Support sending all _rx_* POST fields as HTTP headers instead

하위호환성, 부가기능 등을 위한 _rx_* POST 필드가 점점 많아짐에 따라 모두 헤더로 대체할 수 있도록 지원하고, 앞으로 점점 헤더로 바꿀 예정 CSRF 토큰은 예전부터 X-CSRF-Token 헤더를 지원했음
2026-01-05 09:41:40 +09:00 · 2023-08-27 23:32:31 +09:00 · 2023-08-27 23:32:31 +09:00 · 06e736178b
commit 06e736178b
parent dc492345da
5 changed files with 17 additions and 11 deletions
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@ -1140,9 +1140,10 @@ class Context
 		if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST')
 		{
 			// Set variables for XE compatibility.
-			if (isset($_POST['_rx_ajax_compat']) && in_array($_POST['_rx_ajax_compat'], array('JSON', 'XMLRPC')))
+			$compat = $_SERVER['HTTP_X_AJAX_COMPAT'] ?? ($_POST['_rx_ajax_compat'] ?? false);
+			if ($compat && in_array($compat, array('JSON', 'XMLRPC')))
 			{
-				self::$_instance->request_method = $_POST['_rx_ajax_compat'];
+				self::$_instance->request_method = $compat;
 				return;
 			}
 			else
--- a/classes/display/DisplayHandler.class.php
+++ b/classes/display/DisplayHandler.class.php
@ -97,7 +97,7 @@ class DisplayHandler extends Handler
 		}
 		else
 		{
-			if($responseMethod == 'JSON' || $responseMethod == 'JS_CALLBACK' || isset($_POST['_rx_ajax_compat']))
+			if($responseMethod == 'JSON' || $responseMethod == 'JS_CALLBACK' || isset($_SERVER['HTTP_X_AJAX_COMPAT']) || isset($_POST['_rx_ajax_compat']))
 			{
 				self::_printJSONHeader();
 			}
--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@ -701,7 +701,7 @@ class ModuleHandler extends Handler
 		$procResult = $oModule->proc();

 		$methodList = array('XMLRPC' => 1, 'JSON' => 1, 'JS_CALLBACK' => 1);
-		if(!$oModule->stop_proc && !isset($methodList[Context::getRequestMethod()]) && !isset($_POST['_rx_ajax_form']))
+		if(!$oModule->stop_proc && !isset($methodList[Context::getRequestMethod()]) && !isset($_SERVER['HTTP_X_AJAX_TARGET']) && !isset($_POST['_rx_ajax_form']))
 		{
 			$error = $oModule->getError();
 			$message = $oModule->getMessage();
@ -1013,7 +1013,8 @@ class ModuleHandler extends Handler
 		if(!isset($methodList[Context::getRequestMethod()]))
 		{
 			// Handle iframe form submissions.
-			if(isset($_POST['_rx_ajax_form']) && starts_with('_rx_temp_iframe_', $_POST['_rx_ajax_form']))
+			$ajax_form_target = strval($_SERVER['HTTP_X_AJAX_TARGET'] ?? ($_POST['_rx_ajax_form'] ?? ''));
+			if($ajax_form_target !== '' && starts_with('_rx_temp_iframe_', $ajax_form_target))
 			{
 				$data = [];
 				if ($this->error)
@ -1029,7 +1030,7 @@ class ModuleHandler extends Handler
 				$data = array_merge($data, $oModule->getVariables());

 				ob_end_clean();
-				echo sprintf('<html><head></head><body><script>parent.XE.handleIframeResponse(%s, %s);</script></body></html>', json_encode(strval($_POST['_rx_ajax_form'])), json_encode($data));
+				echo sprintf('<html><head></head><body><script>parent.XE.handleIframeResponse(%s, %s);</script></body></html>', json_encode($ajax_form_target), json_encode($data));
 				return;
 			}

--- a/common/js/xml_handler.js
+++ b/common/js/xml_handler.js
@ -42,8 +42,6 @@
 		params = params ? ($.isArray(params) ? arr2obj(params) : params) : {};
 		params.module = module;
 		params.act = act;
-		params._rx_ajax_compat = 'XMLRPC';
-		params._rx_csrf_token = getCSRFToken();

 		// Decide whether or not to use SSL.
 		var url = request_uri;
@ -180,6 +178,10 @@
 				type : "POST",
 				dataType : "json",
 				data : params,
+				headers : {
+					'X-AJAX-Compat': 'XMLRPC',
+					'X-CSRF-Token': getCSRFToken()
+				},
 				success : successHandler,
 				error : errorHandler
 			});
@ -205,8 +207,6 @@
 			//if (action_parts.length != 2) return;
 			params.module = action_parts[0];
 			params.act = action_parts[1];
-			params._rx_ajax_compat = 'JSON';
-			params._rx_csrf_token = getCSRFToken();
 			request_info = params.module + "." + params.act;
 		}

@ -320,6 +320,10 @@
 				url: request_uri,
 				data: params,
 				processData: (action !== 'raw'),
+				headers : (action !== 'raw') ? {
+					'X-AJAX-Compat': 'JSON',
+					'X-CSRF-Token': getCSRFToken()
+				} : {},
 				success : successHandler,
 				error : errorHandler
 			});
--- a/modules/member/member.class.php
+++ b/modules/member/member.class.php
@ -11,7 +11,7 @@ class Member extends ModuleObject
 	 * Constants
 	 */
 	public const ADMIN_EXTRA_VARS = ['refused_reason', 'limited_reason'];
-	public const NOUSE_EXTRA_VARS = ['error_return_url', 'success_return_url', '_rx_ajax_compat', '_rx_csrf_token', 'ruleset', 'captchaType', 'use_editor', 'use_html'];
+	public const NOUSE_EXTRA_VARS = ['error_return_url', 'success_return_url', '_rx_ajax_compat', '_rx_ajax_form', '_rx_csrf_token', 'ruleset', 'captchaType', 'use_editor', 'use_html'];
 	public const STATUS_LIST = ['APPROVED', 'DENIED', 'UNAUTHED', 'SUSPENDED', 'DELETED'];

 	/**