From 0e33fd103c66fdcecbf38837308cbbe27033af01 Mon Sep 17 00:00:00 2001
From: slawkens <slawkens@gmail.com>
Date: Sat, 16 Sep 2023 09:23:51 +0200
Subject: [PATCH] feature: csrf protection

---
 admin/pages/accounts.php                      |  6 ++
 admin/pages/changelog.php                     |  5 +-
 admin/pages/dashboard.php                     |  2 +
 admin/pages/login.php                         |  2 +
 admin/pages/mailer.php                        |  2 +
 admin/pages/mass_account.php                  |  2 +
 admin/pages/mass_teleport.php                 |  2 +
 admin/pages/menus.php                         |  4 +
 admin/pages/modules/templates/web_status.twig |  1 +
 admin/pages/news.php                          |  9 +-
 admin/pages/notepad.php                       |  2 +
 admin/pages/players.php                       |  6 ++
 admin/pages/plugins.php                       |  3 +
 admin/tools/settings_save.php                 |  2 +
 system/functions.php                          | 23 +++++
 system/init.php                               |  9 ++
 system/logout.php                             |  5 +
 system/pages/account/change_email.php         |  8 +-
 system/settings.php                           |  6 ++
 system/src/CsrfToken.php                      | 95 +++++++++++++++++++
 .../templates/account.back_button.html.twig   |  1 +
 .../account.change_comment.html.twig          |  2 +
 .../templates/account.change_info.html.twig   |  4 +-
 .../templates/account.change_mail.html.twig   |  2 +
 .../templates/account.change_name.html.twig   |  2 +
 .../account.change_password.html.twig         |  4 +-
 system/templates/account.change_sex.html.twig |  2 +
 system/templates/account.create.html.twig     |  1 +
 .../account.create_character.html.twig        |  2 +
 .../account.delete_character.html.twig        |  4 +-
 ...ccount.generate_new_recovery_key.html.twig |  2 +
 .../account.generate_recovery_key.html.twig   |  4 +-
 system/templates/account.login.html.twig      |  4 +-
 system/templates/account.lost.form.html.twig  |  5 +-
 system/templates/account.management.html.twig |  8 ++
 .../templates/admin.changelog.form.html.twig  |  1 +
 system/templates/admin.login.html.twig        |  1 +
 system/templates/admin.mailer.html.twig       |  1 +
 system/templates/admin.menus.form.html.twig   |  1 +
 system/templates/admin.news.form.html.twig    |  1 +
 system/templates/admin.notepad.html.twig      |  1 +
 system/templates/admin.pages.form.html.twig   |  1 +
 system/templates/admin.plugins.form.html.twig |  1 +
 system/templates/admin.settings.html.twig     |  6 ++
 .../templates/admin.tools.account.html.twig   |  3 +
 system/templates/characters.html.twig         |  4 +-
 system/templates/faq.form.html.twig           |  9 +-
 system/templates/forum.add_board.html.twig    |  3 +-
 system/templates/forum.edit_post.html.twig    |  3 +-
 system/templates/forum.move_thread.html.twig  |  3 +-
 system/templates/forum.new_post.html.twig     |  1 +
 system/templates/forum.new_thread.html.twig   |  3 +-
 system/templates/gallery.form.html.twig       |  3 +-
 .../templates/guilds.accept_invite.html.twig  |  4 +-
 system/templates/guilds.back_button.html.twig |  3 +-
 .../guilds.change_description.html.twig       |  2 +
 system/templates/guilds.change_logo.html.twig |  2 +
 system/templates/guilds.change_motd.html.twig |  2 +
 system/templates/guilds.change_rank.html.twig |  4 +-
 system/templates/guilds.create.html.twig      |  4 +-
 .../templates/guilds.create.success.html.twig |  3 +-
 .../templates/guilds.delete_guild.html.twig   |  4 +-
 .../templates/guilds.delete_invite.html.twig  |  4 +-
 system/templates/guilds.invite.html.twig      |  3 +-
 system/templates/guilds.kick_player.html.twig |  4 +-
 system/templates/guilds.leave_guild.html.twig |  4 +-
 system/templates/guilds.list.html.twig        | 12 ++-
 system/templates/guilds.manager.html.twig     |  5 +-
 .../guilds.pass_leadership.html.twig          |  4 +-
 system/templates/guilds.view.html.twig        |  7 ++
 system/templates/templates.header.html.twig   |  2 +
 system/twig.php                               | 11 +++
 72 files changed, 332 insertions(+), 39 deletions(-)
 create mode 100644 system/src/CsrfToken.php

diff --git a/admin/pages/accounts.php b/admin/pages/accounts.php
index f3022e9c..1b440761 100644
--- a/admin/pages/accounts.php
+++ b/admin/pages/accounts.php
@@ -13,6 +13,9 @@ use MyAAC\Models\Player;
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Account editor';
+
+csrfProtect();
+
 $admin_base = ADMIN_URL . '?p=accounts';
 $use_datatable = true;
 
@@ -289,6 +292,7 @@ else if (isset($_REQUEST['search'])) {
 					<div class="tab-content" id="accounts-tabContent">
 						<div class="tab-pane fade active show" id="accounts-acc">
 							<form action="<?php echo $admin_base . ((isset($id) && $id > 0) ? '&id=' . $id : ''); ?>" method="post">
+								<?php csrf(); ?>
 								<div class="form-group row">
 									<?php if (USE_ACCOUNT_NAME): ?>
 										<div class="col-12 col-sm-12 col-lg-4">
@@ -581,6 +585,7 @@ else if (isset($_REQUEST['search'])) {
 				<div class="row">
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
+							<?php csrf(); ?>
 							<label for="name">Account Name:</label>
 							<div class="input-group input-group-sm">
 								<input type="text" class="form-control" name="search" value="<?php echo $search_account; ?>" maxlength="32" size="32">
@@ -590,6 +595,7 @@ else if (isset($_REQUEST['search'])) {
 					</div>
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
+							<?php csrf(); ?>
 							<label for="name">Account ID:</label>
 							<div class="input-group input-group-sm">
 								<input type="text" class="form-control" name="id" value="" maxlength="32" size="32">
diff --git a/admin/pages/changelog.php b/admin/pages/changelog.php
index 3d5cad64..34e7c01a 100644
--- a/admin/pages/changelog.php
+++ b/admin/pages/changelog.php
@@ -13,12 +13,15 @@ use MyAAC\Models\Changelog as ModelsChangelog;
 
 defined('MYAAC') or die('Direct access not allowed!');
 
+$title = 'Changelog';
+
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
 }
 
-$title = 'Changelog';
 $use_datatable = true;
 const CL_LIMIT = 600; // maximum changelog body length
 ?>
diff --git a/admin/pages/dashboard.php b/admin/pages/dashboard.php
index e24b98ad..a8a15e4c 100644
--- a/admin/pages/dashboard.php
+++ b/admin/pages/dashboard.php
@@ -10,6 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Dashboard';
 
+csrfProtect();
+
 if (isset($_GET['clear_cache'])) {
 	if (clearCache()) {
 		success('Cache cleared.');
diff --git a/admin/pages/login.php b/admin/pages/login.php
index 8bb25f36..eb6466d3 100644
--- a/admin/pages/login.php
+++ b/admin/pages/login.php
@@ -10,6 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Login';
 
+csrfProtect();
+
 require PAGES . 'account/login.php';
 if ($logged) {
 	header('Location: ' . (admin() ? ADMIN_URL : BASE_URL));
diff --git a/admin/pages/mailer.php b/admin/pages/mailer.php
index 732b7461..cf8ef241 100644
--- a/admin/pages/mailer.php
+++ b/admin/pages/mailer.php
@@ -10,6 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Mailer';
 
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_MAILER) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
diff --git a/admin/pages/mass_account.php b/admin/pages/mass_account.php
index 63bec54c..549310a5 100644
--- a/admin/pages/mass_account.php
+++ b/admin/pages/mass_account.php
@@ -16,6 +16,8 @@ defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Mass Account Actions';
 
