From 3e6e9d2e06b25f0fecdf2d5cb1cf0ff80a83db53 Mon Sep 17 00:00:00 2001
From: Alan Hardman <alanaktion@gmail.com>
Date: Sun, 8 Aug 2021 12:12:08 -0600
Subject: [PATCH 1/4] Limiting cookie access to same-origin

---
 index.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/index.php b/index.php
index 0f74e86c..78fc70b3 100644
--- a/index.php
+++ b/index.php
@@ -14,6 +14,7 @@
     "FALLBACK" => "en",
     "CACHE" => true,
     "AUTOLOAD" => "app/;lib/vendor/",
+    "JAR.samesite" => "Strict",
     "PACKAGE" => "Phproject",
     "TZ" => "UTC",
     "microtime" => microtime(true),

From c05563328060a3cca6f8463c9d3e6cf37fb3dc56 Mon Sep 17 00:00:00 2001
From: Alan Hardman <alanaktion@gmail.com>
Date: Fri, 10 Sep 2021 13:00:05 -0600
Subject: [PATCH 2/4] Adding CSRF token protection

This adds a CSRF token to the session, and requires/validates that token for all web-based POST requests. It is sent by default as a header with each jQuery XHR and available as a <csrf-token /> tag in the templating engine for use in forms.
---
 app/controller.php                          |  8 ++++
 app/controller/admin.php                    | 33 +++++++------
 app/controller/backlog.php                  |  3 ++
 app/controller/index.php                    | 12 ++++-
 app/controller/issues.php                   | 26 ++++++++--
 app/controller/taskboard.php                |  3 ++
 app/controller/user.php                     |  3 ++
 app/helper/security.php                     | 30 ++++++++++++
 app/helper/template.php                     | 11 +++++
 app/routes.ini                              | 27 +++++------
 app/view/admin/config.html                  |  1 +
 app/view/admin/groups.html                  | 10 +++-
 app/view/admin/groups/edit.html             | 16 +++++--
 app/view/admin/index.html                   |  1 +
 app/view/admin/sprints/edit.html            |  1 +
 app/view/admin/sprints/new.html             |  1 +
 app/view/admin/users.html                   |  7 +--
 app/view/admin/users/deleted.html           | 16 +++++--
 app/view/admin/users/edit.html              |  1 +
 app/view/blocks/footer.html                 |  7 ++-
 app/view/blocks/head.html                   |  1 +
 app/view/blocks/issue-list/bulk-update.html |  1 +
 app/view/blocks/navbar-public.html          |  1 +
 app/view/blocks/navbar.html                 | 12 ++++-
 app/view/index/login.html                   |  2 +
 app/view/index/reset.html                   |  1 +
 app/view/index/reset_complete.html          |  1 +
 app/view/index/reset_forced.html            |  1 +
 app/view/issues/edit-form.html              |  1 +
 app/view/issues/single.html                 | 53 ++++++++++++++-------
 app/view/taskboard/index.html               |  1 +
 app/view/user/account.html                  |  4 ++
 app/view/user/dashboard-widget-modal.html   |  1 +
 index.php                                   |  6 +++
 js/global.js                                |  7 +++
 35 files changed, 245 insertions(+), 65 deletions(-)
 create mode 100644 app/helper/template.php

diff --git a/app/controller.php b/app/controller.php
index 0c77aaa9..3a841e9c 100644
--- a/app/controller.php
+++ b/app/controller.php
@@ -91,4 +91,12 @@ public function now($time = true)
     {
         return $time ? date("Y-m-d H:i:s") : date("Y-m-d");
     }
+
+    /**
+     * Validate the request's CSRF token, exiting if invalid
+     */
+    protected function validateCsrf()
+    {
+        \Helper\Security::instance()->validateCsrfToken();
+    }
 }
diff --git a/app/controller/admin.php b/app/controller/admin.php
index 612743f4..406ada7f 100644
--- a/app/controller/admin.php
+++ b/app/controller/admin.php
@@ -22,6 +22,8 @@ public function index(\Base $f3)
         $f3->set("menuitem", "admin");
 
         if ($f3->get("POST.action") == "clearcache") {
+            $this->validateCsrf();
+
             $cache = \Cache::instance();
 
             // Clear configured cache
@@ -153,6 +155,7 @@ public function config(\Base $f3)
      */
     public function config_post_saveattribute(\Base $f3)
     {
+        $this->validateCsrf();
         $this->_requireAdmin(\Model\User::RANK_SUPER);
 
         $attribute = str_replace("-", ".", $f3->get("POST.attribute"));
@@ -304,6 +307,7 @@ public function user_new(\Base $f3)
      */
     public function user_save(\Base $f3)
     {
+        $this->validateCsrf();
         $security = \Helper\Security::instance();
         $user = new \Model\User();
         $user_id = $f3->get("POST.user_id");
@@ -399,6 +403,7 @@ public function user_save(\Base $f3)
      */
     public function user_delete(\Base $f3, array $params)
     {
+        $this->validateCsrf();
         $user = new \Model\User();
         $user->load($params["id"]);
         if (!$user->id) {
@@ -434,6 +439,7 @@ public function user_delete(\Base $f3, array $params)
      */
     public function user_undelete(\Base $f3, array $params)
     {
+        $this->validateCsrf();
         $user = new \Model\User();
         $user->load($params["id"]);
         if (!$user->id) {
@@ -485,20 +491,15 @@ public function groups(\Base $f3)
      */
     public function group_new(\Base $f3)
     {
-        $f3->set("title", $f3->get("dict.groups"));
-
-        if ($f3->get("POST")) {
-            $group = new \Model\User();
-            $group->name = $f3->get("POST.name");
-            $group->username = \Web::instance()->slug($group->name);
-            $group->role = "group";
-            $group->task_color = sprintf("%02X%02X%02X", mt_rand(0, 0xFF), mt_rand(0, 0xFF), mt_rand(0, 0xFF));
-            $group->created_date = $this->now();
-            $group->save();
-            $f3->reroute("/admin/groups");
-        } else {
-            $f3->error(405);
-        }
+        $this->validateCsrf();
+        $group = new \Model\User();
+        $group->name = $f3->get("POST.name");
+        $group->username = \Web::instance()->slug($group->name);
+        $group->role = "group";
+        $group->task_color = sprintf("%02X%02X%02X", mt_rand(0, 0xFF), mt_rand(0, 0xFF), mt_rand(0, 0xFF));
+        $group->created_date = $this->now();
+        $group->save();
+        $f3->reroute("/admin/groups");
     }
 
