1 ajax.inc ajax_set_verification_header()

Sets a response header for ajax.js to trust the response body.

It is not safe to invoke Ajax commands within user-uploaded files, so this header protects against those being invoked.

See also

Backdrop.ajax.options.success()

Related topics

File

core/includes/ajax.inc, line 636
Functions for use with Backdrop's Ajax framework.

Code

function ajax_set_verification_header() {
  $added = &backdrop_static(__FUNCTION__);

  // User-uploaded files cannot set any response headers, so a custom header is
  // used to indicate to ajax.js that this response is safe. Note that most
  // Ajax requests bound using the Form API will be protected by having the URL
  // flagged as trusted in Backdrop.settings, so this header is used only for
  // things like custom markup that gets Ajax behaviors attached.
  if (empty($added)) {
    backdrop_add_http_header('X-Backdrop-Ajax-Token', '1');
    // Avoid sending the header twice.
    $added = TRUE;
  }
}