+csrfProtect();
+
 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
 $hasPointsColumn = $db->hasColumn('accounts', 'premium_points');
 $freePremium = $config['lua']['freePremium'];
diff --git a/admin/pages/mass_teleport.php b/admin/pages/mass_teleport.php
index 5027fa1c..f2a7ee27 100644
--- a/admin/pages/mass_teleport.php
+++ b/admin/pages/mass_teleport.php
@@ -16,6 +16,8 @@ defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Mass Teleport Actions';
 
+csrfProtect();
+
 function admin_teleport_position($x, $y, $z) {
 	if (!Player::query()->update([
 		'posx' => $x, 'posy' => $y, 'posz' => $z
diff --git a/admin/pages/menus.php b/admin/pages/menus.php
index a0b492df..a6b06773 100644
--- a/admin/pages/menus.php
+++ b/admin/pages/menus.php
@@ -13,6 +13,8 @@ use MyAAC\Models\Menu;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Menus';
 
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_MENUS) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
@@ -93,6 +95,7 @@ if (isset($_REQUEST['template'])) {
 		</p>
 		<?php if (isset($config['menu_default_color'])) {?>
 		<form method="post" action="?p=menus&reset_colors" onsubmit="return confirm('Do you really want to reset colors?');">
+			<?php csrf(); ?>
 			<input type="hidden" name="template" value="<?php echo $template ?>"/>
 			<button type="submit" class="btn btn-danger">Reset Colors to default</button>
 		</form>
@@ -112,6 +115,7 @@ if (isset($_REQUEST['template'])) {
 	$last_id = array();
 	?>
 	<form method="post" id="menus-form" action="?p=menus">
+		<?php csrf(); ?>
 		<input type="hidden" name="template" value="<?php echo $template ?>"/>
 		<button type="submit" class="btn btn-info">Save</button><br/><br/>
 		<div class="row">
diff --git a/admin/pages/modules/templates/web_status.twig b/admin/pages/modules/templates/web_status.twig
index 2b0ec1e8..9b41f4c7 100644
--- a/admin/pages/modules/templates/web_status.twig
+++ b/admin/pages/modules/templates/web_status.twig
@@ -1,6 +1,7 @@
 <div class="col-12 col-md-6">
 	<div class="card card-warning card-outline">
 		<form action="?p=dashboard&maintenance" method="post" class="form-horizontal">
+			{{ csrf() }}
 			<div class="card-header">
 				<span class="m-0">Website Status<span class="float-right">
 				<div class="custom-control custom-switch custom-switch-off-danger custom-switch-on-success">
diff --git a/admin/pages/news.php b/admin/pages/news.php
index 81153e4f..b268966d 100644
--- a/admin/pages/news.php
+++ b/admin/pages/news.php
@@ -9,12 +9,15 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
+$title = 'News Panel';
+
+csrfProtect();
+
+$use_datatable = true;
+
 require_once LIBS . 'forum.php';
 require_once LIBS . 'news.php';
 
-$title = 'News Panel';
-$use_datatable = true;
-
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
diff --git a/admin/pages/notepad.php b/admin/pages/notepad.php
index c18d837e..d6c6358b 100644
--- a/admin/pages/notepad.php
+++ b/admin/pages/notepad.php
@@ -13,6 +13,8 @@ use MyAAC\Models\Notepad as ModelsNotepad;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Notepad';
 
+csrfProtect();
+
 /**
  * @var $account_logged OTS_Account
  */
diff --git a/admin/pages/players.php b/admin/pages/players.php
index b409c15e..210be048 100644
--- a/admin/pages/players.php
+++ b/admin/pages/players.php
@@ -13,6 +13,9 @@ use MyAAC\Models\Player;
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Player editor';
+
+csrfProtect();
+
 $player_base = ADMIN_URL . '?p=players';
 
 $use_datatable = true;
@@ -373,6 +376,7 @@ else if (isset($_REQUEST['search'])) {
 					</ul>
 				</div>
 				<form action="<?php echo $player_base . ((isset($id) && $id > 0) ? '&id=' . $id : ''); ?>" method="post">
+					<?php csrf(); ?>
 					<div class="card-body">
 						<div class="tab-content" id="tabs-tabContent">
 							<div class="tab-pane fade active show" id="tabs-home">
@@ -870,6 +874,7 @@ else if (isset($_REQUEST['search'])) {
 			<div class="card-body row">
 				<div class="col-6 col-lg-12">
 					<form action="<?php echo $player_base; ?>" method="post">
+						<?php csrf(); ?>
 						<label for="name">Player Name:</label>
 						<div class="input-group input-group-sm">
 							<input type="text" class="form-control" name="search" value="<?php echo $search_player; ?>" maxlength="32" size="32">
@@ -879,6 +884,7 @@ else if (isset($_REQUEST['search'])) {
 				</div>
 				<div class="col-6 col-lg-12">
 					<form action="<?php echo $player_base; ?>" method="post">
+						<?php csrf(); ?>
 						<label for="name">Player ID:</label>
 						<div class="input-group input-group-sm">
 							<input type="text" class="form-control" name="id" value="" maxlength="32" size="32">
diff --git a/admin/pages/plugins.php b/admin/pages/plugins.php
index be9df2b0..1f5a2352 100644
--- a/admin/pages/plugins.php
+++ b/admin/pages/plugins.php
@@ -9,6 +9,9 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Plugin manager';
+
+csrfProtect();
+
 $use_datatable = true;
 
 require_once LIBS . 'plugins.php';
diff --git a/admin/tools/settings_save.php b/admin/tools/settings_save.php
index 2fdd5fc4..500c83bb 100644
--- a/admin/tools/settings_save.php
+++ b/admin/tools/settings_save.php
@@ -16,6 +16,8 @@ if(!admin()) {
 	die('Access denied.');
 }
 
+csrfProtect();
+
 if (!isset($_REQUEST['plugin'])) {
 	http_response_code(500);
 	die('Please enter plugin name.');
diff --git a/system/functions.php b/system/functions.php
index 37f241bc..a9523587 100644
--- a/system/functions.php
+++ b/system/functions.php
@@ -9,6 +9,7 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
+use MyAAC\CsrfToken;
 use MyAAC\Models\Config;
 use MyAAC\Models\Guild;
 use MyAAC\Models\House;
@@ -1045,6 +1046,28 @@ function unsetSession($key) {
 	unset($_SESSION[setting('core.session_prefix') . $key]);
 }
 
+function csrf(): void {
+	CsrfToken::create();
+}
+
+function csrfToken(): string {
+	return CsrfToken::get();
+}
+
+function isValidToken(): bool {
+	$token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
+	return ($_SERVER['REQUEST_METHOD'] !== 'POST' || (isset($token) && CsrfToken::isValid($token)));
+}
+
+function csrfProtect(): void
+{
+	if (!isValidToken()) {
+		$lastUri = BASE_URL . str_replace_first('/', '', getSession('last_uri'));
+		echo 'Request has been cancelled due to security reasons - token is invalid. Go <a href="' . $lastUri . '">back</a>';
+		exit();
+	}
+}
+
 function getTopPlayers($limit = 5) {
 	global $db;
 
diff --git a/system/init.php b/system/init.php
index cf4b3f9b..a081f3e6 100644
--- a/system/init.php
+++ b/system/init.php
@@ -7,6 +7,9 @@
  * @copyright 2019 MyAAC
  * @link      https://my-aac.org
  */
+
+use MyAAC\CsrfToken;
+
 defined('MYAAC') or die('Direct access not allowed!');
 
 if(!isset($config['installed']) || !$config['installed']) {
@@ -132,6 +135,12 @@ require_once LIBS . 'Settings.php';
 $settings = Settings::getInstance();
 $settings->load();
 
