<?php

/**
 * We don't automatically set this up, because it depends on server
 * configuration.
 * 
 * This is a sample, it's what I use on mckenzierobotics.org
 * So, it may help you to know that I have several systems interacting there.
 *   http://mckenzierobotics.org/         Base of entire site
 *   http://mckenzierobotics.org/wp/      WordPress
 *   http://mckenzierobotics.org/mm/      MessageManager
 * 
 * The 'conf' table for MessageManager has 'baseurl' set to '/mm/'; it does NOT
 * include the hostname.
 *
 * The idea of this approach is we inspect the HTTP_REFERER to decide if the
 * user came from an acceptable URL. This is tricky because this isn't
 * necessarily just URLs inside of MessageManager's "baseurl", and URLs from
 * inside of "baseurl" might not be trusted (like email body files). Note that
 * the Referer header is chosen by, and easily suppressed by, the client, so
 * this is a best-effort heuristic, not a substitute for a real CSRF token.
 */
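/**
 * Heuristic check that a state-changing request came from one of our own
 * pages, based on the Referer header.
 *
 * Despite the name this is really a CSRF-style origin check: it returns true
 * when the request should be treated as hostile, false otherwise. The caller
 * decides what to do with a true result.
 *
 * Decision rules, in order:
 *   - A request with no Referer at all is allowed (returns false). Referer is
 *     trivially suppressed by the sender, so this check is only a speed bump,
 *     not a real CSRF defence.
 *   - GET and HEAD are never treated as attacks (they should have no side
 *     effects). POST, PUT and any other method go through the referer checks.
 *   - A Referer outside http(s)://[www.]mckenzierobotics.org/ is an attack.
 *   - A Referer pointing at a file under MessageManager's messages/ directory
 *     (stored email bodies, which are untrusted content) is an attack.
 *
 * Fixes relative to the earlier version: the MessageManager URL was built
 * from undefined variables ($siteurl, $mmurl), so the "inside a message"
 * check matched "messages/" anywhere in the referer instead of only under
 * /mm/; and `case HEAD:` used a bare constant, which is an undefined-constant
 * error on modern PHP.
 *
 * @return bool true if the request looks like an attack, false if it looks
 *              like it came from a trusted page.
 */
function xss_attack() {
	// These are regex *fragments*, not literal strings: never preg_quote() them.
	$siteurl_re = '^https?://(www\.)?mckenzierobotics\.org/';// basic trusted base
	$mmurl_re = $siteurl_re.'mm/';// where MessageManager is (conf 'baseurl')

	// No Referer: we cannot tell where the user came from; allowed by design.
	if (!isset($_SERVER['HTTP_REFERER']))
		return false;

	$from = $_SERVER['HTTP_REFERER'];
	$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';

	switch ($method) {
	case 'GET':
	case 'HEAD':
		// Safe methods: nothing to protect.
		return false;
	default:
		// POST, PUT and anything else fall through to the referer checks.
		break;
	}

	// Anything not from our own host is an attack. A preg_match() failure
	// (false) is treated like "no match", i.e. we fail closed here.
	if (preg_match('@'.$siteurl_re.'@', $from) !== 1)
		return true;

	// Inside our host, but coming from a file under a message's directory:
	// those are stored email bodies, which we never trust. Anchored to the
	// MessageManager base so e.g. /wp/messages/... is not caught.
	$messages_re = '@'.$mmurl_re.preg_quote('messages/', '@').'.*/.@';
	if (preg_match($messages_re, $from) === 1)
		// Someone cleverly tried to XSS us from inside a message
		return true;

	return false;
}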