X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Fopenidlogin.php;h=b066b9aa4ecdb349381d1e0c4fbd38e7aa7b563b;hb=3a246c17266d562e0510e5a332009dcfda43c1c7;hp=ecc4e6bff630a49332edde2ab93c8632cfbcdb53;hpb=03a08efce9bfe3be1673581594498b5d856d08b0;p=quix0rs-gnu-social.git

diff --git a/actions/openidlogin.php b/actions/openidlogin.php
index ecc4e6bff6..b066b9aa4e 100644
--- a/actions/openidlogin.php
+++ b/actions/openidlogin.php
@@ -26,35 +26,55 @@ class OpenidloginAction extends Action {
 	function handle($args) {
 		parent::handle($args);
 		if (common_logged_in()) {
-			common_user_error(_t('Already logged in.'));
+			common_user_error(_('Already logged in.'));
 		} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
-			$result = oid_authenticate($this->trimmed('openid_url'),
+			$openid_url = $this->trimmed('openid_url');
+
+			# CSRF protection
+			$token = $this->trimmed('token');
+			if (!$token || $token != common_session_token()) {
+				$this->show_form(_('There was a problem with your session token. Try again, please.'), $openid_url);
+				return;
+			}
+
+			$result = oid_authenticate($openid_url,
 									   'finishopenidlogin');
 			if (is_string($result)) { # error message
-				$this->show_form($result);
+				$this->show_form($result, $openid_url);
 			}
 		} else {
-			$this->show_form();
+			$openid_url = oid_get_last();
+			$this->show_form(NULL, $openid_url);
 		}
 	}
 
+	function get_instructions() {
+		return _('Login with an [OpenID](%%doc.openid%%) account.');
+	}
+
 	function show_top($error=NULL) {
 		if ($error) {
 			common_element('div', array('class' => 'error'), $error);
 		} else {
-			common_element('div', 'instructions',
-						   _t('Login with an OpenID account.'));
+			$instr = $this->get_instructions();
+			$output = common_markup_to_html($instr);
+			common_element_start('div', 'instructions');
+			common_raw($output);
+			common_element_end('div');
 		}
 	}
-	
-	function show_form($error=NULL) {
-		common_show_header(_t('OpenID Login'), NULL, $error, array($this, 'show_top'));
+
+	function show_form($error=NULL, $openid_url) {
+		common_show_header(_('OpenID Login'), NULL, $error, array($this, 'show_top'));
 		$formaction = common_local_url('openidlogin');
-		common_element_start('form', array('method' => 'POST',
+		common_element_start('form', array('method' => 'post',
 										   'id' => 'openidlogin',
 										   'action' => $formaction));
-		common_input('openid_url', _t('OpenID URL'));
-		common_submit('submit', _t('Login'));
+		common_hidden('token', common_session_token());
+		common_input('openid_url', _('OpenID URL'),
+					 $openid_url,
+					 _('Your OpenID URL'));
+		common_submit('submit', _('Login'));
 		common_element_end('form');
 		common_show_footer();
 	}