+// csrf protection
+$token = getSession('csrf_token');
+if (!isset($token)) {
+	CsrfToken::generate();
+}
+
 // deprecated config values
 require_once SYSTEM . 'compat/config.php';
 
diff --git a/system/logout.php b/system/logout.php
index af443aa3..4f653ecb 100644
--- a/system/logout.php
+++ b/system/logout.php
@@ -7,6 +7,9 @@
  * @copyright 2019 MyAAC
  * @link      https://my-aac.org
  */
+
+use MyAAC\CsrfToken;
+
 defined('MYAAC') or die('Direct access not allowed!');
 
 if(isset($account_logged) && $account_logged->isLoaded()) {
@@ -15,6 +18,8 @@ if(isset($account_logged) && $account_logged->isLoaded()) {
 		unsetSession('password');
 		unsetSession('remember_me');
 
+		CsrfToken::generate();
+
 		$logged = false;
 		unset($account_logged);
 
diff --git a/system/pages/account/change_email.php b/system/pages/account/change_email.php
index 4168131c..90f5b54d 100644
--- a/system/pages/account/change_email.php
+++ b/system/pages/account/change_email.php
@@ -92,18 +92,22 @@ else
 	<tr>
 		<td width="30">&nbsp;</td>
 		<td align=left>
-			<form action="' . getLink('account/email') . '" method="post"><input type="hidden" name="changeemailsave" value=1 >
+			<form action="' . getLink('account/email') . '" method="post">
+				' . csrf() . '
+				<input type="hidden" name="changeemailsave" value=1 >
 				<INPUT TYPE=image NAME="I Agree" SRC="' . $template_path . '/images/global/buttons/sbutton_iagree.gif" BORDER=0 WIDTH=120 HEIGHT=17>
 			</form>
 		</td>
 		<td align=left>
 			<form action="' . getLink('account/email') . '" method="post">
+				' . csrf() . '
 				<input type="hidden" name="emailchangecancel" value=1 >
 				' . $twig->render('buttons.cancel.html.twig') . '
 			</form>
 		</td>
 		<td align=right>
 			<form action="?subtopic=accountmanagement" method="post" >
+				' . csrf() . '
 				' . $twig->render('buttons.back.html.twig') . '
 			</form>
 		</td>
@@ -125,6 +129,7 @@ else
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0" >
 				<form action="' .getLink('account/email') . '" method="post" >
+					' . csrf() . '
 					<tr>
 						<td style="border:0px;" >
 							<input type="hidden" name="emailchangecancel" value="1" >
@@ -137,6 +142,7 @@ else
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0" >
 				<form action="' . getLink('account/manage') . '" method="post" >
+					' . csrf() . '
 					<tr>
 						<td style="border:0px;" >
 							' . $twig->render('buttons.back.html.twig') . '
diff --git a/system/settings.php b/system/settings.php
index 29149e1f..d95e16d7 100644
--- a/system/settings.php
+++ b/system/settings.php
@@ -65,6 +65,12 @@ return [
 			'default' => false,
 			'is_config' => true,
 		],
+		'csrf_protection' => [
+			'name' => 'CSRF protection',
+			'type' => 'boolean',
+			'desc' => 'Its recommended to keep it enabled. Disable only if you know what you are doing.',
+			'default' => true,
+		],
 		'google_analytics_id' => [
 			'name' => 'Google Analytics ID',
 			'type' => 'text',
diff --git a/system/src/CsrfToken.php b/system/src/CsrfToken.php
new file mode 100644
index 00000000..4a92baf2
--- /dev/null
+++ b/system/src/CsrfToken.php
@@ -0,0 +1,95 @@
+<?php
+/**
+ * CsrfToken
+ *
+ * @package   MyAAC
+ * @author    Znote
+ * @author    Slawkens <slawkens@gmail.com>
+ * @copyright 2023 MyAAC
+ * @link      https://my-aac.org
+ */
+
+namespace MyAAC;
+
+class CsrfToken
+{
+	public static function generate(): void
+	{
+		$token = sha1(uniqid(time(), true));
+
+		setSession('csrf_token', $token);
+	}
+
+	/**
+	 * Displays a random token to prevent CSRF attacks.
+	 *
+	 * @access public
+	 * @static true
+	 * @return void
+	 **/
+	public static function create(): void {
+		echo '<input type="hidden" name="csrf_token" value="' . self::get() . '" />';
+	}
+
+	/**
+	 * Returns the active token, if there is one.
+	 *
+	 * @access public
+	 * @static true
+	 * @return mixed
+	 **/
+	public static function get(): mixed
+	{
+		$token = getSession('csrf_token');
+		return $token ?? false;
+	}
+
+	/**
+	 * Validates whether the active token is valid or not.
+	 *
+	 * @param string $post
+	 * @access public
+	 * @static true
+	 * @return boolean
+	 **/
+	public static function isValid($post): bool
+	{
+		if (!setting('core.csrf_protection')) {
+			return true;
+		}
+
+		// Token doesn't exist yet, return false.
+		if (!self::get()) {
+			return false;
+		}
+
+		return ($post == getSession('csrf_token'));
+	}
+
+	/**
+	 * Destroys the active token.
+	 *
+	 * @access protected
+	 * @static true
+	 * @return void
+	 **/
+	protected static function reset(): void {
+		unsetSession('csrf_token');
+	}
+
+	/**
+	 * Displays information on both the post token and the session token.
+	 *
+	 * @param string $post
+	 * @access public
+	 * @static true
+	 * @return void
+	 **/
+	public static function debug($post): void
+	{
+		echo '<pre>', var_export([
+			'post' => $post,
+			'token' => self::get()
+		], true), '</pre>';
+	}
+}
diff --git a/system/templates/account.back_button.html.twig b/system/templates/account.back_button.html.twig
index e4ed6884..e2d784ca 100644
--- a/system/templates/account.back_button.html.twig
+++ b/system/templates/account.back_button.html.twig
@@ -2,5 +2,6 @@
 	<br/>
 {% endif %}
 <form action="{% if action is not defined %}{{ getLink('account/manage') }}{% else %}{{ action }}{% endif %}" method="post">
+	{{ csrf() }}
 	{{ include('buttons.back.html.twig') }}
 </form>
diff --git a/system/templates/account.change_comment.html.twig b/system/templates/account.change_comment.html.twig
index c69e3f6b..6c133d2b 100644
--- a/system/templates/account.change_comment.html.twig
+++ b/system/templates/account.change_comment.html.twig
@@ -1,6 +1,7 @@
 Here you can see and edit the information about your character.<br/>
 If you do not want to specify a certain field, just leave it blank.<br/><br/>
 <form action="{{ getLink('account/character/comment') }}" method="post">
+	{{ csrf() }}
 	<div class="TableContainer" >
 		<table class="Table5" cellpadding="0" cellspacing="0">
 			<div class="CaptionContainer">
@@ -99,6 +100,7 @@ If you do not want to specify a certain field, just leave it blank.<br/><br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_info.html.twig b/system/templates/account.change_info.html.twig
index fb503e8e..067eabc5 100644
--- a/system/templates/account.change_info.html.twig
+++ b/system/templates/account.change_info.html.twig
@@ -1,5 +1,6 @@
 Here you can tell other players about yourself. This information will be displayed alongside the data of your characters. If you do not want to fill in a certain field, just leave it blank.<br/><br/>
-<form action="{{ getLink('account/info') }}" method=post>
+<form action="{{ getLink('account/info') }}" method="post">
+	{{ csrf() }}
 	<div class="TableContainer" >
 		<table class="Table1" cellpadding="0" cellspacing="0" >
 			<div class="CaptionContainer" >
@@ -88,6 +89,7 @@ Here you can tell other players about yourself. This information will be display
 </form>
 				<table border="0" cellspacing="0" cellpadding="0" >
 					<form action="{{ getLink('account/manage') }}" method="post" >
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;" >
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_mail.html.twig b/system/templates/account.change_mail.html.twig
index 35d64854..f093fbff 100644
--- a/system/templates/account.change_mail.html.twig
+++ b/system/templates/account.change_mail.html.twig
@@ -1,5 +1,6 @@
 Please enter your password and the new email address. Make sure that you enter a valid email address which you have access to. <br/><b>For security reasons, the actual change will be finalised after a waiting period of {{ setting('core.account_mail_change') }} days.</b><br/><br/>
 <form action="{{ getLink('account/email') }}" method="post">
+	{{ csrf() }}
 <div class="TableContainer">
 	<table class="Table1" cellpadding="0" cellspacing="0">
 		<div class="CaptionContainer">
@@ -58,6 +59,7 @@ Please enter your password and the new email address. Make sure that you enter a
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0">
 				<form action="{{ getLink('account/manage') }}" method="post">
+					{{ csrf() }}
 					<tr>
 						<td style="border:0px;">
 							{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_name.html.twig b/system/templates/account.change_name.html.twig
index 76c038d4..2f38bb60 100644
--- a/system/templates/account.change_name.html.twig
+++ b/system/templates/account.change_name.html.twig
@@ -1,6 +1,7 @@
 To change a name of character select player and choose a new name.<br/>
 <span style="color: red">Change name cost {{ setting('core.account_change_character_name_price') }} premium points. You have {{ points }} premium points.</span><br/><br/>
 <form action="{{ getLink('account/character/name') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="changenamesave" value="1">
