tracking_kits/MVC/lib.HTMLSecurity.asp

<%
'=======================================================================================================================
' HTML SECURITY HELPER
'=======================================================================================================================
Class HTML_Security_Helper_Class

    '---------------------------------------------------------------------------------------------------------------------
    'Uses Scriptlet.TypeLib to generate a GUID. There may be a better/faster way than this to generate a nonce.
    Public Function Nonce()
        dim TL : set TL = CreateObject("Scriptlet.TypeLib") 
        Nonce = Left(CStr(TL.Guid), 38)    'avoids issue w/ strings appended after this token not being displayed on screen, MSFT bug
        set TL = Nothing
    End Function
    
    '---------------------------------------------------------------------------------------------------------------------
    'Name is probably the combined ControllerName and ActionName of the form generator by convention
    Public Sub SetAntiCSRFToken(name)
        Session(name & ".anti_csrf_token") = Nonce()
    End Sub
    
    '---------------------------------------------------------------------------------------------------------------------
    'Returns the CSRF token nonce from the session corresponding to the passed name
    Public Function GetAntiCSRFToken(name)
        dim token : token = Session(name & ".anti_csrf_token")
        If Len(token) = 0 then
            SetAntiCSRFToken name
        End If
        GetAntiCSRFToken = token
    End Function
    
    '---------------------------------------------------------------------------------------------------------------------
    'Removes the current CSRF token nonce for the passed name
    Public Sub ClearAntiCSRFToken(name)
        Session.Contents.Remove(name & ".anti_csrf_token")
    End Sub
    
    '---------------------------------------------------------------------------------------------------------------------
    'Returns true if passed nonce matches the stored CSRF token nonce for the specified name, false if not
    Public Function IsValidAntiCSRFToken(name, nonce)
        IsValidAntiCSRFToken = (GetAntiCSRFToken(name) = nonce)
    End Function
    
    '---------------------------------------------------------------------------------------------------------------------
    'If an invalid CSRF nonce is passed, sets the flash and redirects using the appropriate MVC.Redirect* method.
    'If a valid CSRF nonce is passed, clears it from the cache to reset the state to the beginning.
    Public Sub OnInvalidAntiCSRFTokenRedirectToAction(token_name, token, action_name)
        OnInvalidAntiCSRFTokenRedirectToExt token_name, token, MVC.ControllerName, action_name, empty
    End Sub
    
    Public Sub OnInvalidAntiCSRFTokenRedirectToActionExt(token_name, token, action_name, params)
        OnInvalidAntiCSRFTokenRedirectToExt token_name, token, MVC.ControllerName, action_name, params
    End Sub
    
    Public Sub OnInvalidAntiCSRFTokenRedirectTo(token_name, token, controller_name, action_name)
        OnInvalidAntiCSRFTokenRedirectToExt token_name, token, controller_name, action_name
    End Sub
    
    Public Sub OnInvalidAntiCSRFTokenRedirectToExt(token_name, token, controller_name, action_name, params)
        If IsValidAntiCSRFToken(token_name, token) then
            ClearAntiCSRFToken token_name
        Else
            ClearAntiCSRFToken token_name
            Flash.AddError "Invalid form state. Please try again."
            MVC.RedirectToExt controller_name, action_name, params
        End If
    End Sub
End Class


dim HTML_Security_Helper__Singleton
Function HTMLSecurity()
    If IsEmpty(HTML_Security_Helper__Singleton) Then
        set HTML_Security_Helper__Singleton = new HTML_Security_Helper_Class
    End If
    set HTMLSecurity = HTML_Security_Helper__Singleton
End Function
%>