     /**
@@ -532,6 +533,7 @@ public function group_edit(\Base $f3, array $params)
      */
     public function group_delete(\Base $f3, array $params)
     {
+        $this->validateCsrf();
         $group = new \Model\User();
         $group->load($params["id"]);
         $group->delete();
@@ -549,6 +551,7 @@ public function group_delete(\Base $f3, array $params)
      */
     public function group_ajax(\Base $f3)
     {
+        $this->validateCsrf();
         if (!$f3->get("AJAX")) {
             $f3->error(400);
         }
@@ -608,6 +611,7 @@ public function group_ajax(\Base $f3)
      */
     public function group_setmanager(\Base $f3, array $params)
     {
+        $this->validateCsrf();
         $db = $f3->get("db.instance");
 
         $group = new \Model\User();
@@ -645,6 +649,7 @@ public function sprints(\Base $f3)
      */
     public function sprint_new(\Base $f3)
     {
+        $this->validateCsrf();
         $f3->set("title", $f3->get("dict.sprints"));
 
         if ($post = $f3->get("POST")) {
diff --git a/app/controller/backlog.php b/app/controller/backlog.php
index dbf2b56c..935af134 100644
--- a/app/controller/backlog.php
+++ b/app/controller/backlog.php
@@ -141,6 +141,8 @@ public function redirect(\Base $f3)
      */
     public function edit($f3)
     {
+        $this->validateCsrf();
+
         // Move project
         $post = $f3->get("POST");
         $issue = new \Model\Issue();
@@ -166,6 +168,7 @@ public function edit($f3)
      */
     public function sort($f3)
     {
+        $this->validateCsrf();
         $this->_requireLogin(\Model\User::RANK_MANAGER);
         $backlog = new \Model\Issue\Backlog();
         if ($f3->get("POST.sprint_id")) {
diff --git a/app/controller/index.php b/app/controller/index.php
index 0728e3a1..a515fbd8 100644
--- a/app/controller/index.php
+++ b/app/controller/index.php
@@ -68,6 +68,7 @@ public function login($f3)
      */
     public function loginpost($f3)
     {
+        $this->validateCsrf();
         $user = new \Model\User();
 
         // Load user by username or email address
@@ -111,6 +112,7 @@ public function loginpost($f3)
      */
     public function registerpost($f3)
     {
+        $this->validateCsrf();
 
         // Exit immediately if public registrations are disabled
         if (!$f3->get("site.public_registration")) {
@@ -184,6 +186,7 @@ public function reset($f3)
             $f3->reroute("/");
         } else {
             if ($f3->get("POST.email")) {
+                $this->validateCsrf();
                 $user = new \Model\User();
                 $user->load(array("email = ?", $f3->get("POST.email")));
                 if ($user->id && !$user->deleted_date) {
@@ -233,6 +236,8 @@ public function reset_complete($f3, $params)
         }
 
         if ($f3->get("POST.password1")) {
+            $this->validateCsrf();
+
             // Validate new password
             if ($f3->get("POST.password1") != $f3->get("POST.password2")) {
                 $f3->set("reset.error", "The given passwords don't match.");
@@ -263,6 +268,10 @@ public function reset_forced($f3)
         $user = new \Model\User();
         $user->loadCurrent();
 
+        if ($f3->get('POST')) {
+            $this->validateCsrf();
+        }
+
         if ($f3->get("POST.password1") != $f3->get("POST.password2")) {
             $f3->set("reset.error", "The given passwords don't match.");
         } elseif (strlen($f3->get("POST.password1")) < 6) {
@@ -280,12 +289,13 @@ public function reset_forced($f3)
     }
 
     /**
-     * GET|POST /logout
+     * POST /logout
      *
      * @param \Base $f3
      */
     public function logout($f3)
     {
+        $this->validateCsrf();
         $session = new \Model\Session();
         $session->loadCurrent();
         $session->delete();
diff --git a/app/controller/issues.php b/app/controller/issues.php
index df8d00dc..1c1471c4 100644
--- a/app/controller/issues.php
+++ b/app/controller/issues.php
@@ -239,6 +239,7 @@ public function index($f3)
      */
     public function bulk_update($f3)
     {
+        $this->validateCsrf();
         $post = $f3->get("POST");
 
         $issue = new \Model\Issue();
@@ -526,7 +527,7 @@ protected function loadIssueMeta(\Model\Issue $issue)
     }
 
     /**
-     * GET /issues/close/@id
+     * POST /issues/close/@id
      * Close an issue
      *
      * @param \Base $f3
@@ -535,6 +536,7 @@ protected function loadIssueMeta(\Model\Issue $issue)
      */
     public function close($f3, $params)
     {
+        $this->validateCsrf();
         $issue = new \Model\Issue();
         $issue->load($params["id"]);
 
@@ -554,7 +556,7 @@ public function close($f3, $params)
     }
 
     /**
-     * GET /issues/reopen/@id
+     * POST /issues/reopen/@id
      * Reopen an issue
      *
      * @param \Base $f3
@@ -563,6 +565,7 @@ public function close($f3, $params)
      */
     public function reopen($f3, $params)
     {
+        $this->validateCsrf();
         $issue = new \Model\Issue();
         $issue->load($params["id"]);
 
@@ -588,7 +591,7 @@ public function reopen($f3, $params)
     }
 
     /**
-     * GET /issues/copy/@id
+     * POST /issues/copy/@id
      * Copy an issue
      *
      * @param \Base $f3
@@ -597,6 +600,7 @@ public function reopen($f3, $params)
      */
     public function copy($f3, $params)
     {
+        $this->validateCsrf();
         $issue = new \Model\Issue();
         $issue->load($params["id"]);
 