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0">
@@ -64,6 +65,7 @@ To change a name of character select player and choose a new name.<br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_password.html.twig b/system/templates/account.change_password.html.twig
index d801a733..5a113d6a 100644
--- a/system/templates/account.change_password.html.twig
+++ b/system/templates/account.change_password.html.twig
@@ -1,6 +1,7 @@
 Please enter your current password and a new password. For your security, please enter the new password twice.<br/>
 <br/>
 <form action="{{ getLink('account/password') }}" method="post">
+	{{ csrf() }}
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0">
 			<div class="CaptionContainer">
@@ -66,6 +67,7 @@ Please enter your current password and a new password. For your security, please
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
@@ -75,4 +77,4 @@ Please enter your current password and a new password. For your security, please
 				</table>
 			</td>
 		</tr>
-	</table>
\ No newline at end of file
+	</table>
diff --git a/system/templates/account.change_sex.html.twig b/system/templates/account.change_sex.html.twig
index 24141f61..7e7fff32 100644
--- a/system/templates/account.change_sex.html.twig
+++ b/system/templates/account.change_sex.html.twig
@@ -1,6 +1,7 @@
 To change a sex of character select player and choose a new sex.<br/>
 <span style="color: red">Change sex cost {{ setting('core.account_change_character_sex_price') }} premium points. You have {{ points }} premium points.</span><br/><br/>
 <form action="{{ getLink('account/character/sex') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="changesexsave" value="1"/>
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0">
@@ -64,6 +65,7 @@ To change a sex of character select player and choose a new sex.<br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;" >
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.create.html.twig b/system/templates/account.create.html.twig
index 5f9ea910..6ff7b19d 100644
--- a/system/templates/account.create.html.twig
+++ b/system/templates/account.create.html.twig
@@ -1,5 +1,6 @@
 {{ hook('HOOK_ACCOUNT_CREATE_BEFORE_FORM') }}
 <form action="{{ getLink('account/create') }}" method="post" id="createaccount">
+	{{ csrf() }}
 	<div class="TableContainer" >
 		<table class="Table5" cellpadding="0" cellspacing="0" >
 			<div class="CaptionContainer" >
diff --git a/system/templates/account.create_character.html.twig b/system/templates/account.create_character.html.twig
index c116cec2..a860a8b1 100644
--- a/system/templates/account.create_character.html.twig
+++ b/system/templates/account.create_character.html.twig
@@ -7,6 +7,7 @@ In any case the name must not violate the naming conventions stated in the <a hr
 {% endif %}
 <br/><br/>
 <form action="{{ getLink('account/character/create') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="save" value="1">
 	<div class="TableContainer">
 		<table class="Table3" cellpadding="0" cellspacing="0">
@@ -135,6 +136,7 @@ In any case the name must not violate the naming conventions stated in the <a hr
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.delete_character.html.twig b/system/templates/account.delete_character.html.twig
index 4a481f3a..c5953cc7 100644
--- a/system/templates/account.delete_character.html.twig
+++ b/system/templates/account.delete_character.html.twig
@@ -1,5 +1,6 @@
 To delete a character enter the name of the character and your password.<br/><br/>
 <form action="{{ getLink('account/character/delete') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="deletecharactersave" value="1"/>
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0" >
@@ -54,6 +55,7 @@ To delete a character enter the name of the character and your password.<br/><br
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
@@ -63,4 +65,4 @@ To delete a character enter the name of the character and your password.<br/><br
 				</table>
 			</td>
 		</tr>
-	</table>
\ No newline at end of file
+	</table>
diff --git a/system/templates/account.generate_new_recovery_key.html.twig b/system/templates/account.generate_new_recovery_key.html.twig
index 6f3e5c50..9b28cebc 100644
--- a/system/templates/account.generate_new_recovery_key.html.twig
+++ b/system/templates/account.generate_new_recovery_key.html.twig
@@ -1,6 +1,7 @@
 To generate new recovery key for your account please enter your password.<br/>
 <span style="color: red"><b>New recovery key cost {{ setting('core.account_generate_new_reckey_price') }} Premium Points.</span> You have {{ points }} premium points. You will receive e-mail with this recovery key.</b><br/>
 <form action="{{ getLink('account/register/new') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="registeraccountsave" value="1">
 	<div class="TableContainer" >
 		<table class="Table1" cellpadding="0" cellspacing="0">
@@ -47,6 +48,7 @@ To generate new recovery key for your account please enter your password.<br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.generate_recovery_key.html.twig b/system/templates/account.generate_recovery_key.html.twig
index c1193edd..cb69476c 100644
--- a/system/templates/account.generate_recovery_key.html.twig
+++ b/system/templates/account.generate_recovery_key.html.twig
@@ -1,5 +1,6 @@
 To generate recovery key for your account please enter your password.<br/><br/>
 <form action="{{ getLink('account/register') }}" method="post">
+	{{ csrf() }}
 <input type="hidden" name="registeraccountsave" value="1"/>
 <div class="TableContainer">
 	<table class="Table1" cellpadding="0" cellspacing="0">
@@ -50,6 +51,7 @@ To generate recovery key for your account please enter your password.<br/><br/>
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0">
 				<form action="{{ getLink('account/manage') }}" method="post">
+					{{ csrf() }}
 					<tr>
 						<td style="border: 0px;">
 							{{ include('buttons.back.html.twig') }}
@@ -59,4 +61,4 @@ To generate recovery key for your account please enter your password.<br/><br/>
 			</table>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/account.login.html.twig b/system/templates/account.login.html.twig
index 2431f1d1..aec1e222 100644
--- a/system/templates/account.login.html.twig
+++ b/system/templates/account.login.html.twig
@@ -1,6 +1,7 @@
 {{ hook('HOOK_ACCOUNT_LOGIN_BEFORE_PAGE') }}
 Please enter your account {{ account|lower }} and your password.<br/><a href="{{ getLink('account/create') }}">Create an account</a> if you do not have one yet.<br/><br/>
-<form action="{{ getLink('account/manage') }}" method="post" >
+<form action="{{ getLink('account/manage') }}" method="post">
+	{{ csrf() }}
 	{% if redirect is not null %}
 		<input type="hidden" name="redirect" value="{{ redirect }}" />
 	{% endif %}
@@ -66,6 +67,7 @@ Please enter your account {{ account|lower }} and your password.<br/><a href="{{
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/lost') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.account_lost.html.twig') }}
diff --git a/system/templates/account.lost.form.html.twig b/system/templates/account.lost.form.html.twig
index 33456fd0..9c29ccd8 100644
--- a/system/templates/account.lost.form.html.twig
+++ b/system/templates/account.lost.form.html.twig
@@ -1,5 +1,6 @@
 The Lost Account Interface can help you to get back your account name and password. Please enter your character name and select what you want to do.<br/>
-<form action="?subtopic=lostaccount&action=step1" method=post>
+<form action="?subtopic=lostaccount&action=step1" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="character" value="">
 	<table cellspacing="1" cellpadding="4" border="0" width="100%">
 		<tr>
@@ -32,4 +33,4 @@ The Lost Account Interface can help you to get back your account name and passwo
 			</td>
 		</tr>
 	</table>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/account.management.html.twig b/system/templates/account.management.html.twig
index 95fc0975..a648f28e 100644
--- a/system/templates/account.management.html.twig
+++ b/system/templates/account.management.html.twig
@@ -68,6 +68,7 @@
 		<div style="text-align:center">
 			You can register your account for increased protection. Click on "Register Account" and get your free recovery key today!<br/>
 			<form action="{{ getLink('account/register') }}" method="post">
+				{{ csrf() }}
 				{% set button_name = 'Register Account' %}
 				{% include('buttons.base.html.twig') %}
 			</form>
@@ -80,6 +81,7 @@
 				A request has been submitted to change the email address of this account to <b>{{ email_new }}</b>. After <b>{{ email_new_time|date("j F Y, G:i:s") }}</b> you can accept the new email address and finish the process. Please cancel the request if you do not want your email address to be changed! Also cancel the request if you have no access to the new email address!
 
