Support sending all _rx_* POST fields as HTTP headers instead

하위호환성, 부가기능 등을 위한 _rx_* POST 필드가 점점 많아짐에 따라 모두 헤더로 대체할 수 있도록 지원하고, 앞으로 점점 헤더로 바꿀 예정 CSRF 토큰은 예전부터 X-CSRF-Token 헤더를 지원했음
2026-01-04 01:01:41 +09:00 · 2023-08-27 23:32:31 +09:00 · 2023-08-27 23:32:31 +09:00 · 06e736178b
commit 06e736178b
parent dc492345da
5 changed files with 17 additions and 11 deletions
--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@ -701,7 +701,7 @@ class ModuleHandler extends Handler
 		$procResult = $oModule->proc();

 		$methodList = array('XMLRPC' => 1, 'JSON' => 1, 'JS_CALLBACK' => 1);
-		if(!$oModule->stop_proc && !isset($methodList[Context::getRequestMethod()]) && !isset($_POST['_rx_ajax_form']))
+		if(!$oModule->stop_proc && !isset($methodList[Context::getRequestMethod()]) && !isset($_SERVER['HTTP_X_AJAX_TARGET']) && !isset($_POST['_rx_ajax_form']))
 		{
 			$error = $oModule->getError();
 			$message = $oModule->getMessage();
@ -1013,7 +1013,8 @@ class ModuleHandler extends Handler
 		if(!isset($methodList[Context::getRequestMethod()]))
 		{
 			// Handle iframe form submissions.
-			if(isset($_POST['_rx_ajax_form']) && starts_with('_rx_temp_iframe_', $_POST['_rx_ajax_form']))
+			$ajax_form_target = strval($_SERVER['HTTP_X_AJAX_TARGET'] ?? ($_POST['_rx_ajax_form'] ?? ''));
+			if($ajax_form_target !== '' && starts_with('_rx_temp_iframe_', $ajax_form_target))
 			{
 				$data = [];
 				if ($this->error)
@ -1029,7 +1030,7 @@ class ModuleHandler extends Handler
 				$data = array_merge($data, $oModule->getVariables());

 				ob_end_clean();
-				echo sprintf('<html><head></head><body><script>parent.XE.handleIframeResponse(%s, %s);</script></body></html>', json_encode(strval($_POST['_rx_ajax_form'])), json_encode($data));
+				echo sprintf('<html><head></head><body><script>parent.XE.handleIframeResponse(%s, %s);</script></body></html>', json_encode($ajax_form_target), json_encode($data));
 				return;
 			}