@@ -760,6 +764,7 @@ protected function _saveNew()
      */
     public function save($f3)
     {
+        $this->validateCsrf();
         if ($f3->get("POST.id")) {
             // Updating existing issue.
             $issue = $this->_saveUpdate();
@@ -849,6 +854,8 @@ public function single($f3, $params)
      */
     public function add_watcher($f3, $params)
     {
+        $this->validateCsrf();
+
         $issue = new \Model\Issue();
         $issue->load(array("id=?", $params["id"]));
         if (!$issue->id) {
@@ -875,6 +882,8 @@ public function add_watcher($f3, $params)
      */
     public function delete_watcher($f3, $params)
     {
+        $this->validateCsrf();
+
         $issue = new \Model\Issue();
         $issue->load(array("id=?", $params["id"]));
         if (!$issue->id) {
@@ -896,6 +905,8 @@ public function delete_watcher($f3, $params)
      */
     public function add_dependency($f3, $params)
     {
+        $this->validateCsrf();
+
         $issue = new \Model\Issue();
         $issue->load(array("id=?", $params["id"]));
         if (!$issue->id) {
@@ -921,6 +932,8 @@ public function add_dependency($f3, $params)
      */
     public function delete_dependency($f3, $params)
     {
+        $this->validateCsrf();
+
         $issue = new \Model\Issue();
         $issue->load(array("id=?", $params["id"]));
         if (!$issue->id) {
@@ -1060,6 +1073,7 @@ public function single_dependencies($f3, $params)
      */
     public function single_delete($f3, $params)
     {
+        $this->validateCsrf();
         $issue = new \Model\Issue();
         $issue->load($params["id"]);
         $user = $f3->get("user_obj");
@@ -1081,6 +1095,7 @@ public function single_delete($f3, $params)
      */
     public function single_undelete($f3, $params)
     {
+        $this->validateCsrf();
         $issue = new \Model\Issue();
         $issue->load($params["id"]);
         $user = $f3->get("user_obj");
@@ -1101,6 +1116,7 @@ public function single_undelete($f3, $params)
      */
     public function comment_save($f3)
     {
+        $this->validateCsrf();
         $post = $f3->get("POST");
 
         $issue = new \Model\Issue();
@@ -1152,6 +1168,7 @@ public function comment_save($f3)
      */
     public function comment_delete($f3)
     {
+        $this->validateCsrf();
         $this->_requireAdmin();
         $comment = new \Model\Issue\Comment();
         $comment->load($f3->get("POST.id"));
@@ -1168,6 +1185,7 @@ public function comment_delete($f3)
      */
     public function file_delete($f3)
     {
+        $this->validateCsrf();
         $file = new \Model\Issue\File();
         $file->load($f3->get("POST.id"));
         $file->delete();
@@ -1183,6 +1201,7 @@ public function file_delete($f3)
      */
     public function file_undelete($f3)
     {
+        $this->validateCsrf();
         $file = new \Model\Issue\File();
         $file->load($f3->get("POST.id"));
         $file->deleted_date = null;
@@ -1289,6 +1308,7 @@ public function search($f3)
      */
     public function upload($f3)
     {
+        $this->validateCsrf();
         $user_id = $this->_userId;
 
         $issue = new \Model\Issue();
diff --git a/app/controller/taskboard.php b/app/controller/taskboard.php
index b13a0999..c68d998f 100644
--- a/app/controller/taskboard.php
+++ b/app/controller/taskboard.php
@@ -305,6 +305,7 @@ public function burndown($f3, $params)
      */
     public function saveManHours($f3)
     {
+        $this->validateCsrf();
         $user = new \Model\User();
         $user->load(array("id = ?", $f3->get("POST.user_id")));
         if (!$user->id) {
@@ -324,6 +325,7 @@ public function saveManHours($f3)
      */
     public function add($f3)
     {
+        $this->validateCsrf();
         $post = $f3->get("POST");
         $post['sprint_id'] = $post['sprintId'];
         $post['name'] = $post['title'];
@@ -341,6 +343,7 @@ public function add($f3)
      */
     public function edit($f3)
     {
+        $this->validateCsrf();
         $post = $f3->get("POST");
         $issue = new \Model\Issue();
         $issue->load($post["taskId"]);
diff --git a/app/controller/user.php b/app/controller/user.php
index 8be269fe..cac72afc 100644
--- a/app/controller/user.php
+++ b/app/controller/user.php
@@ -82,6 +82,7 @@ public function dashboard($f3)
      */
     public function dashboardPost($f3)
     {
+        $this->validateCsrf();
         $helper = \Helper\Dashboard::instance();
         $widgets = json_decode($f3->get("POST.widgets"));
         $allWidgets = $helper->allWidgets;
@@ -145,6 +146,7 @@ public function account($f3)
      */
     public function save($f3)
     {
+        $this->validateCsrf();
         $f3 = \Base::instance();
         $post = array_map("trim", $f3->get("POST"));
 
@@ -234,6 +236,7 @@ public function save($f3)
      */
     public function avatar($f3)
     {
+        $this->validateCsrf();
         $f3 = \Base::instance();
 
         $user = new \Model\User();
diff --git a/app/helper/security.php b/app/helper/security.php
index 43ab67d2..51aa3805 100644
--- a/app/helper/security.php
+++ b/app/helper/security.php
@@ -113,6 +113,36 @@ public function updateDatabase($version)
         }
     }
 
+    /**
+     * Initialize a CSRF token
+     */
+    public function initCsrfToken()
+    {
+        $f3 = \Base::instance();
+        if (!($token = $f3->get('COOKIE.XSRF-TOKEN'))) {
+            $token = $this->salt_sha2();
+            $f3->set('COOKIE.XSRF-TOKEN', $token);
+        }
+        $f3->set('csrf_token', $token);
+    }
+
+    /**
+     * Validate a CSRF token, exiting if invalid
+     */
+    public function validateCsrfToken()
+    {
+        $f3 = \Base::instance();
+        $cookieToken = $f3->get('COOKIE.XSRF-TOKEN');
+        $requestToken = $f3->get('POST.csrf-token');
+        if (!$requestToken) {
+            $requestToken = $f3->get('HEADERS.X-Xsrf-Token');
+        }
+        if (!$cookieToken || !$requestToken || !hash_equals($cookieToken, $requestToken)) {
+            $f3->error(400, 'Invalid CSRF token');
+            exit;
+        }
+    }
+
     /**
      * Check if two hashes are equal, safe against timing attacks
      *
diff --git a/app/helper/template.php b/app/helper/template.php
new file mode 100644
index 00000000..d6d12112
--- /dev/null
+++ b/app/helper/template.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Helper;
+
+class Template
+{
+    public static function csrfToken($args)
+    {
+        return '<input type="hidden" name="csrf-token" value="<?= $this->esc($csrf_token) ?>" />';
+    }
+}
diff --git a/app/routes.ini b/app/routes.ini
index 54c24e8a..032723c5 100644
--- a/app/routes.ini
+++ b/app/routes.ini
@@ -8,8 +8,7 @@ GET|POST /reset/forced = Controller\Index->reset_forced
 GET|POST /reset/@token = Controller\Index->reset_complete
 POST /login = Controller\Index->loginpost
 POST /register = Controller\Index->registerpost
-GET|POST /logout = Controller\Index->logout
-GET|POST /ping = Controller\Index->ping
+POST /logout = Controller\Index->logout
 GET /opensearch.xml = Controller\Index->opensearch
 