 				<form action="{{ getLink('account/email') }}" method="post">
+					{{ csrf() }}
 					{% set button_name = 'Edit' %}
 					{% include('buttons.base.html.twig') %}
 				</form>
@@ -99,6 +101,7 @@
 				<td style="width: 90px;">Email Address:</td>
 				<td>{{ account_email ~ email_change }}
 					<form action="{{ getLink('account/email') }}" method="post">
+						{{ csrf() }}
 						{% set button_name = 'Change Email' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -137,6 +140,7 @@
 			</tr>
 		</table>
 		<form action="{{ getLink('account/info') }}" method="post">
+			{{ csrf() }}
 			{% set button_name = 'Change Info' %}
 			{% include('buttons.base.html.twig') %}
 		</form>
@@ -188,6 +192,7 @@
 			<tr>
 				<td>
 					<form action="{{ getLink('account/character/create') }}" method="post" >
+						{{ csrf() }}
 						{% set button_name = 'Create Character' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -195,6 +200,7 @@
 				{% if setting('core.account_change_character_name') %}
 				<td>
 					<form action="{{ getLink('account/character/name') }}" method="post" >
+						{{ csrf() }}
 						{% set button_name = 'Change Name' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -203,6 +209,7 @@
 				{% if setting('core.account_change_character_sex') %}
 				<td>
 					<form action="{{ getLink('account/character/sex') }}" method="post" >
+						{{ csrf() }}
 						{% set button_name = 'Change Sex' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -210,6 +217,7 @@
 				{% endif %}
 				<td>
 					<form action="{{ getLink('account/character/delete') }}" method="post">
+						{{ csrf() }}
 						{% set button_name = 'Delete Character' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
diff --git a/system/templates/admin.changelog.form.html.twig b/system/templates/admin.changelog.form.html.twig
index 99b90f7a..1d4c1b99 100644
--- a/system/templates/admin.changelog.form.html.twig
+++ b/system/templates/admin.changelog.form.html.twig
@@ -4,6 +4,7 @@
 			<h5 class="m-0">{{ (action == 'edit') ? 'Edit' : 'Add' }}</h5>
 		</div>
 		<form role="form" method="post" action="{{ cl_link_form }}" id="cl-edit-form">
+			{{ csrf() }}
 			<div class="card-body">
 				{% if action == 'edit' %}
 					<input type="hidden" name="id" value="{{ cl_id }}"/>
diff --git a/system/templates/admin.login.html.twig b/system/templates/admin.login.html.twig
index acbcf040..afba47e1 100644
--- a/system/templates/admin.login.html.twig
+++ b/system/templates/admin.login.html.twig
@@ -19,6 +19,7 @@
 				<p class="login-box-msg">Please login.</p>
 
 				<form method="post" action="{{ constant('ADMIN_URL') }}">
+					{{ csrf() }}
 					<div class="input-group mb-3">
 						<div class="input-group-prepend">
 							<span class="input-group-text"><i class="fa fa-lock"></i></span>
diff --git a/system/templates/admin.mailer.html.twig b/system/templates/admin.mailer.html.twig
index eaf32213..0b77ccb3 100644
--- a/system/templates/admin.mailer.html.twig
+++ b/system/templates/admin.mailer.html.twig
@@ -9,6 +9,7 @@
 		<h5 class="m-0">Mailer</h5>
 	</div>
 	<form id="form" method="post">
+		{{ csrf() }}
 		<div class="card-body">
 			<div class="form-group row">
 				<label for="mail_to">To: (enter email, or leave empty to all)</label>
diff --git a/system/templates/admin.menus.form.html.twig b/system/templates/admin.menus.form.html.twig
index da4c126b..ae5c4dd1 100644
--- a/system/templates/admin.menus.form.html.twig
+++ b/system/templates/admin.menus.form.html.twig
@@ -4,6 +4,7 @@
 	</div>
 	<div class="card-body">
 		<form method="post" action="?p=menus">
+			{{ csrf() }}
 			<p>Please choose template in which you want to edit menu items.</p>
 			<div class="col-md-6">
 				<div class="input-group input-group-sm">
diff --git a/system/templates/admin.news.form.html.twig b/system/templates/admin.news.form.html.twig
index ddad9dd9..e1fca8f9 100644
--- a/system/templates/admin.news.form.html.twig
+++ b/system/templates/admin.news.form.html.twig
@@ -4,6 +4,7 @@
 			<h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} news</h5>
 		</div>
 		<form id="form" role="form" method="post" action="{{ news_link_form }}">
+			{{ csrf() }}
 			<div class="card-body " id="page-edit-table">
 				{% if action == 'edit' %}
 					<input type="hidden" name="id" value="{{ news_id }}"/>
diff --git a/system/templates/admin.notepad.html.twig b/system/templates/admin.notepad.html.twig
index d3dc5000..43bac7f4 100644
--- a/system/templates/admin.notepad.html.twig
+++ b/system/templates/admin.notepad.html.twig
@@ -3,6 +3,7 @@
 		<h5 class="m-0">Notepad</h5>
 	</div>
 	<form method="post">
+		{{ csrf() }}
 		<div class="card-body">
 			<div class="form-group">
 				<label>This is your personal notepad. Be sure to save it each time you modify something.</label>
diff --git a/system/templates/admin.pages.form.html.twig b/system/templates/admin.pages.form.html.twig
index ae666294..f3522133 100644
--- a/system/templates/admin.pages.form.html.twig
+++ b/system/templates/admin.pages.form.html.twig
@@ -4,6 +4,7 @@
 			<h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} page</h5>
 		</div>
 		<form id="form" class="form-horizontal" method="post" action="?p=pages&action={% if action == 'edit' %}edit{% else %}new{% endif %}">
+			{{ csrf() }}
 			{% if action == 'edit' %}
 				<input type="hidden" name="id" value="{{ id }}"/>
 			{% endif %}
diff --git a/system/templates/admin.plugins.form.html.twig b/system/templates/admin.plugins.form.html.twig
index 8f43b908..3a049184 100644
--- a/system/templates/admin.plugins.form.html.twig
+++ b/system/templates/admin.plugins.form.html.twig
@@ -4,6 +4,7 @@
 			<h5 class="m-0">Install plugin</h5>
 		</div>
 		<form enctype="multipart/form-data" method="post" action="{{ constant('ADMIN_URL') }}?p=plugins">
+			{{ csrf() }}
 			<div class="card-body">
 				<input type="hidden" name="upload_plugin"/>
 
diff --git a/system/templates/admin.settings.html.twig b/system/templates/admin.settings.html.twig
index e5d3ef9b..89a38a95 100644
--- a/system/templates/admin.settings.html.twig
+++ b/system/templates/admin.settings.html.twig
@@ -74,6 +74,12 @@
 <link rel="stylesheet" type="text/css" href="{{ constant('BASE_URL') }}tools/css/toastify.min.css">
 <script type="text/javascript" src="{{ constant('BASE_URL') }}tools/js/toastify.min.js"></script>
 <script>
+	$.ajaxSetup({
+		headers: {
+			'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
+		}
+	});
+
 	$('#settings').submit(function(e) {
 		e.preventDefault();
 
