Merge pull request #62 from PhpGt/61-post-only

Greg Bowler · web-flow · commit 0f39d4304236 · 2018-12-31T16:58:31.000Z
Only inject into POST forms, closes #61
diff --git a/src/HTMLDocumentProtector.php b/src/HTMLDocumentProtector.php
@@ -55,6 +55,11 @@ public function protectAndInject(
 			$this->tokenStore->saveToken($token);
 
 			foreach($forms as $form) {
+				$formMethod = $form->getAttribute("method");
+				if(strtolower($formMethod) !== "post") {
+					continue;
+				}
+
 				$csrfElement = $this->document->createElement(
 					"input"
 				);
diff --git a/test/unit/HTMLDocumentProtectorTest.php b/test/unit/HTMLDocumentProtectorTest.php
@@ -31,10 +31,11 @@ class HTMLDocumentProtectorTest extends TestCase {
 <body>
 	<h1>This HTML is for the unit test.</h1>
 	<p>Hello</p>
-    <form method="POST">
-        <input type="text">
-        <button type="submit"></button>
-    </form>
+	
+	<form method="POST">
+		<input type="text">
+		<button type="submit"></button>
+	</form>
 </body>
 </html>
 HTML;
@@ -50,17 +51,16 @@ class HTMLDocumentProtectorTest extends TestCase {
 <body>
 	<h1>This HTML is for the unit test.</h1>
 	<p>Hello</p>
-    <form method="POST">
-        <input type="text">
-        <button type="submit"></button>
-    </form>
-    <form method="GET">
-        <input type="text" value="A text field">
-        <button type="submit"></button>
-    </form>
-    <!-- an empty form too...-->
-    <form method="POST">
-    </form>
+	<form method="POST">
+		<input type="text">
+		<button type="submit"></button>
+	</form>
+	<form method="GET">
+		<input type="text" value="A text field">
+		<button type="submit"></button>
+	</form>
+	<!-- an empty form too...-->
+	<form method="POST"></form>
 </body>
 </html>
 HTML;
@@ -77,9 +77,9 @@ class HTMLDocumentProtectorTest extends TestCase {
 <body>
 	<h1>This HTML is for the unit test.</h1>
 	<p>Hello</p>
-    <!-- an empty form too...-->
-    <form method="POST">
-    </form>
+	<!-- an empty form too...-->
+	<form method="POST">
+	</form>
 </body>
 </html>
 HTML;
@@ -153,12 +153,17 @@ public function testMultipleForms() {
 
 		// check that the token has been injected in all forms
 		$doc = $sut->getHTMLDocument();
-		$this->assertEquals(
-			3, $doc->querySelectorAll(
-			"input[name='" . HTMLDocumentProtector::TOKEN_NAME . "']")->length);
-		$this->assertEquals(
-			1, $doc->querySelectorAll(
-			"head meta[name='" . HTMLDocumentProtector::TOKEN_NAME . "']")->length);
+		$this->assertCount(
+			2,
+			$doc->querySelectorAll(
+				"input[name='" . HTMLDocumentProtector::TOKEN_NAME . "']"
+			)
+		);
+		$this->assertCount(
+			1,
+			$doc->querySelectorAll(
+				"head meta[name='" . HTMLDocumentProtector::TOKEN_NAME . "']")
+		);
 	}
 
 	public function testSingleCodeSharedAcrossForms() {
