Hi Guys,
I have spent the last few hours on this and I'm beyond stuck.
I need to append a token onto every href, src and action attribute in existing HTML output so the token can be checked on each page load to prevent Cross Site Request Forgery (CSRF) attacks. We already have POST variables checked with a token but our security auditor says GET needs to be checked too.
So....
Can anyone help? We need to use preg_replace or maybe preg_replace_callback to do this.
e.g.
href="?" becomes href="?token=abc"
href="?key=value" becomes href="?key=value&token=abc"
href="admin.php?key=value" becomes href="admin.php?key=value&token=abc"
href="admin.php?" becomes href="admin.php?token=abc"
href="admin.php" becomes href="admin.php?token=abc"
I have spent hours on this and have achieved nothing. Are there any regex gurus out there who can show me how awesome they are?
I have experimented with the code here:
http://stackoverflow.com/questions/2848919/preg-replace-function-to-append-a-string-to-all-the-hyperlinks-of-a-page
It doesn't quite work.
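
One way to do the rewrite described in this post with preg_replace_callback, as an added example that is not part of the original post. The function name append_csrf_token, the token value and the sample HTML are made up for illustration, and it assumes attribute values are quoted and that only relative URLs should receive the token.

```php
<?php
// Added example; the function name, $token value and sample HTML are constructed.
function append_csrf_token(string $html, string $token): string
{
    // href/src/action with a single- or double-quoted value; the lookbehind
    // keeps attributes such as data-href from matching.
    $pattern = '/(?<![\w-])(href|src|action)\s*=\s*(["\'])(.*?)\2/is';

    return preg_replace_callback($pattern, function (array $m) use ($token): string {
        [, $attr, $quote, $url] = $m;

        // Assumption: only relative URLs get the token. Anything with a
        // scheme (http:, mailto:, javascript:), protocol-relative URLs and
        // pure fragments are returned unchanged, so the token is never
        // sent to another host.
        if (preg_match('~^(?:[a-z][a-z0-9+.\-]*:|//|#)~i', $url)) {
            return $m[0];
        }

        // Keep any #fragment at the end of the rewritten URL.
        [$base, $fragment] = array_pad(explode('#', $url, 2), 2, null);

        if (strpos($base, '?') === false) {
            $sep = '?';   // admin.php  -> admin.php?token=abc
        } elseif (in_array(substr($base, -1), ['?', '&'], true)) {
            $sep = '';    // admin.php? -> admin.php?token=abc
        } else {
            $sep = '&';   // ?key=value -> ?key=value&token=abc
        }

        $url = $base . $sep . 'token=' . rawurlencode($token);
        if ($fragment !== null) {
            $url .= '#' . $fragment;
        }
        return $attr . '=' . $quote . $url . $quote;
    }, $html) ?? $html;   // fall back to the input if PCRE reports an error
}

// Constructed sample: the five cases from the post, plus two that must not change.
$sample = implode("\n", [
    '<a href="?">1</a>',
    '<a href="?key=value">2</a>',
    '<a href="admin.php?key=value">3</a>',
    '<a href="admin.php?">4</a>',
    '<form action="admin.php" method="post"></form>',
    '<img src="https://cdn.example/logo.png">',
    '<a href="#top">top</a>',
]);
echo append_csrf_token($sample, 'abc'), "\n";
```

For forms submitted with method="get", browsers replace the query string in the action URL with the form fields, so those forms need the token as a hidden input rather than in the action attribute.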