 ; Issues
@@ -21,9 +20,9 @@ GET /issues/edit/@id = Controller\Issues->edit
 POST /issues/save = Controller\Issues->save
 POST /issues/bulk_update = Controller\Issues->bulk_update
 GET /issues/export = Controller\Issues->export
-GET|POST /issues/@id = Controller\Issues->single
-GET|POST /issues/delete/@id = Controller\Issues->single_delete
-GET|POST /issues/undelete/@id = Controller\Issues->single_undelete
+GET /issues/@id = Controller\Issues->single
+POST /issues/delete/@id = Controller\Issues->single_delete
+POST /issues/undelete/@id = Controller\Issues->single_undelete
 POST /issues/comment/save = Controller\Issues->comment_save
 POST /issues/comment/delete = Controller\Issues->comment_delete
 POST /issues/file/delete = Controller\Issues->file_delete
@@ -40,9 +39,9 @@ GET /issues/project/@id = Controller\Issues\Project->overview
 GET /issues/project/@id/files = Controller\Issues\Project->files
 GET /search = Controller\Issues->search
 POST /issues/upload = Controller\Issues->upload
-GET /issues/close/@id = Controller\Issues->close
-GET /issues/reopen/@id = Controller\Issues->reopen
-GET /issues/copy/@id = Controller\Issues->copy
+POST /issues/close/@id = Controller\Issues->close
+POST /issues/reopen/@id = Controller\Issues->reopen
+POST /issues/copy/@id = Controller\Issues->copy
 GET /issues/parent_ajax = Controller\Issues->parent_ajax
 
 ; Tags
@@ -74,19 +73,15 @@ GET /admin/users/deleted = Controller\Admin->deleted_users
 GET /admin/users/new = Controller\Admin->user_new
 POST /admin/users/save = Controller\Admin->user_save
 GET /admin/users/@id = Controller\Admin->user_edit
-GET|POST /admin/users/@id/delete = Controller\Admin->user_delete
-GET|POST /admin/users/@id/undelete = Controller\Admin->user_undelete
+POST /admin/users/@id/delete = Controller\Admin->user_delete
+POST /admin/users/@id/undelete = Controller\Admin->user_undelete
 
 POST /admin/groups/new = Controller\Admin->group_new
-GET|POST /admin/groups/@id = Controller\Admin->group_edit
-GET|POST /admin/groups/@id/delete = Controller\Admin->group_delete
+GET /admin/groups/@id = Controller\Admin->group_edit
+POST /admin/groups/@id/delete = Controller\Admin->group_delete
 POST /admin/groups/ajax = Controller\Admin->group_ajax
 GET|POST /admin/groups/@id/setmanager/@user_group_id = Controller\Admin->group_setmanager
 
-GET|POST /admin/attributes/new = Controller\Admin->attribute_new
-GET|POST /admin/attributes/@id = Controller\Admin->attribute_edit
-GET|POST /admin/attributes/@id/delete = Controller\Admin->attribute_delete
-
 GET|POST /admin/sprints/new = Controller\Admin->sprint_new
 GET|POST /admin/sprints/@id = Controller\Admin->sprint_edit
 
diff --git a/app/view/admin/config.html b/app/view/admin/config.html
index 7a1040ec..97521ac1 100644
--- a/app/view/admin/config.html
+++ b/app/view/admin/config.html
@@ -8,6 +8,7 @@
 <div class="container">
     <include href="blocks/admin/tabs.html" />
     <form action="{{ @BASE }}/admin/config" method="post" id="frm-config">
+        <csrf-token />
         <div class="row">
 
