Protect against XSS and CSRF + some improvements

class_csrf.php

@@ -0,0 +1,104 @@
+<?php
+/**
+* Cross Site Request Forgery (CSRF) Class
+* @Author Matt Kent (Matt_Kent9)
+* @License MIT
+*
+* session_start(); must be called before this is utilised.
+*/
+class CSRF_Token
+{
+	// Empty constructor to avoid "Constructor cannot be static" error.
+	public function __construct() {}
+
+	// Used for is_recent() method.
+	private static $max_elapsed = 60 * 60 * 24; // 1 day
+
+	/**
+	* Generates token for use but doesn't store it.
+	*/
+	private static function token()
+	{
+		return bin2hex(openssl_random_pseudo_bytes(64));
+	}
+
+	/**
+	* Generate and store CSRF token in user session.
+	* Requires session to have been started already.
+	*/
+	private static function createToken()
+	{
+		$token = self::token();
+		$_SESSION['token'] = $token;
+		$_SESSION['token_time'] = time();
+		return $token;
+	}
+
+	/**
+	* Destroys a token by removing it from the session.
+	*/
+	private static function destroyToken()
+	{
+		$_SESSION['token'] = null;
+		$_SESSION['token_time'] = null;
+		return true;
+	}
+
+	/**
+	* Return HTML tag for use in a form.
+	*/
+	public static function display()
+	{
+		return "<input type=\"hidden\" name=\"token\" value=\"" . self::createToken() . "\" />";
+	}
+
+	/**
+	* Returns true if user-submitted POST token is
+	* identical to the previously stored SESSION token.
+	* Returns false otherwise.
+	*/
+	public static function isValid()
+	{
+		if (isset($_POST['token']))
+		{
+			$user_token = $_POST['token'];
+			$stored_token = $_SESSION['token'];
+			return hash_equals($_SESSION['token'], $_POST['token']);
+		}
+		else
+		{
+			return false;
+		}
+	}
+
+	/**
+	* You can simply check the token validity and 
+	* handle the failure yourself, or you can use 
+	* this "stop-everything-on-failure" method.
+	*/ 
+	public static function exitOnFailure()
+	{
+		if (!self::isValid())
+		{
+			exit('Invalid Security Token.');
+		}
+	}
+
+	/**
+	* This doesn't have to be used but it
+	* checks to see if the token is recent.
+	*/
+	public static function isRecent()
+	{
+		if (isset($_SESSION['token_time']))
+		{
+			$stored_time = $_SESSION['token_time'];
+			return ($stored_time + self::$max_elapsed) >= time();
+		}
+		else
+		{
+			self::destroyToken();
+			return false;
+		}
+	}
+}

documentation/index.php

@@ -11,13 +11,16 @@
 /************************************************************************/
 
 define('TR_INCLUDE_PATH', '../include/');
+
 include(TR_INCLUDE_PATH.'vitals.inc.php');
 include(TR_INCLUDE_PATH.'handbook_pages.inc.php');
 
 global $handbook_pages;
 
 if (isset($_GET['p'])) {
-	$p = htmlentities($_GET['p']);
+	// We depend on htmlspecialchars, trim, stripslashes, and strip_tags to prevent Reflected XSS
+	// for p parameter
+	$p = htmlspecialchars(trim(stripslashes(strip_tags($_GET['p']))));
 } else {
 	// go to first handbook page defined in $handbook_pages
 	foreach ($handbook_pages as $page_key => $page_value)