diff --git a/system/templates/admin.tools.account.html.twig b/system/templates/admin.tools.account.html.twig
index ee32fc99..7e79d38c 100644
--- a/system/templates/admin.tools.account.html.twig
+++ b/system/templates/admin.tools.account.html.twig
@@ -6,6 +6,7 @@
 				<h5 class="m-0">Give Premium Points</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_account">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="form-group">
 						<label>Premium Points</label>
@@ -28,6 +29,7 @@
 				<h5 class="m-0">Give Coins</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_account">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="form-group">
 						<label>Coins</label>
@@ -50,6 +52,7 @@
 				<h5 class="m-0">Give Premium Days</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_account">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="form-group">
 						<label>Premium Days</label>
diff --git a/system/templates/characters.html.twig b/system/templates/characters.html.twig
index 865c39ca..b4d8b359 100644
--- a/system/templates/characters.html.twig
+++ b/system/templates/characters.html.twig
@@ -106,6 +106,7 @@
 							<td>{{ house.name ~ house.town ~ house.add }}</td>
 							<td>
 								<form action="?subtopic=houses&page=view" method="post">
+									{{ csrf() }}
 									<input type="hidden" name="house" value="{{ house.name }}">
 									<input type="image" name="View" alt="View" src="{{ template_path }}/images/global/buttons/sbutton_view.gif" border="0" width="120">
 								</form>
@@ -402,7 +403,8 @@
 				<td>{% if player.isOnline() %}<b><span style="color: green">Online</span></b>{% endif %}</td>
 				<td>
 					<table border="0" cellspacing="0" cellpadding="0">
-						<form action="{{ getLink('characters') }}" method=post>
+						<form action="{{ getLink('characters') }}" method="post">
+							{{ csrf() }}
 							<tr>
 								<td>
 									<input type="hidden" name="name" value="{{ player.getName() }}"/>
diff --git a/system/templates/faq.form.html.twig b/system/templates/faq.form.html.twig
index 8a62d2bd..7dbc4ad2 100644
--- a/system/templates/faq.form.html.twig
+++ b/system/templates/faq.form.html.twig
@@ -1,7 +1,8 @@
 <form method="post" action="{{ link }}">
-    {% if action == 'edit' %}
-        <input type="hidden" name="id" value="{{ id }}" />
-    {% endif %}
+	{{ csrf() }}
+	{% if action == 'edit' %}
+		<input type="hidden" name="id" value="{{ id }}" />
+	{% endif %}
 	<table width="100%" border="0" cellspacing="1" cellpadding="4">
 		<tr>
 			<td bgcolor="{{ config.vdarkborder }}" class="white"><b>{% if action == 'edit' %}Edit{% else %}Add{% endif %} FAQ</b></td>
@@ -23,4 +24,4 @@
 			</td>
 		</tr>
 	</table>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/forum.add_board.html.twig b/system/templates/forum.add_board.html.twig
index f46d3a06..2dbfe963 100644
--- a/system/templates/forum.add_board.html.twig
+++ b/system/templates/forum.add_board.html.twig
@@ -1,4 +1,5 @@
 <form method="post" action="{{ link }}">
+	{{ csrf() }}
 	{% if action == 'edit_board' %}
 	<input type="hidden" name="id" value="{{ id }}" />
 	{% endif %}
@@ -44,4 +45,4 @@
 			</td>
 		</tr>
 	</table>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/forum.edit_post.html.twig b/system/templates/forum.edit_post.html.twig
index cd1e2a51..188bbaf6 100644
--- a/system/templates/forum.edit_post.html.twig
+++ b/system/templates/forum.edit_post.html.twig
@@ -1,5 +1,6 @@
 <br/>
 <form action="{{ getLink('forum') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="action" value="edit_post" />
 	<input type="hidden" name="id" value="{{ post_id }}" />
 	<input type="hidden" name="save" value="save" />
@@ -49,4 +50,4 @@
 	<div style="text-align:center">
 		<input type="submit" value="Save Post" />
 	</div>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/forum.move_thread.html.twig b/system/templates/forum.move_thread.html.twig
index 4188cb75..4a5981b2 100644
--- a/system/templates/forum.move_thread.html.twig
+++ b/system/templates/forum.move_thread.html.twig
@@ -25,6 +25,7 @@
 							<input type="submit" value="Move Thread">
 						</form>
 						<form action="{{ section_link }}" method="post">
+							{{ csrf() }}
 							<input type="submit" value="Cancel">
 						</form>
 					</td>
@@ -32,4 +33,4 @@
 			</table>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/forum.new_post.html.twig b/system/templates/forum.new_post.html.twig
index 6220cddb..ac07c311 100644
--- a/system/templates/forum.new_post.html.twig
+++ b/system/templates/forum.new_post.html.twig
@@ -1,4 +1,5 @@
 <form action="?" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="action" value="new_post" />
 	<input type="hidden" name="thread_id" value=" {{ thread_id }}" />
 	<input type="hidden" name="subtopic" value="forum" />
diff --git a/system/templates/forum.new_thread.html.twig b/system/templates/forum.new_thread.html.twig
index 77efec37..3b5e080d 100644
--- a/system/templates/forum.new_thread.html.twig
+++ b/system/templates/forum.new_thread.html.twig
@@ -1,4 +1,5 @@
 <form action="?" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="action" value="new_thread" />
 	<input type="hidden" name="section_id" value="{{ section_id }}" />
 	<input type="hidden" name="subtopic" value="forum" />
@@ -45,4 +46,4 @@
 	<div style="text-align:center">
 		<input type="submit" value="Post Thread" />
 	</div>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/gallery.form.html.twig b/system/templates/gallery.form.html.twig
index 8b5b21e7..1c285ba2 100644
--- a/system/templates/gallery.form.html.twig
+++ b/system/templates/gallery.form.html.twig
@@ -1,4 +1,5 @@
 <form method="post" action="{{ link }}">
+	{{ csrf() }}
 	{% if action == 'edit' %}
 	<input type="hidden" name="id" value="{{ id }}" />
 	{% endif %}
@@ -29,4 +30,4 @@
 		</tr>
 	</table>
 </form>
-<br/><br/>
\ No newline at end of file
+<br/><br/>
diff --git a/system/templates/guilds.accept_invite.html.twig b/system/templates/guilds.accept_invite.html.twig
index 8d174473..c3fde96c 100644
--- a/system/templates/guilds.accept_invite.html.twig
+++ b/system/templates/guilds.accept_invite.html.twig
@@ -8,6 +8,7 @@
 	<tr bgcolor="{{ config.darkborder }}">
 		<td>
 			<form action="?subtopic=guilds&action=accept_invite&guild={{ guild_name }}&todo=save" method="post">
+				{{ csrf() }}
 				{% set i = 0 %}
 				{% for player in invited_players %}
 				<input type="radio" name="name" id="name_{{ i }}" value="{{ player }}" /><label for="name_{{ i }}">{{ player }}</label>
@@ -24,9 +25,10 @@
 		<tr>
 			<td>
 				<form action="{{ getLink('guilds') ~ '/' ~ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
 		</tr>
 	</table>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.back_button.html.twig b/system/templates/guilds.back_button.html.twig
index c1f009f8..d6ce0de4 100644
--- a/system/templates/guilds.back_button.html.twig
+++ b/system/templates/guilds.back_button.html.twig
@@ -3,6 +3,7 @@
 {% endif %}
 <div style="text-align:center">
 	<form action="{% if action is not defined %}{{ getLink('guilds') }}{% else %}{{ action }}{% endif %}" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.change_description.html.twig b/system/templates/guilds.change_description.html.twig
index 97cb866c..c9abc5dc 100644
--- a/system/templates/guilds.change_description.html.twig
+++ b/system/templates/guilds.change_description.html.twig
@@ -1,12 +1,14 @@
 <div style="text-align:center"><h2>Change guild description</h2></div>
 Here you can change description of your guild.<br/>
 <form enctype="multipart/form-data" action="?subtopic=guilds&guild={{ guild.getName() }}&action=change_description" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="todo" value="save"/>
 	<textarea name="description" cols="60" rows="{{ setting('core.guild_description_lines_limit') - 1 }}">{{ guild.getCustomField('description')|raw }}</textarea><br>
 	(max. {{ setting('core.guild_description_lines_limit') }} lines, max. {{ setting('core.guild_description_chars_limit') }} chars) <input type="submit" value="Save description"/></form><br/>
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
 </div>
diff --git a/system/templates/guilds.change_logo.html.twig b/system/templates/guilds.change_logo.html.twig
index 3194858f..9577b175 100644
--- a/system/templates/guilds.change_logo.html.twig
+++ b/system/templates/guilds.change_logo.html.twig
@@ -1,6 +1,7 @@
 <div style="text-align:center"><h2>Change guild logo</h2></div>
 Here you can change logo of your guild.<br/>Actuall logo: <img src="{{ constant('GUILD_IMAGES_DIR') }}{{ guild_logo }}" height="64" width="64"><br/><br/>
 <form enctype="multipart/form-data" action="?subtopic=guilds&guild={{ guild.getName() }}&action=change_logo" method="post" id="upload_form">
+	{{ csrf() }}
 	<input type="hidden" name="todo" value="save" />
 	<input type="hidden" name="MAX_FILE_SIZE" value="{{ max_image_size_b }}" />
 	Select new logo: <input name="newlogo" id="newlogo" type="file" />
@@ -10,6 +11,7 @@ Only <b>jpg, gif, png, bmp</b> pictures. Max. size: <b>{{ setting('core.guild_im
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
 </div>
diff --git a/system/templates/guilds.change_motd.html.twig b/system/templates/guilds.change_motd.html.twig
index eae3fe67..ab91f67d 100644
--- a/system/templates/guilds.change_motd.html.twig
+++ b/system/templates/guilds.change_motd.html.twig
@@ -1,12 +1,14 @@
 <div style="text-align:center"><h2>Change guild MOTD</h2></div>
 Here you can change MOTD (Message of the Day, showed in game!) of your guild.<br/>
 <form enctype="multipart/form-data" action="?subtopic=guilds&guild={{ guild.getName() }}&action=change_motd" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="todo" value="save"/>
 	<textarea name="motd" cols="60" rows="3">{{ guild.getCustomField('motd')|raw }}</textarea><br/>
 	(max. {{ setting('core.guild_motd_chars_limit') }} chars) <input type="submit" value="Save MOTD" /></form><br/>
