
Commit 8204ba2

committed
Merge pull request #32 from msalestream/master
Fixing bug: #31
2 parents f083e9b + 7ca7310 commit 8204ba2


1 file changed

+32
-28
lines changed


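--- a/js/csrfprotector.js
+++ b/js/csrfprotector.js
@@ -289,39 +289,43 @@ function csrfprotector_init() {
 // Rewrite existing urls ( Attach CSRF token )
 // Rules:
 // Rewrite those urls which matches the regex sent by Server
-// Ingore cross origin urls & internal links (one with hashtags)
+// Ignore cross origin urls & internal links (one with hashtags)
 // Append the token to those url already containig GET query parameter(s)
 // Add the token to those which does not contain GET query parameter(s)
 //==================================================================
 
 for (var i = 0; i < document.links.length; i++) {
-document.links[i].addEventListener("mousedown", function(event) {
-var urlDisect = event.target.href.split('#');
-var url = urlDisect[0];
-var hash = urlDisect[1];
-
-if(CSRFP._getDomain(url).indexOf(document.domain) === -1
-|| CSRFP._isValidGetRequest(url)) {
-//cross origin or not to be protected by rules -- ignore
-return;
-}
-
-if (url.indexOf('?') !== -1) {
-if(url.indexOf(CSRFP.CSRFP_TOKEN) === -1) {
-url += "&" +CSRFP.CSRFP_TOKEN +"=" +CSRFP._getAuthKey();
-} else {
-url = url.replace(new RegExp(CSRFP.CSRFP_TOKEN +"=.*?(&|$)", 'g'),
-CSRFP.CSRFP_TOKEN +"=" +CSRFP._getAuthKey() + "$1");
-}
-} else {
-url += "?" +CSRFP.CSRFP_TOKEN +"=" +CSRFP._getAuthKey();
-}
-
-event.target.href = url;
-if (typeof hash !== 'undefined') {
-event.target.href += '#' +hash;
-}
-});
+document.links[i].addEventListener("mousedown", function(event) {
+var href = event.target.href;
+if(typeof href === "string")
+{
+var urlDisect = href.split('#');
+var url = urlDisect[0];
+var hash = urlDisect[1];
+
+if(CSRFP._getDomain(url).indexOf(document.domain) === -1
+|| CSRFP._isValidGetRequest(url)) {
+//cross origin or not to be protected by rules -- ignore
+return;
+}
+
+if (url.indexOf('?') !== -1) {
+if(url.indexOf(CSRFP.CSRFP_TOKEN) === -1) {
+url += "&" +CSRFP.CSRFP_TOKEN +"=" +CSRFP._getAuthKey();
+} else {
+url = url.replace(new RegExp(CSRFP.CSRFP_TOKEN +"=.*?(&|$)", 'g'),
+CSRFP.CSRFP_TOKEN +"=" +CSRFP._getAuthKey() + "$1");
+}
+} else {
+url += "?" +CSRFP.CSRFP_TOKEN +"=" +CSRFP._getAuthKey();
+}
+
+event.target.href = url;
+if (typeof hash !== 'undefined') {
+event.target.href += '#' +hash;
+}
+}
+});
 }
 
 }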
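Review bot: The `typeof href === "string"` guard added at new line 300 silently skips any anchor whose mousedown lands on a child element (an `<img>` or `<span>` inside the `<a>`), because `event.target` is then that inner element and its `href` is not a string — presumably the TypeError behind #31, but the link now leaves without a token instead of being tokenised. Since the listener is registered on each `document.links[i]`, the anchor is always the listener's own element, so `var anchor = event.currentTarget;` then `var href = anchor.href;` and `anchor.href = url;` in place of the two `event.target.href` writes would attach the token in that case as well. Separately, the same-origin test on new line 306 is a substring match (`indexOf(document.domain) === -1`), so a link to a host that merely contains the page's domain, e.g. `example.com.attacker.net`, passes as same-origin and receives the CSRF token in its query string; an exact comparison of the parsed host against the page's host would close that. csrfprotector_init starts before this hunk.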
