1.20.x ajax.inc ajax_set_verification_header()

Sets a response header that tells ajax.js it can trust the response body.

It is not safe to invoke Ajax commands contained in user-uploaded files, so this header guards against such commands being invoked.

See also

Backdrop.ajax.options.success()

File

includes/ajax.inc, line 642
Functions for use with Backdrop's Ajax framework.

Code

function ajax_set_verification_header() {
  $added = &backdrop_static(__FUNCTION__);

  // User-uploaded files cannot set any response headers, so a custom header is
  // used to indicate to ajax.js that this response is safe. Note that most
  // Ajax requests bound using the Form API will be protected by having the URL
  // flagged as trusted in Backdrop.settings, so this header is used only for
  // things like custom markup that gets Ajax behaviors attached.
  if (empty($added)) {
    backdrop_add_http_header('X-Backdrop-Ajax-Token', '1');
    // Avoid sending the header twice.
    $added = TRUE;
  }
}
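
The client-side decision this header feeds, as an added example that is not Backdrop's ajax.js source: a simplified model in which a response's commands are invoked only when the URL is flagged as trusted or the header is present with the value '1'. The `trustedUrls` map, the function names and the sample responses are assumptions made for the illustration.

```javascript
// Added example: a simplified model of the trust decision, not Backdrop's ajax.js.
const VERIFICATION_HEADER = 'X-Backdrop-Ajax-Token';

// HTTP header names are case-insensitive, so normalise before comparing.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return null;
}

// trustedUrls is a hypothetical stand-in for the per-URL "trusted" flags that
// the server places in Backdrop.settings for Form API Ajax requests.
function mayInvokeCommands(response, trustedUrls) {
  if (trustedUrls[response.url] === true) {
    return { allowed: true, reason: 'trusted URL' };
  }
  // Strict comparison: only the exact value sent by
  // ajax_set_verification_header() counts.
  if (getHeader(response.headers, VERIFICATION_HEADER) === '1') {
    return { allowed: true, reason: 'verification header' };
  }
  return { allowed: false, reason: 'failed verification' };
}

function classify(responses, trustedUrls) {
  return responses.map((r) => ({ url: r.url, ...mayInvokeCommands(r, trustedUrls) }));
}

// Constructed sample data (not captured traffic).
const TRUSTED_URLS = { '/system/ajax': true };
const SAMPLE_RESPONSES = [
  // Form API request: URL flagged as trusted, header not needed.
  { url: '/system/ajax', headers: {}, body: '[{"command":"insert"}]' },
  // Custom markup with Ajax behaviors attached: relies on the header.
  { url: '/example/custom-callback',
    headers: { 'x-backdrop-ajax-token': '1' }, body: '[{"command":"insert"}]' },
  // User-uploaded file whose content looks like Ajax commands: a file
  // cannot set response headers, so it fails verification.
  { url: '/files/upload.txt',
    headers: { 'Content-Type': 'text/plain' }, body: '[{"command":"insert"}]' },
];

console.log(classify(SAMPLE_RESPONSES, TRUSTED_URLS));
```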