adopted hidden data field insertion

now rather than creating a new js file each time the config file is modified
csrfp inserts the cookie name and url patterns as hidden fields in HTML output
and js code fetches them

Author: mebjas

js/csrfprotector.js

@@ -11,6 +11,9 @@
  * =================================================================
  */
 
+var CSRFP_FIELD_TOKEN_NAME = 'csrfp_hidden_data_token';
+var CSRFP_FIELD_URLS = 'csrfp_hidden_data_urls';
+
 var CSRFP = {
 	CSRFP_TOKEN: 'csrfp_token',
 	/**
@@ -19,10 +22,7 @@ var CSRFP = {
 	 *
 	 * @var string array
 	 */
-	checkForUrls: Array.prototype.slice.call(document.getElementsByName("CSRFP_checkForUrls"))
-		.map(function (element) {
-		return element.value;
-		}),
+	checkForUrls: [],
 	/**
 	 * Function to check if a certain url is allowed to perform the request
 	 * With or without csrf token
@@ -143,6 +143,14 @@ var CSRFP = {
 	 * @return void
 	 */
 	_init: function() {
+		CSRFP.CSRFP_TOKEN = document.getElementById(CSRFP_FIELD_TOKEN_NAME).value;
+		try {
+			CSRFP.checkForUrls = JSON.parse(document.getElementById(CSRFP_FIELD_URLS).value);
+		} catch (err) {
+			console.error(err);
+			console.error('[ERROR] [CSRF Protector] unable to parse blacklisted url fields.');
+		}
+
 		//convert these rules received from php lib to regex objects
 		for (var i = 0; i < CSRFP.checkForUrls.length; i++) {
 			CSRFP.checkForUrls[i] = CSRFP.checkForUrls[i].replace(/\*/g, '(.*)')

libs/config.sample.php

@@ -23,4 +23,4 @@
 	Cross-Site Request Forgeries </a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you.
 	 See details of your web browser for how to enable JavaScript.",
 	 "verifyGetFor" => array()
-);
+);