             <div class="col-sm-3">
diff --git a/app/view/admin/groups.html b/app/view/admin/groups.html
index e560ef64..91b3fd50 100644
--- a/app/view/admin/groups.html
+++ b/app/view/admin/groups.html
@@ -32,7 +32,14 @@
                         <td>{{ @group.name | esc }}</td>
                         <td>{{ @group.count }}</td>
                         <td><span class="badge" style="background-color: #{{ @group.task_color }};">&ensp;</span>&ensp;#{{ @group.task_color }}</td>
-                        <td><a href="{{ @BASE }}/admin/groups/{{ @group.id }}/delete" class="has-tooltip" title="{{ @dict.delete }}"><span class="fa fa-trash"></span></a></td>
+                        <td class="clearfix">
+                            <form class="pull-right" action="{{ @BASE }}/admin/groups/{{ @group.id }}/delete" method="post">
+                                <csrf-token />
+                                <button type="submit" class="has-tooltip" title="{{ @dict.delete }}" aria-label="{{ @dict.delete }}">
+                                    <span class="fa fa-trash"></span>
+                                </button>
+                            </form>
+                        </td>
                     </tr>
                 </repeat>
             </tbody>
@@ -52,6 +59,7 @@
 <div class="modal" id="new" tabindex="-1" role="dialog" aria-hidden="true">
     <div class="modal-dialog">
         <form class="modal-content" action="{{ @BASE }}/admin/groups/new" method="post">
+            <csrf-token />
             <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal" aria-hidden="true" onclick="$('#input_name').val('');">&times;</button>
                 <h4 class="modal-title">{{ @dict.new }}</h4>
diff --git a/app/view/admin/groups/edit.html b/app/view/admin/groups/edit.html
index 82ae1972..2df48548 100644
--- a/app/view/admin/groups/edit.html
+++ b/app/view/admin/groups/edit.html
@@ -19,15 +19,25 @@
             <ul id="members" class="list-unstyled">
                 <repeat group="{{ @members }}" value="{{ @member }}">
                     <li data-user-id="{{ @member.user_id }}">
-                        <a href="#" class="delete text-danger has-tooltip" data-placement="right" title="{{ @dict.delete }}"><span class="fa fa-remove"></span></a>&nbsp;
+                        <a href="#" class="delete text-danger has-tooltip" data-placement="right" title="{{ @dict.delete }}" aria-label="{{ @dict.delete }}">
+                            <span class="fa fa-remove"></span>
+                        </a>&nbsp;
                         <check if="{{ @member.manager }}">
                             <true>
-                                <span class="manager text-warning has-tooltip" data-placement="right" title="{{ @dict.manager }}"><span class="fa fa-star"></span></span>&nbsp;
+                                <span class="manager text-warning has-tooltip" data-placement="right" title="{{ @dict.manager }}" aria-label="{{ @dict.manager }}">
+                                    <span class="fa fa-star"></span>
+                                </span>
                             </true>
                             <false>
-                                <a href="{{ @BASE }}/admin/groups/{{ @group.id }}/setmanager/{{ @member.id }}" class="manager text-muted has-tooltip" data-placement="right" title="{{ @dict.set_as_manager }}"><span class="fa fa-star-o"></span></a>&nbsp;
+                                <form style="display: inline-block;" action="{{ @BASE }}/admin/groups/{{ @group.id }}/setmanager/{{ @member.id }}" method="post">
+                                    <csrf-token />
+                                    <button type="submit" class="manager text-muted has-tooltip" data-placement="right" title="{{ @dict.set_as_manager }}">
+                                        <span class="fa fa-star-o"></span>
+                                    </button>
+                                </form>
                             </false>
                         </check>
+                        &nbsp;
                         {{ @member.user_name }}
                     </li>
                 </repeat>
diff --git a/app/view/admin/index.html b/app/view/admin/index.html
index 6d797597..d9a79b15 100644
--- a/app/view/admin/index.html
+++ b/app/view/admin/index.html
@@ -48,6 +48,7 @@ <h4>{{ @dict.database }}</h4>
             <div class="clearfix">
                 <h4 class="pull-left">{{ @dict.cache }}</h4>
                 <form class="pull-right" action="{{ @BASE }}/admin" method="post" style="margin-top: 10px;">
+                    <csrf-token />
                     <input type="hidden" name="action" value="clearcache">
                     <button type="submit" class="btn btn-warning btn-xs">{{ @dict.clear_cache }}</button>
                 </form>
diff --git a/app/view/admin/sprints/edit.html b/app/view/admin/sprints/edit.html
index eaaaee52..20495a89 100644
--- a/app/view/admin/sprints/edit.html
+++ b/app/view/admin/sprints/edit.html
@@ -8,6 +8,7 @@
 <div class="container">
     <include href="blocks/admin/tabs.html" />
     <form action="{{ @BASE }}/admin/sprints/{{@sprint.id}}" method="post" class="form-horizontal" autocomplete="off">
+        <csrf-token />
         <legend>{{ @dict.edit_sprint }}</legend>
         <div class="form-group">
             <label for="name" class="col-md-2 control-label label-sm">{{ @dict.name }}</label>
diff --git a/app/view/admin/sprints/new.html b/app/view/admin/sprints/new.html
index bfc067ec..bad4109a 100644
--- a/app/view/admin/sprints/new.html
+++ b/app/view/admin/sprints/new.html
@@ -8,6 +8,7 @@
 <div class="container">
     <include href="blocks/admin/tabs.html" />
     <form action="{{ @BASE }}/admin/sprints/new" method="post" class="form-horizontal" autocomplete="off">
+        <csrf-token />
         <legend>{{ @dict.new_sprint }}</legend>
         <div class="form-group">
             <label for="name" class="col-md-2 control-label label-sm">{{ @dict.name }}</label>
diff --git a/app/view/admin/users.html b/app/view/admin/users.html
index babea7bd..2c92c29f 100644
--- a/app/view/admin/users.html
+++ b/app/view/admin/users.html
@@ -33,12 +33,12 @@
                         <td>{{ @user.email | esc }}</td>
                         <td class="user-name">{{ @user.name | esc }}</td>
                         <td>{{ ucfirst(@user.role) }}</td>
-                        <td><span class="badge" style="background-color: #{{ @user.task_color }};">&ensp;</span>&ensp;#{{ @user.task_color }}</td>
+                        <td><span class="badge" style="background-color: #{{ @user.task_color | esc }};">&ensp;</span>&ensp;#{{ @user.task_color }}</td>
                         <td>
                             <check if="{{ @user.id != @user_obj.id }}">
-                                <a href="{{ @BASE }}/admin/users/{{ @user.id }}/delete" class="delete has-tooltip" title="{{ @dict.deactivate }}">
+                                <button type="button" class="delete has-tooltip" title="{{ @dict.deactivate }}" aria-label="{{ @dict.deactivate }}">
                                     <span class="fa fa-remove"></span>
-                                </a>
+                                </button>
                             </check>
                         </td>
                     </tr>
@@ -77,6 +77,7 @@
 <div class="modal" id="mdl-delete" tabindex="-1" role="dialog" aria-hidden="true">
     <div class="modal-dialog">
         <form class="modal-content" action="#" method="post">
+            <csrf-token />
             <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
                 <h4 class="modal-title">{{ @dict.deactivate }} <span class="user-name"></span></h4>
diff --git a/app/view/admin/users/deleted.html b/app/view/admin/users/deleted.html
index fdf941fc..de8684ab 100644
--- a/app/view/admin/users/deleted.html
+++ b/app/view/admin/users/deleted.html
@@ -13,7 +13,8 @@
         <include href="blocks/admin/tabs.html" />
     </div>
     <p>
-        <a class="btn btn-default btn-sm" href="{{ @BASE }}/admin/users"><span class="fa fa-chevron-left"></span>&ensp;Show Active Users</a>
+        <a class="btn btn-link btn-sm" href="{{ @BASE }}/admin/users"><span class="fa fa-chevron-left"></span>&ensp;Back</a>
+        &ensp;<b>Deactivated Users</b>
     </p>
     <table class="table table-striped table-condensed">
         <thead>
@@ -27,16 +28,23 @@
                 <th></th>
             </tr>
         </thead>
-        <tbody class="text-muted">
+        <tbody>
             <repeat group="{{ @users }}" value="{{ @user }}">
                 <tr>
-                    <td style="text-decoration: line-through;">{{ @user.id }}</a></td>
+                    <td>{{ @user.id }}</a></td>
                     <td>{{ @user.username | esc }}</td>
                     <td>{{ @user.email | esc }}</td>
                     <td>{{ @user.name | esc }}</td>
                     <td>{{ ucfirst(@user.role) }}</td>
                     <td><span class="badge" style="background-color: #{{ @user.task_color }};">&ensp;</span>&ensp;#{{ @user.task_color }}</td>
-                    <td><a href="{{ @BASE }}/admin/users/{{ @user.id }}/undelete" class="has-tooltip" title="{{ @dict.reactivate }}"><span class="fa fa-repeat" style="transform: scaleX(-1);"></span></a></td>
+                    <td>
+                        <form action="{{ @BASE }}/admin/users/{{ @user.id }}/undelete" method="post">
+                            <csrf-token />
+                            <button type="submit" class="has-tooltip" title="{{ @dict.reactivate }}">
+                                <span class="fa fa-repeat" style="transform: scaleX(-1);"></span>
+                            </button>
+                        </form>
+                    </td>
                 </tr>
             </repeat>
         </tbody>
diff --git a/app/view/admin/users/edit.html b/app/view/admin/users/edit.html
index 269c3634..d9035486 100644
--- a/app/view/admin/users/edit.html
+++ b/app/view/admin/users/edit.html
@@ -8,6 +8,7 @@
 <div class="container">
     <include href="blocks/admin/tabs.html" />
     <form action="{{ @BASE }}/admin/users/save" method="post" class="form-horizontal" autocomplete="off">
+        <csrf-token />
         <check if="{{ empty(@this_user) }}">
             <true>
                 <legend>{{ @dict.new_user }}</legend>
diff --git a/app/view/blocks/footer.html b/app/view/blocks/footer.html
index e91a2ab1..68468f49 100644
--- a/app/view/blocks/footer.html
+++ b/app/view/blocks/footer.html
@@ -9,7 +9,12 @@
 </check>
 <footer class="row">
     <div class="col-xs-4">
-        <p class="visible-sm visible-xs"><a href="{{ @BASE }}/logout" class="btn btn-default btn-xs">{{ @dict.log_out }}</a></p>
+        <form class="visible-sm visible-xs" method="{{ @BASE }}/logout" method="post">
+            <csrf-token />
+            <button type="submit" class="btn btn-default btn-xs">
+                {{ @dict.log_out }}
+            </button>
+        </form>
     </div>
     <div class="col-xs-8">
         <p class="text-right text-muted">
diff --git a/app/view/blocks/head.html b/app/view/blocks/head.html
index 3da097e9..84ef71a4 100644
--- a/app/view/blocks/head.html
+++ b/app/view/blocks/head.html
@@ -3,6 +3,7 @@
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <meta name="description" content="{{ @site.description | esc }}">
 <meta name="generator" content="alanaktion/phproject">
+<meta name="csrf-token" content="{{ @csrf_token | esc }}">
 <title>{{ empty(@title) ? @site.name : @title . ' - ' . @site.name | esc }}</title>
 <link rel="stylesheet" href="{{ @BASE }}/{{ empty(@user.theme) ? @site.theme : @user.theme }}">
 <link rel="stylesheet" href="{{ @BASE }}/css/style.css">
diff --git a/app/view/blocks/issue-list/bulk-update.html b/app/view/blocks/issue-list/bulk-update.html
index 545801af..1e4e8d51 100644
--- a/app/view/blocks/issue-list/bulk-update.html
+++ b/app/view/blocks/issue-list/bulk-update.html
@@ -2,6 +2,7 @@
 <div class="modal fade" id="bulk-actions" tabindex="-1" aria-hidden="true">
     <div class="modal-dialog">
         <form class="modal-content form-horizontal" action="{{ @BASE }}/issues/bulk_update" method="post">
+            <csrf-token />
             <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal">
                     <span aria-hidden="true">&times;</span><span class="sr-only">{{ @dict.close }}</span>
diff --git a/app/view/blocks/navbar-public.html b/app/view/blocks/navbar-public.html
index dd26164b..a7fbe24a 100644
--- a/app/view/blocks/navbar-public.html
+++ b/app/view/blocks/navbar-public.html
@@ -12,6 +12,7 @@
 
