[pLog-svn] r7015 - plog/branches/lifetype-1.2/js/ui

Jon Daley plogworld at jon.limedaley.com
Sat Jul 31 11:43:13 EDT 2010


Too bad, couldn't get away with only having a plugin to fix the issue.  I 
thought that'd be pretty cool if we could protect all CSRF just by adding 
a plugin.

I think I'll leave it as a plugin, but make it installed by default; it's 
a nice code separation, keeping that code simple.

I've tested the entire admin interface, so I don't think there are any 
places where it is broken.  It is conceivable that I missed some actions, 
but I think I got them all.

There are two more things that need work:

1. Plugins.  Not sure how to fix this unless we protect all plugin input, 
using the configuration key array.  Or if I switch to be a whitelist, 
rather than a blacklist, but that makes the URL parsing harder

2. Remote URIs shouldn't ever have a CSRF token added.  I've thought about 
this a little, and I think it can be done with regexps, all fully 
qualified URIs need to be checked to see if they are really local or not. 
And then all relative URLs should be protected.  I don't think we need to 
worry about forms that post externally.  That doesn't exist, right?


On Sat, 31 Jul 2010, jondaley at devel.lifetype.net wrote:

> Author: jondaley
> Date: 2010-07-31 11:33:40 -0400 (Sat, 31 Jul 2010)
> New Revision: 7015
>
> Modified:
>   plog/branches/lifetype-1.2/js/ui/plogui.js
> Log:
> the ajax addCategory op needed some extra help to get the CSRF Token.  While I was editing, cleaned up the code, with error checking on the ajax responses, and appropriate (though hard-coded English, for now) messages to the user when the ajax action fails
>
> Modified: plog/branches/lifetype-1.2/js/ui/plogui.js
> ===================================================================
> --- plog/branches/lifetype-1.2/js/ui/plogui.js	2010-07-31 13:48:54 UTC (rev 7014)
> +++ plog/branches/lifetype-1.2/js/ui/plogui.js	2010-07-31 15:33:40 UTC (rev 7015)
> @@ -45,67 +45,94 @@
> 	var params = 'op=saveDraftArticleAjax&'+formData;
> 	var myAjax = new Ajax.Request(
> 					url,
> -					{method: 'post', parameters: params, onComplete: saveDraftArticleResponse}
> +					{method: 'post',
> +                     parameters: params,
> +                     onComplete: saveDraftArticleResponse}
> 					);
> }
>
> function saveDraftArticleResponse(originalRequest)
> {
> +    var success = false;
> 	//put returned XML in the textarea
> 	var xmldoc = originalRequest.responseXML;
> -	var id_elem = xmldoc.getElementsByTagName('id');
> -    if(id_elem[0]){
> -        $( 'postId' ).value = id_elem[0].firstChild.nodeValue;
> +    if(xmldoc){
> +        var id_elem = xmldoc.getElementsByTagName('id');
> +        if(id_elem && id_elem[0]){
> +            $('postId').value = id_elem[0].firstChild.nodeValue;
> +
> +            var message = xmldoc.getElementsByTagName('message')[0].firstChild.nodeValue;
> +            if(message != ''){
> +                window.alert(message);
> +                success = true;
> +            }
> +        }
>     }
> -	var message = xmldoc.getElementsByTagName('message')[0].firstChild.nodeValue;
> -	window.alert(message);
> +    if(!success){
> +        window.alert('Error: couldn\'t save draft');
> +    }
> }
>
> +
> /**
>  * The following functions are called when clicking the "add category" button
>  */
> function addArticleCategoryAjax()
> {
> 	var categoryName = $F('newArticleCategory');
> -	if (categoryName != '')
> -	{
> +	if (categoryName != ''){
> 		var url = plogAdminBaseUrl;
> -		var params = 'op=addArticleCategoryAjax' + '&categoryName=' + encodeURIComponent(categoryName);
> -		var myAjax = new Ajax.Request(
> -						url,
> -						{method: 'get', parameters: params, onComplete: addArticleCategoryOption, onLoading: showArticleCategorySavingStatus }
> -						);
> +
> +	var params = '';
> +	form = document.getElementById("newPost");
> +	for(i = 0; i < form.elements.length; i++ ) {
> +		itemName = form.elements[i].name;
> +		if(itemName == "CsrfToken" ) {
> +            params += itemName + '=' + escape(form.elements[i].value) + "&";
> +            break;
> +		}
> +    }
> +
> +    params += 'op=addArticleCategoryAjax' + '&categoryName=' + encodeURIComponent(categoryName);
> +    var myAjax = new Ajax.Request(
> +        url,
> +        {method: 'post',
> +         parameters: params,
> +         onComplete: addArticleCategoryResponse,
> +         onLoading: showArticleCategorySavingStatus }
> +                                  );
> 	}
> }
>
> -function addArticleCategoryOption(originalRequest)
> +function addArticleCategoryResponse(originalRequest)
> {
> 	//put returned XML in the textarea
> 	var xmldoc = originalRequest.responseXML;
> -	var success = xmldoc.getElementsByTagName('success')[0].firstChild.nodeValue;
> -	var message = xmldoc.getElementsByTagName('message')[0].firstChild.nodeValue;
> -	if (success=='0') {
> -		window.alert(message);
> -		$( 'newArticleCategory' ).value = '';
> -		$( 'addArticleCategory' ).disabled = 0;
> -	}
> -	else
> -	{
> -		var catId = xmldoc.getElementsByTagName('id')[0].firstChild.nodeValue;
> -		var catName = xmldoc.getElementsByTagName('name')[0].firstChild.nodeValue;
> -	    for(i=$( 'postCategories' ).length; i>0; i--)
> -	    {
> -			tmpText = $( 'postCategories' ).options[i-1].text;
> -			tmpValue = $( 'postCategories' ).options[i-1].value;
> -			tmpSelected = $( 'postCategories' ).options[i-1].selected;
> -			$( 'postCategories' ).options[i] = new Option( tmpText, tmpValue );
> -			$( 'postCategories' ).options[i].selected = tmpSelected;
> -	    }
> -	    $( 'postCategories' ).options[0] = new Option( catName, catId );
> -	    $( 'postCategories' ).options[0].selected = true;
> -	    $( 'newArticleCategory' ).value = '';
> -	    $( 'addArticleCategory' ).disabled = 0;
> -	}
> +	if(xmldoc){
> +        var success = xmldoc.getElementsByTagName('success')[0].firstChild.nodeValue;
> +        var message = xmldoc.getElementsByTagName('message')[0].firstChild.nodeValue;
> +        if(success == '0'){
> +            window.alert(message);
> +        }
> +        else{
> +            var catId = xmldoc.getElementsByTagName('id')[0].firstChild.nodeValue;
> +            var catName = xmldoc.getElementsByTagName('name')[0].firstChild.nodeValue;
> +            for(i=$( 'postCategories' ).length; i>0; i--){
> +                tmpText = $( 'postCategories' ).options[i-1].text;
> +                tmpValue = $( 'postCategories' ).options[i-1].value;
> +                tmpSelected = $( 'postCategories' ).options[i-1].selected;
> +                $( 'postCategories' ).options[i] = new Option( tmpText, tmpValue );
> +                $( 'postCategories' ).options[i].selected = tmpSelected;
> +            }
> +            $( 'postCategories' ).options[0] = new Option( catName, catId );
> +            $( 'postCategories' ).options[0].selected = true;
> +        }
> +    }
> +    else{
> +        window.alert("Error adding category");
> +    }
> +    $( 'newArticleCategory' ).value = '';
> +    $( 'addArticleCategory' ).disabled = 0;
> }
>
> function showArticleCategorySavingStatus(originalRequest) {
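Review bot: The CsrfToken value is encoded with `escape()` while the rest of the same query string uses `encodeURIComponent`; `escape` leaves `+`, `/` and `@` untouched and emits `%uXXXX` for non-ASCII, so if the token can ever contain `+` (its format is not visible here) the server would decode it as a space and reject an otherwise valid request. Use the same encoder for both parameters: `params += itemName + '=' + encodeURIComponent(form.elements[i].value) + '&';`. In the same loop `form`, `i` and `itemName` are assigned without `var` and become implicit globals; declare them (`var form = document.getElementById("newPost");`, `for (var i = 0; ...)`, `var itemName = ...`), or drop the loop and read the field directly with `form.elements.namedItem("CsrfToken")`, guarding for a missing form or field so the request is not sent without the token. The same missing-`var` pattern is carried into the moved `postCategories` loop in addArticleCategoryResponse (`i`, `tmpText`, `tmpValue`, `tmpSelected`).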
>
>

-- 
Jon Daley
http://jon.limedaley.com
~~
I robbed from the rich, kind of like Robin Hood, except I kept it.
-- Captured thief, quoted in the Seattle Post Intelligencer

