General CRSF protection for AJAX GET requests

idea to always include crsf token in GETS

ez	#35178 2012-08-22 05:55
Contributors Thanked: 10 times	I looked at all code.. and I have a universal solution for ALL my ajaxcalls. I can add the x parameter using something like: jsMainSettings.xfactor='theXtoken'; $(document).ajaxSend(function(evt, request, settings){ var x=$.getUrlParameter(settings.url,'x'); if (!x) { settings.url+='&x='+jsMainSettings.xfactor }; }); This was a small test I made in the console, I have made $.getUrlParameter and I have a global named jsMainSettings where I can put the $sys['xk'] thing in. I think with this little coding i have covered ALL my ajax requests... :D This example is not ready yet.. but it is just to show the idea BIG Question: There should be a piece in common.php like : //======== Anti XSS addition ============= if ($_SERVER['REQUEST_METHOD'] == 'GET') { if (empty($x)) { $x = sed_import('x', 'G', 'ALP'); } if (!empty($x) && !defined('SED_NO_ANTIXSS') && !defined('SED_AUTH') && $x != $sys['xk'] && (empty($sys['xk_prev']) \|\| $x != $sys['xk_prev'])) { sed_redirect(sed_url('message', 'msg=950', '', true)); } } //=================================== where sed_redirect for AJAX - JSON should be something else i think... but you get my point !! ==- I say: Keep it EZ -== This post was edited by ez (2012-08-22 06:12, 13 years ago)

#35178 2012-08-22 05:55

I looked at all code.. and I have a universal solution for ALL my ajaxcalls.

I can add the x parameter using something like:

jsMainSettings.xfactor='theXtoken';
$(document).ajaxSend(function(evt, request, settings){
    var x=$.getUrlParameter(settings.url,'x');
    if (!x) { settings.url+='&x='+jsMainSettings.xfactor };
});

This was a small test I made in the console, I have made $.getUrlParameter and I have a global named jsMainSettings where I can put the $sys['xk'] thing in.
I think with this little coding i have covered ALL my ajax requests... :D
This example is not ready yet.. but it is just to show the idea

BIG Question:

There should be a piece in common.php like :

//======== Anti XSS addition =============
if ($_SERVER['REQUEST_METHOD'] == 'GET')
{
	if (empty($x)) {
		$x = sed_import('x', 'G', 'ALP');
	}
	if (!empty($x) && !defined('SED_NO_ANTIXSS') && !defined('SED_AUTH') && $x != $sys['xk'] && (empty($sys['xk_prev']) || $x != $sys['xk_prev'])) {
		sed_redirect(sed_url('message', 'msg=950', '', true));
	}
}
//===================================

where sed_redirect for AJAX - JSON should be something else i think... but you get my point !!

==- I say: Keep it EZ -==

This post was edited by ez (2012-08-22 06:12, 13 years ago)