// SecurityForm launcher
(function (previousOnload) {
	// chain onto whatever onload handler was already registered, then start SecurityForm
	window.onload = function (evt) {
		if (previousOnload) previousOnload(evt);

		// string hashing function (provided externally by the page).
		// It must be the same algorithm the form action endpoint uses to verify the login.
		SecurityForm.Hash = hex_md5;

		SecurityForm(
			"secure-form",		// form id, change it if it is not correct
			"secure-form-user",	// user input id, change it if it is not correct
			"secure-form-pass"	// password input id, change it if it is not correct
		);
	};
})(window.onload);

// SecurityForm function
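function SecurityForm(

	formId,		// unique form id
	userId,		// unique user input id
	passId		// unique password input id

) {

	/** private nested functions */

	// return the element with the given id (document.all fallback for very old browsers)
	function get(id){
		return document.getElementById ? document.getElementById(id) : document.all[id];
	}

	// return a string safe to embed as a query-string value.
	// encodeURIComponent is the only one of the three that escapes "&", "=", "+" and "#",
	// so a user name or password containing those cannot split or corrupt the query string;
	// encodeURI and escape are kept only as fallbacks for engines that lack it.
	// (feature-tested with typeof so a misspelled property lookup cannot silently pick a fallback)
	function encode(str){
		if(typeof encodeURIComponent === "function")
			return encodeURIComponent(str);
		if(typeof encodeURI === "function")
			return encodeURI(str);
		return escape(str);
	}

	// return the string without leading AND trailing whitespace
	// (the g flag is required, otherwise only the first alternative that matches is removed)
	function trim(str){
		return str.replace(/^\s+|\s+$/g, "");
	}

	// load src as a <script> element (JSONP-style request).
	// Whatever form.action returns is executed in this page, so form.action must point at a
	// trusted, same-origin endpoint. The reply is expected to call SecurityForm.onload(salt)
	// (server side is not visible here - confirm).
	// onerror: a failed request leaves working mode again, otherwise the form stays stuck
	// until the page is reloaded.
	function script(src){
		var el = document.createElement("script");
		el.type = "text/javascript";
		el.src = src;
		el.onerror = function(){ SecurityForm.working = false; };
		document.body.appendChild(el);
	}

	// wire the form: disable autocomplete, clear the placeholder text, hook the submit event
	function init(form, user, pass){

		// discourage the browser from storing the typed credentials
		user.setAttribute("autocomplete", "off");
		pass.setAttribute("autocomplete", "off");

		// remove WCAG default text and focus the username field
		user.value = "";
		user.focus();

		// submit handler; always returns false so the browser never posts the raw form itself
		form.onsubmit = function(){

			// strip surrounding spaces from user name and password
			user.value = trim(user.value);
			pass.value = trim(pass.value);

			// one request at a time, and only when both fields are filled in
			if(!SecurityForm.working && user.value && pass.value) {

				// switch SecurityForm into working mode
				SecurityForm.working = true;

				// called by the script loaded below, with the server-provided salt
				SecurityForm.onload = function(salt){

					// redirect to the admin area with the login data in the query string.
					// NOTE(review): everything in this URL (user name, challenge hash, salt) ends up
					// in browser history, Referer headers and web-server/proxy logs; a POST would keep
					// it out of those. Exposing the hash is only acceptable if the server accepts each
					// salt once - confirm server side.
					document.location.href = form.action.concat("?",

						// clear user name, encoded so "&" / "=" cannot split the query
						user.name, "=", encode(user.value), "&",

						// Hash(salt + Hash(password)): the clear password never leaves the page and the
						// value is bound to this salt, so a captured value cannot simply be replayed.
						// To verify it the server must hold Hash(password), which makes that stored
						// value password-equivalent; SecurityForm.Hash is whatever the launcher installs
						// (hex_md5 above), i.e. a fast digest, not a password-hashing function.
						pass.name, "=", SecurityForm.Hash(salt.concat(SecurityForm.Hash(pass.value))), "&",

						// echo the salt so the server can recompute the hash
						"uniqid=", salt
					);
				};

				// ask the server for a salt for this user (reply is executed as script, see script())
				script(form.action.concat("?salt=", encode(user.value)));
			}
			return false;
		};
	}

	/** apply SecurityForm */
	init(get(formId), get(userId), get(passId));
}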