         <div class="collapse navbar-collapse" id="nb-collapse">
             <form class="navbar-form navbar-right" method="post" action="{{ @BASE }}/login">
+                <csrf-token />
                 <div class="form-group">
                     <input type="text" name="username" class="form-control" placeholder="{{ @dict.username }}">
                 </div>
diff --git a/app/view/blocks/navbar.html b/app/view/blocks/navbar.html
index 73cab7e7..3370001b 100644
--- a/app/view/blocks/navbar.html
+++ b/app/view/blocks/navbar.html
@@ -114,7 +114,17 @@
                             </repeat>
                         </check>
                         <li role="presentation" class="divider"></li>
-                        <li><a href="{{ @BASE }}/logout">{{ @dict.log_out }}</a></li>
+                        <li>
+                            <a style="position: relative;">
+                                <form action="{{ @BASE }}/logout" method="post">
+                                    <csrf-token />
+                                    <button type="submit" style="appearance: none; border: none; background: transparent; padding: 0; line-height: inherit;">
+                                        {{ @dict.log_out }}
+                                        <div style="position: absolute; inset: 0;">
+                                    </button>
+                                </form>
+                            </a>
+                        </li>
                     </ul>
                 </li>
             </ul>
diff --git a/app/view/index/login.html b/app/view/index/login.html
index d11cc08f..80b940e3 100644
--- a/app/view/index/login.html
+++ b/app/view/index/login.html
@@ -22,6 +22,7 @@ <h1 class="h2 text-center">
     <div class="row">
         <div class="col-sm-4 {{ @site.public_registration ? 'col-sm-offset-2' : 'col-sm-offset-4' }}">
             <form action="{{ @BASE }}/login" method="post" class="form-horizontal">
+                <csrf-token />
                 <div class="clearfix">
                     <h3 class="col-md-8 col-md-offset-4">{{ @dict.log_in }}</h3>
                 </div>
@@ -67,6 +68,7 @@ <h3 class="col-md-8 col-md-offset-4">{{ @dict.log_in }}</h3>
         <check if="{{ @site.public_registration }}">
             <div class="col-sm-4">
                 <form action="{{ @BASE }}/register" method="post" class="form-horizontal">
+                    <csrf-token />
                     <div class="clearfix">
                         <h3 class="col-md-8 col-md-offset-4">{{ @dict.register }}</h3>
                     </div>
diff --git a/app/view/index/reset.html b/app/view/index/reset.html
index d3dd1d4a..6af533ed 100644
--- a/app/view/index/reset.html
+++ b/app/view/index/reset.html
@@ -9,6 +9,7 @@
     <div class="row">
         <div class="col-sm-4 col-sm-offset-4">
             <form action="{{ @BASE }}/reset" method="post" class="form-horizontal">
+                <csrf-token />
                 <fieldset>
                     <legend>{{ @dict.reset_password }}</legend>
                     <check if="{{ !empty(@reset.success) }}">
diff --git a/app/view/index/reset_complete.html b/app/view/index/reset_complete.html
index 4daf5592..b776ebad 100644
--- a/app/view/index/reset_complete.html
+++ b/app/view/index/reset_complete.html
@@ -9,6 +9,7 @@
     <div class="row">
         <div class="col-sm-4 col-sm-offset-4">
             <form action="{{ @BASE }}/reset/{{ @PARAMS.token }}" method="post" class="form-horizontal">
+                <csrf-token />
                 <fieldset>
                     <legend>{{ @dict.reset_password }}</legend>
                     <check if="{{ !empty(@reset.success) }}">
diff --git a/app/view/index/reset_forced.html b/app/view/index/reset_forced.html
index cfef06a0..eb8467ad 100644
--- a/app/view/index/reset_forced.html
+++ b/app/view/index/reset_forced.html
@@ -9,6 +9,7 @@
     <div class="row">
         <div class="col-sm-4 col-sm-offset-4">
             <form action="{{ @BASE }}/reset/forced" method="post" class="form-horizontal">
+                <csrf-token />
                 <fieldset>
                     <legend>{{ @dict.reset_password }}</legend>
                     <check if="{{ !empty(@reset.error) }}">
diff --git a/app/view/issues/edit-form.html b/app/view/issues/edit-form.html
index 5dfcf9f1..d879fc00 100644
--- a/app/view/issues/edit-form.html
+++ b/app/view/issues/edit-form.html
@@ -1,4 +1,5 @@
 <form id="edit-form" class="form-horizontal well" action="{{ @BASE }}/issues/save" method="post">
+    <csrf-token />
     <check if="{{ !empty(@issue) }}">
         <a href="{{ @BASE }}/issues/{{ @issue.id }}" class="close"><span aria-hidden="true">&times;</span><span class="sr-only">{{ @dict.close }}</span></a>
         <input type="hidden" name="id" value="{{ @issue.id }}">
diff --git a/app/view/issues/single.html b/app/view/issues/single.html
index 2b04f15e..38c6f31b 100644
--- a/app/view/issues/single.html
+++ b/app/view/issues/single.html
@@ -22,10 +22,13 @@
     </div>
 
