From 6494bd2c0c5c9a0440b60a3381f89d58609212cd Mon Sep 17 00:00:00 2001
From: slawkens <slawkens@gmail.com>
Date: Tue, 30 Jan 2024 22:40:40 +0100
Subject: [PATCH] Add optional $return = false parameter to the csrf function

---
 system/functions.php                  |  4 ++--
 system/pages/account/change_email.php | 10 +++++-----
 system/src/CsrfToken.php              | 10 ++++++++--
 system/twig.php                       |  4 ++--
 4 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/system/functions.php b/system/functions.php
index 7a807c72..6fa0e6bc 100644
--- a/system/functions.php
+++ b/system/functions.php
@@ -1064,8 +1064,8 @@ function unsetSession($key) {
 	unset($_SESSION[setting('core.session_prefix') . $key]);
 }
 
-function csrf(): void {
-	CsrfToken::create();
+function csrf(bool $return = false): string {
+	return CsrfToken::create($return);
 }
 
 function csrfToken(): string {
diff --git a/system/pages/account/change_email.php b/system/pages/account/change_email.php
index 90f5b54d..811cebb4 100644
--- a/system/pages/account/change_email.php
+++ b/system/pages/account/change_email.php
@@ -93,21 +93,21 @@ else
 		<td width="30">&nbsp;</td>
 		<td align=left>
 			<form action="' . getLink('account/email') . '" method="post">
-				' . csrf() . '
+				' . csrf(true) . '
 				<input type="hidden" name="changeemailsave" value=1 >
 				<INPUT TYPE=image NAME="I Agree" SRC="' . $template_path . '/images/global/buttons/sbutton_iagree.gif" BORDER=0 WIDTH=120 HEIGHT=17>
 			</form>
 		</td>
 		<td align=left>
 			<form action="' . getLink('account/email') . '" method="post">
-				' . csrf() . '
+				' . csrf(true) . '
 				<input type="hidden" name="emailchangecancel" value=1 >
 				' . $twig->render('buttons.cancel.html.twig') . '
 			</form>
 		</td>
 		<td align=right>
 			<form action="?subtopic=accountmanagement" method="post" >
-				' . csrf() . '
+				' . csrf(true) . '
 				' . $twig->render('buttons.back.html.twig') . '
 			</form>
 		</td>
@@ -129,7 +129,7 @@ else
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0" >
 				<form action="' .getLink('account/email') . '" method="post" >
-					' . csrf() . '
+					' . csrf(true) . '
 					<tr>
 						<td style="border:0px;" >
 							<input type="hidden" name="emailchangecancel" value="1" >
@@ -142,7 +142,7 @@ else
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0" >
 				<form action="' . getLink('account/manage') . '" method="post" >
-					' . csrf() . '
+					' . csrf(true) . '
 					<tr>
 						<td style="border:0px;" >
 							' . $twig->render('buttons.back.html.twig') . '
diff --git a/system/src/CsrfToken.php b/system/src/CsrfToken.php
index 4a92baf2..641a47e1 100644
--- a/system/src/CsrfToken.php
+++ b/system/src/CsrfToken.php
@@ -27,8 +27,14 @@ class CsrfToken
 	 * @static true
 	 * @return void
 	 **/
-	public static function create(): void {
-		echo '<input type="hidden" name="csrf_token" value="' . self::get() . '" />';
+	public static function create(bool $return = false): string {
+		$input = '<input type="hidden" name="csrf_token" value="' . self::get() . '" />';
+		if ($return) {
+			return $input;
+		}
+
+		echo $input;
+		return '';
 	}
 
 	/**
diff --git a/system/twig.php b/system/twig.php
index 12189638..ad17b24a 100644
--- a/system/twig.php
+++ b/system/twig.php
@@ -126,8 +126,8 @@ $function = new TwigFunction('getCustomPage', function ($name) {
 });
 $twig->addFunction($function);
 
-$function = new TwigFunction('csrf', function () {
-	csrf();
+$function = new TwigFunction('csrf', function ($return = false) {
+	return csrf($return);
 });
 $twig->addFunction($function);