormField ();
201+ $ defaultField = self ::FORM_FIELD ;
192202 $ replaceKey = self ::REPLACE_KEY ;
193203
194204 eZDebugSetting::writeDebug ( 'ezformtoken ' , 'Output protected (all forms will be modified) ' , __METHOD__ );
195205
206+ // Inject token for programmatical use (also system default for historical reasons)
196207 // If document has head tag, insert in a html5 valid and semi standard way
197208 if ( strpos ( $ templateResult , '<head> ' ) !== false )
198209 {
199210 $ templateResult = str_replace (
200211 '<head> ' ,
201212 "<head> \n"
202- . "<meta name= \"csrf-param \" content= \"{$ field }\" /> \n"
203- . "<meta name= \"csrf-token \" id= \"{$ field }_js \" title= \"{$ token }\" content= \"{$ token }\" /> \n" ,
213+ . "<meta name= \"csrf-param \" content= \"{$ customfield }\" /> \n"
214+ . "<meta name= \"csrf-token \" id= \"{$ customfield }_js \" title= \"{$ token }\" content= \"{$ token }\" /> \n"
215+ . ($ defaultField !== $ customfield ? "<meta name= \"csrf-token-x \" id= \"{$ defaultField }_js \" title= \"{$ token }\" content= \"{$ token }\" /> \n" : '' ),
204216 $ templateResult
205217 );
206218 }
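Review bot: The two new locals are named inconsistently, `$customfield` beside `$defaultField` and the `$formField` property, and the legacy-field ternary is written inline inside a string concatenation here and again in the `<body>` span branch of the next hunk. Naming the local `$customField` and computing the legacy markup once, before the `<head>` test, turns both branches into plain concatenations and keeps the two conditions from drifting apart. The new comment `// Inject token for programmatical use` reads better as `// Inject token for programmatic use (also under the system default field for historical reasons)`. `$customField` is still interpolated into HTML attributes unescaped; it comes from the public `setFormField()` rather than from request data, so this is unchanged from the old `$field`, but an `htmlspecialchars()` would be cheap insurance if the setter is ever fed from configuration. output()'s body starts before and continues after this hunk.
```php
$token = self::getToken();
$customField = self::getFormField();
$defaultField = self::FORM_FIELD;

// Legacy: when a custom field is configured, also publish the token under the system default name
$legacyMeta = $defaultField !== $customField
    ? "<meta name=\"csrf-token-x\" id=\"{$defaultField}_js\" title=\"{$token}\" content=\"{$token}\" />\n"
    : '';

// … unchanged: $replaceKey, debug output and the <head> test …
$templateResult = str_replace(
    '<head>',
    "<head>\n"
    . "<meta name=\"csrf-param\" content=\"{$customField}\" />\n"
    . "<meta name=\"csrf-token\" id=\"{$customField}_js\" title=\"{$token}\" content=\"{$token}\" />\n"
    . $legacyMeta,
    $templateResult
);
```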
@@ -209,16 +221,18 @@ static public function output( $templateResult, $filterForms = true )
209221 {
210222 $ templateResult = preg_replace (
211223 '/(<body[^>]*>)/i ' ,
212- '\\1 ' . "\n<span style='display:none;' id= \"{$ field }_js \" title= \"{$ token }\"></span> \n" ,
224+ '\\1 ' . "\n<span style='display:none;' id= \"{$ customfield }_js \" title= \"{$ token }\"></span> \n"
225+ . ($ defaultField !== $ customfield ? "\n<span style='display:none;' id= \"{$ defaultField }_js \" title= \"{$ token }\"></span> \n" : '' ),
213226 $ templateResult
214227 );
215228 }
216229
230+ // For forms we set the custom field which will be sent back to this class and evaluated
217231 if ( $ filterForms )
218232 {
219233 $ templateResult = preg_replace (
220234 '/(<form\W[^>]*\bmethod=( \'|"|)POST( \'|"|)\b[^>]*>)/i ' ,
221- '\\1 ' . "\n<input type= \"hidden \" name= \"{$ field }\" value= \"{$ token }\" /> \n" ,
235+ '\\1 ' . "\n<input type= \"hidden \" name= \"{$ customfield }\" value= \"{$ token }\" /> \n" ,
222236 $ templateResult
223237 );
224238 }