     <check if="{{ @issue.deleted_date }}">
-        <p id="alert" class="alert alert-danger">
+        <div id="alert" class="alert alert-danger">
             {{ @dict.deleted_notice }}&ensp;
-            <a href="{{ @BASE }}/issues/undelete/{{ @issue.id }}" class="btn btn-default btn-xs">{{ @dict.restore_issue }}</a>
-        </p>
+            <form style="display: inline-block;" action="{{ @BASE }}/issues/undelete/{{ @issue.id }}" method="post">
+                <csrf-token />
+                <button type="submit" class="btn btn-default btn-xs">{{ @dict.restore_issue }}</button>
+            </form>
+        </div>
     </check>
 
     <check if="{{ count(@ancestors) > 1 }}">
@@ -54,17 +57,22 @@ <h3 class="pull-left issue-heading">
         <div class="pull-right">
             <check if="{{ @issue.status_closed }}">
                 <false>
-                    <a id="btn-issue-close" href="{{ @BASE }}/issues/close/{{ @issue.id }}" class="btn btn-success btn-xs">
-                        <span class="fa fa-check"></span>&ensp;{{ @dict.complete }}
-                    </a>
+                    <form style="display: inline-block;" action="{{ @BASE }}/issues/close/{{ @issue.id }}" method="post">
+                        <csrf-token />
+                        <button type="submit" id="btn-issue-close" class="btn btn-success btn-xs">
+                            <span class="fa fa-check"></span>&ensp;{{ @dict.complete }}
+                        </button>
+                    </form>
                 </false>
                 <true>
-                    <a id="btn-issue-reopen" href="{{ @BASE }}/issues/reopen/{{ @issue.id }}" class="btn btn-warning btn-xs">
-                        <span class="fa fa-repeat"></span>&ensp;{{ @dict.reopen }}
-                    </a>
+                    <form style="display: inline-block;" action="{{ @BASE }}/issues/reopen/{{ @issue.id }}" method="post">
+                        <button type="submit" id="btn-issue-reopen" class="btn btn-warning btn-xs">
+                            <span class="fa fa-repeat"></span>&ensp;{{ @dict.reopen }}
+                        </button>
+                    </form>
                 </true>
             </check>
-            <a id="btn-copy" href="{{ @BASE }}/issues/copy/{{ @issue.id }}" class="btn btn-default btn-xs">
+            <a id="btn-copy" href="#" class="btn btn-default btn-xs">
                 <span class="fa fa-file"></span>&ensp;{{ @dict.copy }}
             </a>
             <check if="{{ @watching }}">
@@ -83,9 +91,12 @@ <h3 class="pull-left issue-heading">
                 <span class="fa fa-pencil"></span>&ensp;{{ @dict.edit }}
             </a>
             <check if="{{ @user.role == 'admin' || @user.rank >= \Model\User::RANK_MANAGER || @user.id == @issue.author_id }}">
-                <a href="{{ @BASE }}/issues/delete/{{ @issue.id }}" class="btn btn-danger btn-xs">
-                    <span class="fa fa-remove"></span><span class="hidden-xs">&ensp;{{ @dict.delete }}</span>
-                </a>
+                <form style="display: inline-block;" action="{{ @BASE }}/issues/delete/{{ @issue.id }}" method="post">
+                    <csrf-token />
+                    <button type="submit" class="btn btn-danger btn-xs">
+                        <span class="fa fa-remove"></span><span class="hidden-xs">&ensp;{{ @dict.delete }}</span>
+                    </button>
+                </form>
             </check>
         </div>
     </div>
@@ -259,6 +270,7 @@ <h3 class="pull-left issue-heading">
                 <div class="tab-pane fade in active" id="comments">
                     <div class="comments">
                         <form action="{{ @BASE }}/issues/comment/save" method="POST" id="comment_form" class="form-horizontal">
+                            <csrf-token />
                             <input type="hidden" name="issue_id" value="{{ @issue.id }}">
                             <div class="form-group">
                                 <div class="col-md-12">
@@ -326,6 +338,7 @@ <h3 class="pull-left issue-heading">
 </div>
 
 <form class="modal fade in" id="upload" tabindex="-1" method="post" enctype="multipart/form-data" action="{{ @BASE }}/issues/upload">
+    <csrf-token />
     <div class="modal-dialog">
         <div class="modal-content">
             <div class="modal-header">
@@ -355,7 +368,8 @@ <h4 class="modal-title">{{ @dict.upload_a_file }}</h4>
 
