General CRSF protection for AJAX GET requests

idea to always include crsf token in GETS

#35178 2012-08-22 05:55

I looked at all code.. and I have a universal solution for ALL my ajaxcalls.

I can add the x parameter using something like:

JavaScript

        
              jsMainSettings.xfactor='theXtoken';
$(document).ajaxSend(function(evt, request, settings){
    var x=$.getUrlParameter(settings.url,'x');
    if (!x) { settings.url+='&x='+jsMainSettings.xfactor };
});

This was a small test I made in the console, I have made $.getUrlParameter and I have a global named jsMainSettings where I can put the $sys['xk'] thing in.
I think with this little coding i have covered ALL my ajax requests... :D
This example is not ready yet.. but it is just to show the idea

BIG Question:

There should be a piece in common.php like :

PHP

        
              //======== Anti XSS addition =============
if ($_SERVER['REQUEST_METHOD'] == 'GET')
{
    if (empty($x)) {
        $x = sed_import('x', 'G', 'ALP');
    }
    if (!empty($x) && !defined('SED_NO_ANTIXSS') && !defined('SED_AUTH') && $x != $sys['xk'] && (empty($sys['xk_prev']) || $x != $sys['xk_prev'])) {
        sed_redirect(sed_url('message', 'msg=950', '', true));
    }
}
//===================================

where sed_redirect for AJAX - JSON should be something else i think... but you get my point !!

==- I say: Keep it EZ -==

This post was edited by ez (2012-08-22 06:12, 12 years ago)