xamxam/app/public/admin/actions/page.php

<?php
/**
 * Save handler for static page content (Markdown).
 * Supports both regular form POST and AJAX auto-save requests.
 */
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[page.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | slug=' . ($_POST['slug'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();

$isAjax = (!empty($_SERVER['HTTP_ACCEPT']) && str_contains($_SERVER['HTTP_ACCEPT'], 'application/json'))
       || !empty($_SERVER['HTTP_HX_REQUEST']);

if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    if ($isAjax) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Erreur de sécurité : token invalide.']);
        exit;
    }
    App::flash('error', 'Erreur de sécurité : token invalide.');
    header('Location: /admin/contenus.php');
    exit;
}

$allowedSlugs = ['about', 'licenses', 'charte'];
$slug         = $_POST['slug'] ?? '';
$content      = $_POST['content'] ?? '';

if (!in_array($slug, $allowedSlugs, true)) {
    if ($isAjax) {
        http_response_code(400);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Slug de page invalide.']);
        exit;
    }
    App::flash('error', 'Slug de page invalide.');
    header('Location: /admin/contenus.php');
    exit;
}

require_once APP_ROOT . '/src/Database.php';
require_once APP_ROOT . '/src/AdminLogger.php';
require_once APP_ROOT . '/src/ErrorHandler.php';
$db = new Database();

try {
    $db->savePage($slug, $content);
    AdminLogger::make()->logPageEdit($slug);

    if ($isAjax) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
        header('Content-Type: application/json');
        echo json_encode([
            'success' => true,
            'csrf_token' => $_SESSION['csrf_token'],
        ]);
        exit;
    }
    App::flash('success', 'Page « ' . htmlspecialchars($slug) . ' » mise à jour.');
} catch (Exception $e) {
    ErrorHandler::log('page', $e);
    $msg = 'Erreur lors de la sauvegarde : ' . ErrorHandler::userMessage($e);
    if ($isAjax) {
        http_response_code(500);
        header('Content-Type: application/json');
        echo json_encode(['error' => $msg]);
        exit;
    }
    App::flash('error', $msg);
}

$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
header('Location: /admin/contenus.php');
exit;