On 11/05/2016 13:29, Rowan Collins wrote:
Thinking about it, the only part that has some value being in core is
the HTML rewriting. Perhaps what is actually needed is a lower-level
function that PHP libraries can use to hook into this with whatever
parameters they want, e.g.
register_html_rewrite_callback(
function() { return [ 'csrf_token' => MyFramework\CSRF::getToken()
]; },
REWRITE_POST_FORMS | REWRITE_URL
);
I realised I over-complicated this, all you need is:
# ob_add_rewrite_param(array $fields, int $flags)
ob_add_rewrite_param( [ 'csrf_token' => MyFramework\CSRF::getToken() ],
REWRITE_POST_FORMS | REWRITE_URL_LINKS );
That said, this - and the CSRF mechanism as currently proposed - rely
heavily on the quality of that output rewriting engine. I've never used
it, so have no idea how well it actually works with a modern application.
Regards,
--
Rowan Collins
[IMSoP]
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
