JHtmlForm is a utility class for form elements. It has two methods: token and csrf.
token() displays a hidden token field to reduce the risk of CSRF exploits. It is used in conjunction with JSession::checkToken(), which looks for a request field with exactly this name.
public static function token(array $attribs = array())
{
    $attributes = '';

    // Render any extra HTML attributes (e.g. array('class' => 'my-token')) as ' key="value"' pairs.
    if ($attribs !== array())
    {
        $attributes .= ' ' . ArrayHelper::toString($attribs);
    }

    // The field name is the session-specific token; JSession::checkToken() checks for this name.
    return '<input type="hidden" name="' . JSession::getFormToken() . '" value="1"' . $attributes . ' />';
}
csrf() adds the CSRF form token to the Joomla script options so that developers can retrieve it from JavaScript (via Joomla.getOptions) and send it with AJAX requests.
public static function csrf($name = 'csrf.token')
{
    // Register the option only once per request, per option name.
    if (isset(static::$loaded[__METHOD__][$name]))
    {
        return;
    }

    /** @var JDocumentHtml $doc */
    $doc = JFactory::getDocument();

    // Script options exist only for HTML documents; JSON, feed and other document types get nothing.
    if (!$doc instanceof JDocumentHtml || $doc->getType() !== 'html')
    {
        return;
    }

    // Exposed client-side as Joomla.getOptions($name).
    $doc->addScriptOptions($name, JSession::getFormToken());
    static::$loaded[__METHOD__][$name] = true;
}
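An added example, not from the Joomla documentation, showing how a hypothetical component com_example wires both helpers to JSession::checkToken(): the layout emits the hidden field for the normal form post and registers the script option for an AJAX post, and the controller rejects any request without a valid token before doing any work. Component, task and file names are assumptions.

```php
<?php
// Added example (hypothetical component "com_example"); not Joomla core code.

// ---- tmpl/edit.php: render the form and expose the token to JavaScript ----
defined('_JEXEC') or die;

// JHtml::_('form.csrf') calls JHtmlForm::csrf(), registering the token under 'csrf.token'.
JHtml::_('form.csrf');
JFactory::getDocument()->addScriptDeclaration(<<<'JS'
document.addEventListener('DOMContentLoaded', function () {
    // Read the token registered by JHtmlForm::csrf() and send it as a field
    // named <token>=1, exactly like the hidden input, so checkToken() accepts it.
    var token = Joomla.getOptions('csrf.token');
    var body = new URLSearchParams({title: 'saved via ajax'});
    body.append(token, '1');
    fetch('index.php?option=com_example&task=item.save&format=json', {
        method: 'POST', credentials: 'same-origin', body: body
    });
});
JS
);
?>
<form action="<?php echo JRoute::_('index.php?option=com_example&task=item.save'); ?>" method="post">
    <input type="text" name="title" />
    <?php // JHtml::_('form.token') calls JHtmlForm::token(): <input type="hidden" name="<token>" value="1" /> ?>
    <?php echo JHtml::_('form.token'); ?>
    <button type="submit">Save</button>
</form>

<?php
// ---- controllers/item.php: verify the token before changing any state ----
defined('_JEXEC') or die;

class ExampleControllerItem extends JControllerLegacy
{
    public function save()
    {
        // checkToken() looks in POST for a field named after the session token.
        // Both the HTML form and the fetch() call above satisfy it; a request
        // without the token (or with a stale one) is stopped here.
        if (!JSession::checkToken())
        {
            jexit(JText::_('JINVALID_TOKEN'));
        }

        // ... handle the save, then redirect or return JSON ...
    }
}
```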