001/*
002    Licensed to the Apache Software Foundation (ASF) under one
003    or more contributor license agreements.  See the NOTICE file
004    distributed with this work for additional information
005    regarding copyright ownership.  The ASF licenses this file
006    to you under the Apache License, Version 2.0 (the
007    "License"); you may not use this file except in compliance
008    with the License.  You may obtain a copy of the License at
009
010       http://www.apache.org/licenses/LICENSE-2.0
011
012    Unless required by applicable law or agreed to in writing,
013    software distributed under the License is distributed on an
014    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015    KIND, either express or implied.  See the License for the
016    specific language governing permissions and limitations
017    under the License.
018 */
019package org.apache.wiki.tags;
020
021import org.apache.wiki.api.core.Session;
022import org.apache.wiki.http.filter.CsrfProtectionFilter;
023
024/**
025 * Outputs the hidden {@link CsrfProtectionFilter#ANTICSRF_PARAM}.
026 */
027public class CsrfProtectionTag extends WikiTagBase {
028
029    private static final long serialVersionUID = -6828306125406112417L;
030    private boolean meta;
031
032    public void setFormat( final String format ) {
033        meta = "meta".equalsIgnoreCase( format );
034    }
035
036    /**
037     *  {@inheritDoc}
038     */
039    @Override
040    public int doWikiStartTag() throws Exception {
041        final Session session = m_wikiContext.getWikiSession();
042        final String csrfProtectionHidden;
043        if( meta ) {
044            csrfProtectionHidden = "<meta name=\"wikiCsrfProtection\" content='" + session.antiCsrfToken() + "'/>";
045        } else {
046            csrfProtectionHidden = "<input type=\"hidden\" name=\"" + CsrfProtectionFilter.ANTICSRF_PARAM + "\" " +
047                                          "id=\"" + CsrfProtectionFilter.ANTICSRF_PARAM + "\" " +
048                                          "value=\"" + session.antiCsrfToken() + "\"/>";
049        }
050        pageContext.getOut().print( csrfProtectionHidden );
051        return SKIP_BODY;
052    }
053
054}