m-engel · August 5, 2018 20:50
diff --git a/FormItCSRF.snippet.php b/FormItCSRF.snippet.php
 <?php
 /**
 * A custom FormIt hook for CSRF Protection
 *
 * Usage:
 * Append this Plugin as PreHook and Hook
 *
 * [[!FormIt?
 *    &preHooks=`FormItCSRF`
 *    &hooks=`spam,FormItCSRF,email`
 *
 * And add the CSRF Field to the Form:
 * <form method="POST">
 *   <input type="hidden" name="CSRFToken" value="[[!+CSRF]]" />
 *
 * Thats it
 *
 *
 * @var modX $modx
 * @var array $scriptProperties
 * @var FormIt $formit
 * @var fiHooks $hook
 *
 * @package formit
 */
 /* setup default properties */
 $csrfField            = $modx->getOption('csrfField', $scriptProperties, 'CSRFToken');
 $csrfPlaceholder      = $modx->getOption('csrfPlaceholder', $scriptProperties, 'CSRF');
 $csrfCookieProtection = $modx->getOption('csrfCookieProtection', $scriptProperties, false);

 $csrfValue = uniqid(sha1($modx->site_id . '_' . $modx->resource->get('id')), 1);
 // Hook
 if(count($fields)) {
    // POST-Field-check
    if (empty($fields[$csrfField])) {
        $modx->log(modX::LOG_LEVEL_ERROR,'[FormIt] CSRF-Protection, csrfField empty');
        if($hook) $hook->addError($csrfField, 'CSRF-Protection.1');
        $_SESSION['FormItCSRF'][$modx->resource->id] = $csrfValue;
        $modx->setPlaceholder($csrfPlaceholder, $_SESSION['FormItCSRF'][$modx->resource->id]);

        return false;
    }
    if ($fields[$csrfField] != $_SESSION['FormItCSRF'][$modx->resource->id]) {
        $modx->log(modX::LOG_LEVEL_ERROR,'[FormIt] CSRF-Protection, csrfField invalid');
        if($hook) $hook->addError($csrfField, 'CSRF-Protection.2');
        $_SESSION['FormItCSRF'][$modx->resource->id] = $csrfValue;
        $modx->setPlaceholder($csrfPlaceholder, $_SESSION['FormItCSRF'][$modx->resource->id]);

        return false;
    }
    if($csrfCookieProtection && !isset($_COOKIE['csrfCookie'])) {
        $csrfCookieValue = uniqid($modx->site_id . '_' . $modx->user->get('id'), 1);
        $_SESSION['FormItCSRF']['cookie'] = $csrfCookieValue;
        setcookie(
            'csrfCookie',
            $csrfCookieValue,
            21600,
            $modx->getOption('session_cookie_path')
        );
    }
    $_SESSION['FormItCSRF'][$modx->resource->id] = $csrfValue;
    $modx->setPlaceholder($csrfPlaceholder, $_SESSION['FormItCSRF'][$modx->resource->id]);

    return true;
 } elseif(!$_POST) {
    if($csrfCookieProtection && !isset($_COOKIE['csrfCookie'])) {
        $csrfCookieValue = uniqid($modx->site_id . '_' . $modx->user->get('id'), 1);
        $_SESSION['FormItCSRF']['cookie'] = $csrfCookieValue;
        setcookie(
            'csrfCookie',
            $csrfCookieValue, 
            21600, 
            $modx->getOption('session_cookie_path')
        );
    }
    $_SESSION['FormItCSRF'][$modx->resource->id] = $csrfValue;
 } else {
    if(empty($_SESSION['FormItCSRF'][$modx->resource->id])) {
        $_SESSION['FormItCSRF'][$modx->resource->id] = $csrfValue;
    }
 }
 $modx->setPlaceholder($csrfPlaceholder, $_SESSION['FormItCSRF'][$modx->resource->id]);
 return true;
	<?php
	/**
	* A custom FormIt hook for CSRF Protection
	*
	* Usage:
	* Append this Plugin as PreHook and Hook
	*
	* [[!FormIt?
	* &preHooks=`FormItCSRF`
	* &hooks=`spam,FormItCSRF,email`
	*
	* And add the CSRF Field to the Form:
	* <form method="POST">
	* <input type="hidden" name="CSRFToken" value="[[!+CSRF]]" />
	*
	* Thats it
	*
	*
	* @var modX $modx
	* @var array $scriptProperties
	* @var FormIt $formit
	* @var fiHooks $hook
	*
	* @package formit
	*/
	/* setup default properties */
	$csrfField = $modx->getOption('csrfField', $scriptProperties, 'CSRFToken');
	$csrfPlaceholder = $modx->getOption('csrfPlaceholder', $scriptProperties, 'CSRF');
	$csrfCookieProtection = $modx->getOption('csrfCookieProtection', $scriptProperties, false);

	$csrfValue = uniqid(sha1($modx->site_id . '_' . $modx->resource->get('id')), 1);
	// Hook
	if(count($fields)) {
	// POST-Field-check
	if (empty($fields[$csrfField])) {
	$modx->log(modX::LOG_LEVEL_ERROR,'[FormIt] CSRF-Protection, csrfField empty');
	if($hook) $hook->addError($csrfField, 'CSRF-Protection.1');
	$_SESSION['FormItCSRF'][$modx->resource->id] = $csrfValue;
	$modx->setPlaceholder($csrfPlaceholder, $_SESSION['FormItCSRF'][$modx->resource->id]);

	return false;
	}
	if ($fields[$csrfField] != $_SESSION['FormItCSRF'][$modx->resource->id]) {
	$modx->log(modX::LOG_LEVEL_ERROR,'[FormIt] CSRF-Protection, csrfField invalid');
	if($hook) $hook->addError($csrfField, 'CSRF-Protection.2');
	$_SESSION['FormItCSRF'][$modx->resource->id] = $csrfValue;
	$modx->setPlaceholder($csrfPlaceholder, $_SESSION['FormItCSRF'][$modx->resource->id]);

	return false;
	}
	if($csrfCookieProtection && !isset($_COOKIE['csrfCookie'])) {
	$csrfCookieValue = uniqid($modx->site_id . '_' . $modx->user->get('id'), 1);
	$_SESSION['FormItCSRF']['cookie'] = $csrfCookieValue;
	setcookie(
	'csrfCookie',
	$csrfCookieValue,
	21600,
	$modx->getOption('session_cookie_path')
	);
	}
	$_SESSION['FormItCSRF'][$modx->resource->id] = $csrfValue;
	$modx->setPlaceholder($csrfPlaceholder, $_SESSION['FormItCSRF'][$modx->resource->id]);

	return true;
	} elseif(!$_POST) {
	if($csrfCookieProtection && !isset($_COOKIE['csrfCookie'])) {
	$csrfCookieValue = uniqid($modx->site_id . '_' . $modx->user->get('id'), 1);
	$_SESSION['FormItCSRF']['cookie'] = $csrfCookieValue;
	setcookie(
	'csrfCookie',
	$csrfCookieValue,
	21600,
	$modx->getOption('session_cookie_path')
	);
	}
	$_SESSION['FormItCSRF'][$modx->resource->id] = $csrfValue;
	} else {
	if(empty($_SESSION['FormItCSRF'][$modx->resource->id])) {
	$_SESSION['FormItCSRF'][$modx->resource->id] = $csrfValue;
	}
	}
	$modx->setPlaceholder($csrfPlaceholder, $_SESSION['FormItCSRF'][$modx->resource->id]);
	return true;