From 385baf2db7c0f6771c1772eb087238a3e343f8a3 Mon Sep 17 00:00:00 2001
From: TheOnlyMace <0815cracky@gmail.com>
Date: Tue, 6 Jan 2026 21:49:24 +0100
Subject: [PATCH] Implement CSRF protection in contact form: Added session management and CSRF token validation to enhance security. Updated AJAX response handling in JavaScript to reset button state after submission.

---
 public/assets/js/contact.js | 4 ++++
 public/contact-handler.php | 20 ++++++++++++++++++++
 public/includes/functions.php | 5 +++++
 3 files changed, 29 insertions(+)

diff --git a/public/assets/js/contact.js b/public/assets/js/contact.js
index 5c9055b..0825812 100644
--- a/public/assets/js/contact.js
+++ b/public/assets/js/contact.js
@@ -77,6 +77,10 @@
     })
     .then(response => response.json())
     .then(data => {
+        // Reset button state
+        submitBtn.textContent = originalText;
+        submitBtn.disabled = false;
+
         if (data.success) {
             // Reset form
             form.reset();
diff --git a/public/contact-handler.php b/public/contact-handler.php
index 5510287..d553bac 100644
--- a/public/contact-handler.php
+++ b/public/contact-handler.php
@@ -4,12 +4,22 @@
  * E-Mail-Verarbeitung mit SMTP-Integration und Spam-Schutz
  */
 
+// Session starten für CSRF-Validierung
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+
 // Konfiguration laden
 require_once 'config.php';
 
 // Konfiguration verwenden
 $config = getHexaHostConfig();
 
+// CSRF-Token validieren
+function validateCSRFToken($token) {
+    return isset($_SESSION['csrf_token']) && hash_equals($_SESSION['csrf_token'], $token);
+}
+
 // CORS Headers für AJAX-Requests
 header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Methods: POST');
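Review bot: The button is only restored inside the `.then(data => ...)` handler, so when the fetch rejects (network failure) or `response.json()` throws on a non-JSON body, `submitBtn` stays disabled with the placeholder text. Moving the two reset lines into a `.finally(() => { submitBtn.textContent = originalText; submitBtn.disabled = false; })` appended to the chain restores the button on every outcome, including the new 403 path, and the added blank line and comment can go. The surrounding handler, including any `.catch`, starts and ends outside the hunk, so I cannot confirm whether the error branch already does this.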
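Review bot: `validateCSRFToken($token)` hands `$token` straight to `hash_equals()`, which in PHP 8 throws a `TypeError` for a non-string argument, and a request that submits `csrf_token[]=x` makes `$_POST['csrf_token']` an array that the `empty()` guard in the second hunk of this file does not filter out. A type check keeps the endpoint on its normal 403 path instead of an uncaught error: `function validateCSRFToken(mixed $token): bool { return is_string($token) && isset($_SESSION['csrf_token']) && hash_equals($_SESSION['csrf_token'], $token); }`. Separately, `session_start()` here runs with whatever cookie parameters are configured globally; if `config.php` does not set `session.cookie_samesite`/`cookie_httponly`, consider a comment stating where those are expected to be set, since the session cookie is what binds the token to the browser.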
@@ -329,6 +339,16 @@ function generateEmailText($data) {
 
 // Hauptverarbeitung
 try {
+    // CSRF-Token validieren
+    if (empty($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
+        http_response_code(403);
+        echo json_encode([
+            'success' => false,
+            'message' => 'Ungültige Sitzung. Bitte laden Sie die Seite neu und versuchen Sie es erneut.'
+        ]);
+        exit;
+    }
+
     // Rate Limiting Check
     $client_ip = $_SERVER['REMOTE_ADDR'];
     if (!checkRateLimit($client_ip)) {
diff --git a/public/includes/functions.php b/public/includes/functions.php
index aee3fac..2bfb38d 100644
--- a/public/includes/functions.php
+++ b/public/includes/functions.php
@@ -3,6 +3,11 @@
  * Helper functions for HexaHost.de
  */
 
+// Start session for CSRF token
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+
 /**
  * Set page configuration and include header
  *
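Review bot: The token check runs before `checkRateLimit($client_ip)`, so requests with a missing or invalid token are rejected without ever counting toward the per-IP limit; if the limiter is meant to throttle abusive clients generally, the two checks should probably be swapped. The branch also writes the response and calls `exit` inside the `try`, while the rest of the handler appears to route failures through the `catch` below — that `catch` and the rate-limit response are outside the hunk, so I cannot confirm the pattern, but throwing an exception that the existing handler converts to JSON would keep all error responses in one place. The `try` block starts here and ends outside the hunk.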
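Review bot: Starting a session at include time of a helper-functions file is a side effect that now fires for every page that includes it and must happen before any output, or `session_start()` emits a warning; a comment stating that constraint would help, e.g. `// Must run before any output: session cookie headers are sent here.` The hunk validates nothing and shows no token generation, so it is not visible where `$_SESSION['csrf_token']` is populated — if it is created elsewhere, naming that location in the comment (or doing it here with `$_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));`) makes the handler's `validateCSRFToken()` dependency explicit. The same guarded `session_start()` is duplicated in `contact-handler.php`; whether that file also includes this one is not visible, so the duplication may be intentional.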