PHP Cross Reference of Phabricator |
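<?php

/**
 * Render a tag via phutil_tag() after translating the Javelin shorthand
 * attributes into the concrete HTML attributes they stand for.
 *
 * Shorthand keys handled here (each is removed from the attribute list once
 * processed):
 *
 *   - `sigil`: copied to `data-sigil` when not null.
 *   - `meta`: registered with the static resource response obtained from
 *     CelerityAPI; the identifier returned by addMetadata() is stored in
 *     `data-meta`.
 *   - `mustcapture`: a truthy value sets `data-mustcapture` to '1', any other
 *     value removes `data-mustcapture`.
 *   - `aural`: a truthy value prefixes the class list with `aural-only`; a
 *     falsy (non-null) value prefixes it with `visual-only` and sets
 *     `aria-hidden` to 'true'.
 *
 * @param string      Tag name, passed through to phutil_tag().
 * @param array       Map of attributes, optionally including the shorthand
 *                    keys above.
 * @param wild        Tag content, passed through to phutil_tag() unchanged.
 * @return wild       Whatever phutil_tag() returns for the rewritten tag.
 */
function javelin_tag(
  $tag,
  array $attributes = array(),
  $content = null) {

  // isset() is false for null values, so the translation loop only runs when
  // at least one of the three shorthand keys carries a non-null value.
  if (isset($attributes['sigil']) ||
      isset($attributes['meta']) ||
      isset($attributes['mustcapture'])) {
    // foreach iterates over a copy, so rewriting $attributes inside the loop
    // does not disturb the iteration.
    foreach ($attributes as $k => $v) {
      switch ($k) {
        case 'sigil':
          if ($v !== null) {
            $attributes['data-sigil'] = $v;
          }
          unset($attributes[$k]);
          break;
        case 'meta':
          if ($v !== null) {
            // Only the identifier handed back by addMetadata() is written
            // into the tag; the metadata value itself goes to the response
            // object.
            $response = CelerityAPI::getStaticResourceResponse();
            $id = $response->addMetadata($v);
            $attributes['data-meta'] = $id;
          }
          unset($attributes[$k]);
          break;
        case 'mustcapture':
          if ($v) {
            $attributes['data-mustcapture'] = '1';
          } else {
            unset($attributes['data-mustcapture']);
          }
          unset($attributes[$k]);
          break;
      }
    }
  }

  if (isset($attributes['aural'])) {
    $is_aural = $attributes['aural'];
    $marker = $is_aural ? 'aural-only ' : 'visual-only ';

    // rtrim() drops the trailing space left behind when no class was given.
    $attributes['class'] = rtrim($marker.idx($attributes, 'class', ''));

    if (!$is_aural) {
      $attributes['aria-hidden'] = 'true';
    }

    unset($attributes['aural']);
  }

  return phutil_tag($tag, $attributes, $content);
}

/**
 * Render a `<form>` for a user, adding hidden CSRF inputs when the form is a
 * POST to a local (non-absolute) action.
 *
 * @param PhabricatorUser User whose CSRF token is embedded in the form.
 * @param map             Form attributes; `method` and `action` are inspected
 *                        to decide whether CSRF inputs are added.
 * @param wild            Form content: either one item or an array of items.
 * @return wild           Result of javelin_tag() for the assembled form.
 */
function phabricator_form(PhabricatorUser $user, $attributes, $content) {
  $body = array();

  // Cast to string so a missing attribute (null) is compared as ''.
  $http_method = (string)idx($attributes, 'method');
  $is_post = (strcasecmp($http_method, 'POST') === 0);

  $http_action = (string)idx($attributes, 'action');

  // The form action only counts as local when it is a plain path. Browsers
  // match URI schemes case-insensitively, drop tab and newline characters,
  // skip leading whitespace, and read "\" as "/", so normalize for those
  // before testing. Any scheme (not just http/https) is treated as absolute:
  // a false positive merely omits the CSRF token, while a false negative
  // would send it to another origin.
  $action_probe = str_replace(array("\t", "\r", "\n"), '', $http_action);
  $action_probe = ltrim($action_probe, "\x00..\x20");
  $is_absolute_uri = (bool)preg_match(
    '#^(?:[a-z][a-z0-9+.-]*:|[/\\\\]{2})#i',
    $action_probe);

  if ($is_post) {

    // NOTE: We only include CSRF tokens if a URI is a local URI on the same
    // domain. This is an important security feature and prevents forms which
    // submit to foreign sites from leaking CSRF tokens.

    // In some cases, we may construct a fully-qualified local URI. For example,
    // we can construct these for download links, depending on configuration.

    // These forms do not receive CSRF tokens, even though they safely could.
    // This can be confusing, if you're developing for Phabricator and
    // manage to construct a local form with a fully-qualified URI, since it
    // won't get CSRF tokens and you'll get an exception at the other end of
    // the request which is a bit disconnected from the actual root cause.

    // However, this is rare, and there are reasonable cases where this
    // construction occurs legitimately, and the simplest fix is to omit CSRF
    // tokens for these URIs in all cases. The error message you receive also
    // gives you some hints as to this potential source of error.

    if (!$is_absolute_uri) {
      $body[] = phutil_tag(
        'input',
        array(
          'type' => 'hidden',
          'name' => AphrontRequest::getCSRFTokenName(),
          'value' => $user->getCSRFToken(),
        ));

      $body[] = phutil_tag(
        'input',
        array(
          'type' => 'hidden',
          'name' => '__form__',
          'value' => true,
        ));
    }
  }

  if (is_array($content)) {
    $body = array_merge($body, $content);
  } else {
    $body[] = $content;
  }

  return javelin_tag('form', $attributes, $body);
}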