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
 </div>
diff --git a/system/templates/guilds.change_rank.html.twig b/system/templates/guilds.change_rank.html.twig
index a3011254..ee28bf3f 100644
--- a/system/templates/guilds.change_rank.html.twig
+++ b/system/templates/guilds.change_rank.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=change_rank&guild={{ guild_name }}&todo=save" method="post">
+	{{ csrf() }}
 	<table border="0" cellspacing="1" cellpadding="4" width="100%">
 		<tr bgcolor="{{ config.vdarkborder }}"><td class="white"><b>Change Rank</b></td></tr>
 		<tr bgcolor="{{ config.darkborder }}">
@@ -29,9 +30,10 @@
 		<td>
 			<div style="text-align:center">
 				<form action="?subtopic=guilds&action=show&guild={{ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</div>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/guilds.create.html.twig b/system/templates/guilds.create.html.twig
index eb09ec2a..5def076b 100644
--- a/system/templates/guilds.create.html.twig
+++ b/system/templates/guilds.create.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=create&todo=save" method="post">
+	{{ csrf() }}
 	<table width="100%" border="0" cellspacing="1" cellpadding="4">
 		<tr>
 			<td bgcolor="{{ config.vdarkborder }}" class="white"><B>Create a {{ config.lua.serverName }} Guild</b></td>
@@ -47,6 +48,7 @@
 			</td>
 			<td align="center">
 				<form  action="?subtopic=guilds" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
@@ -54,4 +56,4 @@
 				<img src="{{ template_path }}/images/general/blank.gif" width="120" height="1" border="0"><br>
 			</td>
 		</tr>
-	</table>
\ No newline at end of file
+	</table>
diff --git a/system/templates/guilds.create.success.html.twig b/system/templates/guilds.create.success.html.twig
index 354a0300..c3f8900e 100644
--- a/system/templates/guilds.create.success.html.twig
+++ b/system/templates/guilds.create.success.html.twig
@@ -14,9 +14,10 @@
 		<td>
 			<div style="text-align:center">
 				<form action="{{ getLink('guilds') ~ '/' ~ guild_name }}" method="post">
+				{{ csrf() }}
 				{{ include('buttons.submit.html.twig') }}
 				</form>
 			</div>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/guilds.delete_guild.html.twig b/system/templates/guilds.delete_guild.html.twig
index 063e3fdc..bd40f1e1 100644
--- a/system/templates/guilds.delete_guild.html.twig
+++ b/system/templates/guilds.delete_guild.html.twig
@@ -20,6 +20,7 @@
 						<tr>
 							<td>Are you sure you want delete guild <b>{{ guild.getName() }}</b>?<br/>
 								<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=delete_guild" method="post">
+									{{ csrf() }}
 									<input type="hidden" name="todo" value="save"/>
 									<input type="submit" value="Yes, delete"/>
 								</form>
@@ -34,6 +35,7 @@
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.delete_invite.html.twig b/system/templates/guilds.delete_invite.html.twig
index 771617e9..833086db 100644
--- a/system/templates/guilds.delete_invite.html.twig
+++ b/system/templates/guilds.delete_invite.html.twig
@@ -8,15 +8,17 @@
 		<tr>
 			<td align="right" width="50%">
 				<form action="?subtopic=guilds&action=delete_invite&guild={{ guild_name }}&name={{ player_name }}&todo=save" method="post">
+				{{ csrf() }}
 				{{ include('buttons.submit.html.twig') }}
 				</form>
 			</td>
 			<td style="width: 10px; "></td>
 			<td>
 				<form action="?subtopic=guilds&action=show&guild={{ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
 		</tr>
 	</table>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.invite.html.twig b/system/templates/guilds.invite.html.twig
index df822e59..9b10bf4e 100644
--- a/system/templates/guilds.invite.html.twig
+++ b/system/templates/guilds.invite.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=invite&guild={{ guild_name }}&todo=save" method="post">
+	{{ csrf() }}
 	Invite player with name:&nbsp;&nbsp;<input type="text" name="name">&nbsp;&nbsp;&nbsp;&nbsp;
 	{{ include('buttons.submit.html.twig') }}
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/guilds.kick_player.html.twig b/system/templates/guilds.kick_player.html.twig
index 881195be..00c02b25 100644
--- a/system/templates/guilds.kick_player.html.twig
+++ b/system/templates/guilds.kick_player.html.twig
@@ -8,15 +8,17 @@
 		<tr>
 			<td align="right" width="50%">
 				<form action="?subtopic=guilds&action=kick_player&guild={{ guild_name }}&name={{ player_name }}&todo=save" method="post">
+					{{ csrf() }}
 					{{ include('buttons.submit.html.twig') }}
 				</form>
 			</td>
 			<td style="width: 10px;"></td>
 			<td>
 				<form action="{{ getLink('guilds') ~ '/' ~ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
 		</tr>
 	</table>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.leave_guild.html.twig b/system/templates/guilds.leave_guild.html.twig
index 989e1134..7acfa253 100644
--- a/system/templates/guilds.leave_guild.html.twig
+++ b/system/templates/guilds.leave_guild.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=leave_guild&guild={{ guild_name }}&todo=save" METHOD="post">
+	{{ csrf() }}
 <table border="0" cellspacing="1" cellpadding="4" width="100%">
 	<tr bgcolor="{{ config.vdarkborder }}">
 		<td class="white"><b>Leave guild</b></td></tr>
@@ -27,8 +28,9 @@
 </form>
 		<td>
 			<form action="?subtopic=guilds&action=show&guild={{ guild_name }}" method="post">
+				{{ csrf() }}
 				{{ include('buttons.back.html.twig') }}
 			</form>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/guilds.list.html.twig b/system/templates/guilds.list.html.twig
index 1f7903a6..a95a2750 100644
--- a/system/templates/guilds.list.html.twig
+++ b/system/templates/guilds.list.html.twig
@@ -61,6 +61,7 @@
 																			<tr>
 																				<td style="border:0;">
 																					<form action="{{ guild.link }}" method="post">
+																						{{ csrf() }}
 																						{{ include('buttons.view.html.twig') }}
 																					</form>
 																				</td>
@@ -82,11 +83,10 @@
 															<td>
 																<table border="0" cellpadding="0" cellspacing="0" width="100%">
 																	<form action="?subtopic=guilds&action=create" method="post">
-																		<form action="?subtopic=guilds&action=create" method="post">
-																			{% set button_name = 'Found Guild' %}
-																			{% set button_image = '_sbutton_foundguild' %}
-																			{% include('buttons.base.html.twig') %}
-																		</form>
+																		{{ csrf() }}
+																		{% set button_name = 'Found Guild' %}
+																		{% set button_image = '_sbutton_foundguild' %}
+																		{% include('buttons.base.html.twig') %}
 																	</form>
 																</table>
 															</td>
@@ -128,6 +128,7 @@
 						{% if logged %}
 						No guild found that suits your needs?
 						<form action="?subtopic=guilds&action=create" method="post">
+							{{ csrf() }}
 							{% set button_name = 'Found Guild' %}
 							{% set button_image = '_sbutton_foundguild' %}
 							{% include('buttons.base.html.twig') %}
@@ -136,6 +137,7 @@
 						<b>Before you can create a guild you must login.</b>
 						<br/>
 						<form action="?subtopic=accountmanagement&redirect={{ getLink('guilds') }}" method="post">
+							{{ csrf() }}
 							{% include('buttons.login.html.twig') %}
 						</form>
 						{% endif %}
diff --git a/system/templates/guilds.manager.html.twig b/system/templates/guilds.manager.html.twig
index ff733be0..16dc6082 100644
--- a/system/templates/guilds.manager.html.twig
+++ b/system/templates/guilds.manager.html.twig
@@ -76,6 +76,7 @@ Here you can change names of ranks, delete and add ranks, pass leadership to oth
 							<td width="120" valign="top">New rank name:</td>
 							<td>
 								<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=add_rank" method="post">
+									{{ csrf() }}
 									<input type="text" name="rank_name" size="20"/>
 									<input type="submit" value="Add"/>
 								</form>
@@ -89,6 +90,7 @@ Here you can change names of ranks, delete and add ranks, pass leadership to oth
 </div>
 <div style="text-align:center"><h3>Change rank names and levels</h3></div>
 <form action="?subtopic=guilds&action=save_ranks&guild={{ guild.getName() }}" method="post">
+	{{ csrf() }}
 	<table style="clear:both" border="0" cellpadding="0" cellspacing="0" width="100%">
 		<tr bgcolor="{{ config.vdarkborder }}">
 			<td rowspan="2" width="120" align="center">
@@ -163,6 +165,7 @@ Here you can change names of ranks, delete and add ranks, pass leadership to oth
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&action=show&guild={{ guild.getName() }}" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.pass_leadership.html.twig b/system/templates/guilds.pass_leadership.html.twig
index 04d7d211..0524835d 100644
--- a/system/templates/guilds.pass_leadership.html.twig
+++ b/system/templates/guilds.pass_leadership.html.twig
@@ -20,6 +20,7 @@
 						<tr>
 							<td>Pass leadership to: </b><br>
 								<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=pass_leadership" method="post">
+									{{ csrf() }}
 									<input type="hidden" name="todo" value="save"/>
 									<input type="text" size="40" name="player"/>
 									<input type="submit" value="Save">
@@ -35,6 +36,7 @@
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.view.html.twig b/system/templates/guilds.view.html.twig
index f3da843e..a815379b 100644
--- a/system/templates/guilds.view.html.twig
+++ b/system/templates/guilds.view.html.twig
@@ -142,6 +142,7 @@
 																	<td>
 																		{% set playerName = player.getName() %}
 																		<form action="?subtopic=guilds&action=change_nick&name={{ playerName }}&guild={{ guild_name }}" method="post">
+																			{{ csrf() }}
 																			{{ getPlayerLink(playerName, true)|raw }}
 
