manilaSuite.referer.checkEdit

The referer check for "trojan horse" does not cater to browsers that leave the username and password (iCab 1.3 was one, and Palm WAP browsers are reputedly the same). Watch for that case and strip them out before checking.

on checkEdit (editUrlName="discussEditInBrowser", postURLName="discussPostEditedMessage")

«This script makes sure that the referer is the edit-in-browser page and that the msgNums match.

unaltered lines omitted

«Changes

«04.06.20, 18:41:14 by DAB

«allow a post from the url that receives the post; cater to validation fo posts

«4/18/03; 12:21:21 AM by JES

unaltered lines omitted

manilaSuite.referer.mustNotBeEmpty ()

local (pta = html.getPageTableAddress ())

local (referer = string.popSuffix (pta^.requestHeaders.referer, '?'))

referer = string.popSuffix (referer, '#')

local (expectedReferer = pta^.urls^.[editUrlName] + pta^.postArgs.msgNum)

«if string.lower (referer) != string.lower (expectedReferer)

unaltered lines omitted

«return (true)

case string.lower(referer)

unaltered lines omitted

log.add("CheckEdit:" + referer + "!=" + expectedReferer, "referer")

scriptError (manilaSuite.getString ("admin.refererDoesntMatchError"))

Relative to Frontier version 9.7b10