How does something like HTML Purifier or CSRF Magic actually intercept an HTTP request? Its documentation says it's based on the idea of the Django Middleware framework of Python, but I am yet to find some documentation of how it intercepts HTTP requests. It works without actually having the need to install any PHP extensions.
Can anyone shed some light on the issue?
Regards
CSRF Magic uses PHP’s output control functions. It captures the output of your script, modifies it, and uses a special handler function to modify the output it captured before it is printed. So, the real magic is in ob_start. Read up on it if you’re interested. Also, since CSRF Magic is an open-source project, you can read the script itself for more detailed information.
It ultimately comes down to line 371:
This line says that, if the condition is true (and it usually is), to start an output buffer (ob_start) and, when the output is finished, to run csrf_ob_handler on that output. csrf_ob_handler modifies the original output of the script to add hidden inputs, then prints that result.
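The mechanism described in the answer above, as an added example that is not part of the original post and is not CSRF Magic's own code: an output-buffer handler registered with ob_start() that adds a hidden token input to POST forms, plus the matching check on the request side. The names demo_rewrite_forms(), demo_check() and the field name __demo_token are hypothetical, and the token is generated inline instead of being kept in the session so the script runs from the command line.

```php
<?php
// Added illustration only; this is not csrf-magic's source code.
// demo_rewrite_forms(), demo_check() and the field name "__demo_token"
// are hypothetical names chosen for this example.

const DEMO_FIELD = '__demo_token';

// Insert a hidden token input right after every opening <form> tag whose
// method is POST. The handler receives the buffered page as one string.
function demo_rewrite_forms(string $html, string $token): string
{
    $input = '<input type="hidden" name="' . DEMO_FIELD . '" value="'
           . htmlspecialchars($token, ENT_QUOTES) . '">';
    return preg_replace_callback(
        '/<form\b[^>]*\bmethod\s*=\s*["\']?post\b[^>]*>/i',
        fn(array $m): string => $m[0] . $input,
        $html
    ) ?? $html; // on a regex error, fall back to the unmodified page
}

// Constant-time comparison of the submitted token against the expected one.
function demo_check(array $post, string $expected): bool
{
    $sent = $post[DEMO_FIELD] ?? '';
    return is_string($sent) && hash_equals($expected, $sent);
}

// Assumption: in a web application the token would be stored in the session.
$token = bin2hex(random_bytes(16));

// Register the handler; PHP calls it with the buffered output on flush.
// Nothing is installed at the web-server level: the script's own output is
// captured and rewritten before it is sent.
ob_start(fn(string $buffer): string => demo_rewrite_forms($buffer, $token));

// Constructed sample page: one POST form (rewritten), one GET form (untouched).
echo '<form action="/transfer" method="post"><input name="amount"></form>', "\n";
echo '<form action="/search" method="get"><input name="q"></form>', "\n";

ob_end_flush(); // the handler runs here, then the modified page is printed

// Constructed requests: the first carries the token, the second does not.
var_dump(demo_check([DEMO_FIELD => $token], $token));
var_dump(demo_check(['amount' => '100'], $token));
```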