 																			{% set showGuildNick = false %}
@@ -290,6 +291,7 @@
 													<tr>
 														{% if not logged %}
 															<form action="?subtopic=accountmanagement&redirect={{ getGuildLink(guild_name|url_encode, false) }}" method="post">
+																{{ csrf() }}
 																<td>
 																	{{ include('buttons.login.html.twig') }}
 																</td>
@@ -297,6 +299,7 @@
 														{% else %}
 															{% if show_accept_invite > 0 %}
 																<form action="?subtopic=guilds&action=accept_invite&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		<input type="image" name="Accept Invite" alt="Accept Invite" src="{{ template_path }}/images/global/buttons/sbutton_acceptinvite.png" style="width: 120px; height: 20px;">
 																	</td>
@@ -305,6 +308,7 @@
 
 															{% if isVice %}
 																<form action="?subtopic=guilds&action=invite&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		{% set button_name = 'Invite Character' %}
 																		{% set button_image = '_sbutton_invitecharacter' %}
@@ -313,6 +317,7 @@
 																</form>
 
 																<form action="?subtopic=guilds&action=change_rank&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		{% set button_name = 'Edit Ranks' %}
 																		{% set button_image = '_sbutton_editranks' %}
@@ -323,6 +328,7 @@
 
 															{% if players_from_account_in_guild|length > 0 %}
 																<form action="?subtopic=guilds&action=leave_guild&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		{% set button_name = 'Leave Guild' %}
 																		{% set button_image = '_sbutton_leaveguild' %}
@@ -333,6 +339,7 @@
 														{% endif %}
 
 														<form action="{{ getLink('guilds') }}" method="post">
+															{{ csrf() }}
 															<td style="float: right">
 																{{ include('buttons.back.html.twig') }}
 															</td>
diff --git a/system/templates/templates.header.html.twig b/system/templates/templates.header.html.twig
index fa9665f5..cded84de 100644
--- a/system/templates/templates.header.html.twig
+++ b/system/templates/templates.header.html.twig
@@ -1,6 +1,8 @@
 <meta charset="{{ charset }}">
 <meta http-equiv="content-language" content="{{ config.language }}" />
 <meta http-equiv="content-type" content="text/html; charset={{ charset }}" />
+<!-- CSRF Token -->
+<meta name="csrf-token" content="{{ csrfToken() }}">
 {% if not is_admin %}
 <base href="{{ constant('BASE_URL') }}" />
 <title>{{ title }}</title>
diff --git a/system/twig.php b/system/twig.php
index 5eb35c68..d929c869 100644
--- a/system/twig.php
+++ b/system/twig.php
@@ -9,6 +9,7 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
+use MyAAC\CsrfToken;
 use Twig\Environment as Twig_Environment;
 use Twig\Extension\DebugExtension as Twig_DebugExtension;
 use Twig\Loader\FilesystemLoader as Twig_FilesystemLoader;
@@ -118,6 +119,16 @@ $function = new TwigFunction('getCustomPage', function ($name) {
 });
 $twig->addFunction($function);
 
+$function = new TwigFunction('csrf', function () {
+	csrf();
+});
+$twig->addFunction($function);
+
+$function = new TwigFunction('csrfToken', function () {
+	return csrfToken();
+});
+$twig->addFunction($function);
+
 $filter = new TwigFilter('urlencode', function ($s) {
 	return urlencode($s);
 });