
nette / forms / 28113569902

24 Jun 2026 04:27PM UTC coverage: 93.649% (+0.2%) from 93.412%
28113569902

push

github

dg
added CLAUDE.md

2138 of 2283 relevant lines covered (93.65%)

0.94 hits per line


96.55
/src/Forms/Controls/CsrfProtection.php
<?php declare(strict_types=1);

/**
 * This file is part of the Nette Framework (https://nette.org)
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
 */

namespace Nette\Forms\Controls;

use Nette;
use Nette\Application\UI\Presenter;
use Stringable;
use function base64_encode, sha1, substr;


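/**
 * Hidden form field that carries a per-session anti-CSRF token and rejects
 * submissions whose token does not match (rule self::Protection).
 *
 * @deprecated default protection is sufficient
 */
class CsrfProtection extends HiddenField
{
        /** Name of the validation callback the constructor registers as a rule; points at validateCsrf(). */
        public const Protection = 'Nette\Forms\Controls\CsrfProtection::validateCsrf';

        /** @deprecated use CsrfProtection::Protection */
        public const PROTECTION = self::Protection;

        /** Session that stores the secret token; assigned lazily once the control is attached. */
        public ?Nette\Http\Session $session = null;


        /**
         * Configures the field (omitted from form values, required, CSRF rule attached)
         * and arranges for a session to be obtained when the control gets attached.
         *
         * @param string|Stringable|null $errorMessage  message passed to the CSRF rule
         */
        public function __construct(string|Stringable|null $errorMessage = null)
        {
                parent::__construct();
                $this->setOmitted()
                        ->setRequired()
                        ->addRule(self::Protection, $errorMessage);

                // Attached under a presenter: reuse the presenter's session unless one was injected.
                $this->monitor(Presenter::class, function (Presenter $presenter): void {
                        if (!$this->session) {
                                $this->session = $presenter->getSession();
                                $this->session->start();
                        }
                });

                // Attached to a form that is not a UI form: no presenter will supply a session,
                // so build one from the form's HTTP request.
                $this->monitor(Nette\Forms\Form::class, function (Nette\Forms\Form $form): void {
                        if (!$this->session && !$form instanceof Nette\Application\UI\Form) {
                                $this->session = new Nette\Http\Session($form->httpRequest, new Nette\Http\Response);
                                $this->session->start();
                        }
                });
        }


        /**
         * Deliberately ignores the given value, so the token cannot be preset from code
         * (for example through form defaults); only loadHttpData() assigns it.
         *
         * @internal
         */
        public function setValue($value): static
        {
                return $this;
        }


        /**
         * Reads the submitted token from the HTTP data as text.
         */
        public function loadHttpData(): void
        {
                $this->value = $this->getHttpData(Nette\Forms\Form::DataText);
        }


        /**
         * Returns the secret the rendered tokens are derived from: a random value kept in
         * the session section named after this class, XOR-ed with the current session id.
         *
         * @throws Nette\InvalidStateException when no session has been assigned
         */
        public function getToken(): string
        {
                if (!$this->session) {
                        throw new Nette\InvalidStateException('Session initialization error');
                }

                $session = $this->session->getSection(self::class);
                if (!$session->get('token')) {
                        $session->set('token', Nette\Utils\Random::generate());
                }

                // String XOR in PHP yields a result as long as the shorter operand.
                return $session->get('token') ^ $this->session->getId();
        }


        /**
         * Builds the value placed in the form: a salt followed by
         * base64(sha1(secret . salt)). A fresh salt is drawn when none is supplied;
         * validateCsrf() passes the salt taken from the submitted value.
         */
        private function generateToken(?string $random = null): string
        {
                $random ??= Nette\Utils\Random::generate(10);
                return $random . base64_encode(sha1($this->getToken() . $random, binary: true));
        }


        /**
         * Renders the hidden input with a newly generated token as its value.
         */
        public function getControl(): Nette\Utils\Html
        {
                return parent::getControl()->value($this->generateToken());
        }


        /**
         * Validation callback: recomputes the token from the salt found in the submitted
         * value and checks that it equals what was submitted.
         *
         * @internal
         */
        public static function validateCsrf(self $control): bool
        {
                $value = (string) $control->getValue();

                // The first 10 bytes are the salt; this length must match generateToken().
                $expected = $control->generateToken(substr($value, 0, 10));

                // Compare in constant time: the submitted value is attacker-controlled and `===`
                // may return sooner the earlier the strings differ, which can leak how much of
                // the expected token a guess got right.
                return \hash_equals($expected, $value);
        }
}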