 <div class="modal fade" id="modal-copy" tabindex="-1" role="dialog" aria-labelledby="modal-copy-label" aria-hidden="true">
     <div class="modal-dialog">
-        <div class="modal-content">
+        <form class="modal-content" action="{{ @BASE }}/issues/copy/{{ @issue.id }}" method="post">
+            <csrf-token />
             <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">&times;</span><span class="sr-only">{{ @dict.close }}</span></button>
                 <h4 class="modal-title" id="modal-copy-label">{{ @dict.copy_issue }}</h4>
@@ -365,7 +379,7 @@ <h4 class="modal-title" id="modal-copy-label">{{ @dict.copy_issue }}</h4>
             </div>
             <div class="modal-footer">
                 <button type="button" class="btn btn-default btn-sm" data-dismiss="modal">{{ @dict.cancel }}</button>
-                <a id="btn-copy-confirm" class="btn btn-primary btn-sm" href="{{ @BASE }}/issues/copy/{{ @issue.id }}">{{ @dict.copy_issue }}</a>
+                <button type="submit" id="btn-copy-confirm" class="btn btn-primary btn-sm">{{ @dict.copy_issue }}</button>
             </div>
         </div>
     </div>
@@ -389,9 +403,12 @@ <h4 class="modal-title" id="modal-copy-label">{{ @dict.copy_issue }}</h4>
         e.preventDefault();
     });
     $("#btn-copy-confirm").click(function(e) {
-        $(this).prop('disabled', true)
-            .addClass('disabled')
-            .html('{{ addslashes(@dict.loading) }}');
+        var $btn = $(this);
+        setTimeout(function () {
+            $btn.prop('disabled', true)
+                .addClass('disabled')
+                .html('{{ addslashes(@dict.loading) }}');
+        }, 100);
     });
 
     var canDelete = parseInt("{{ (@user.role == 'admin' || @user.rank >= \Model\User::RANK_MANAGER) && @menuitem != 'index' }}");
diff --git a/app/view/taskboard/index.html b/app/view/taskboard/index.html
index bf8fdc5c..805115ac 100644
--- a/app/view/taskboard/index.html
+++ b/app/view/taskboard/index.html
@@ -264,6 +264,7 @@
     <div class="modal" id="task-dialog" tabindex="-1" role="dialog" aria-hidden="true" aria-labelledby="#task-dialog-title">
         <div class="modal-dialog">
             <form class="modal-content" method="post">
+                <csrf-token />
                 <div class="modal-header">
                     <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">&times;</span><span class="sr-only">{{ @dict.close }}</span></button>
                     <h4 class="modal-title" id="task-dialog-title">{{ @dict.edit }}</h4>
diff --git a/app/view/user/account.html b/app/view/user/account.html
index 744c9703..d1aeebe8 100644
--- a/app/view/user/account.html
+++ b/app/view/user/account.html
@@ -14,6 +14,7 @@
     <div class="tab-content">
         <div class="tab-pane fade in active" id="profile">
             <form class="form-horizontal" action="{{ @BASE }}/user" method="post">
+                <csrf-token />
                 <div class="row">
                     <div class="col-md-6">
                         <div class="form-group">
@@ -86,6 +87,7 @@
                             </false>
                         </check>
                         <form class="clearfix" method="post" enctype="multipart/form-data" action="{{ @BASE }}/user/avatar">
+                            <csrf-token />
                             <input type="file" name="avatar" id="input_avatar" class="pull-left">
                             <button type="submit" class="btn btn-default btn-sm pull-left nojs">{{ @dict.upload }}</button>
                         </form>
@@ -98,6 +100,7 @@
         </div>
         <div class="tab-pane fade" id="settings">
             <form action="{{ @BASE }}/user" method="post">
+                <csrf-token />
                 <input type="hidden" name="action" value="options">
                 <div class="checkbox">
                     <label>
@@ -122,6 +125,7 @@
         </div>
         <div class="tab-pane fade" id="password">
             <form class="form-horizontal" action="{{ @BASE }}/user" method="post">
+                <csrf-token />
                 <div class="form-group">
                     <label for="opass" class="col-lg-4 col-sm-2 control-label label-sm">{{ @dict.current_password }}</label>
                     <div class="col-lg-6 col-sm-10">
diff --git a/app/view/user/dashboard-widget-modal.html b/app/view/user/dashboard-widget-modal.html
index 4d4adc5c..222fca13 100644
--- a/app/view/user/dashboard-widget-modal.html
+++ b/app/view/user/dashboard-widget-modal.html
@@ -1,6 +1,7 @@
 <div class="modal fade" id="mdl-manage-widgets" tabindex="-1" role="dialog" aria-hidden="true">
     <div class="modal-dialog">
         <form class="modal-content" action="{{ @BASE }}/user/dashboard" method="post">
+            <csrf-token />
             <input type="hidden" id="input-widgets" name="widgets" value="">
             <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal" aria-label="{{ @dict.close }}">
diff --git a/index.php b/index.php
index 78fc70b3..72cb4d3d 100644
--- a/index.php
+++ b/index.php
@@ -90,6 +90,12 @@
     \Helper\Security::instance()->updateDatabase($version);
 }
 
+// Set up CSRF protection
+\Helper\Security::instance()->initCsrfToken();
+
+// Initialize template extensions
+\Helper\View::instance()->extend("csrf-token", "Helper\Template::csrfToken");
+
 // Minify static resources
 // Cache for 1 week
 // This route is deprecated, and will be removed in a future release.
diff --git a/js/global.js b/js/global.js
index 73962425..d9a43a26 100644
--- a/js/global.js
+++ b/js/global.js
@@ -1,6 +1,13 @@
 /* globals $ BASE Mousetrap issue_types */
 $(function() {
 
+	// Set XSRF-TOKEN header
+	$.ajaxSetup({
+		headers: {
+			'X-XSRF-Token': $('meta[name="csrf-token"]').attr('content')
+		}
+	});
+
 	// Tooltips and popovers
 	$('.has-tooltip').tooltip();
 	$('.has-popover').popover({delay: {show: 500, hide: 100}});

From 9a93b54fc1fa032a8c3656ce10acce8f637f62a6 Mon Sep 17 00:00:00 2001
From: Alan Hardman <alanaktion@gmail.com>
Date: Fri, 10 Sep 2021 13:21:46 -0600
Subject: [PATCH 3/4] Bumping version to 1.7.10

This is a major security update that adds CSRF protection. It is strongly recommended to update to this version.
---
 SECURITY.md   |  2 +-
 composer.lock | 98 +++++++++++++++++++++++++--------------------------
 index.php     |  2 +-
 3 files changed, 51 insertions(+), 51 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 6aaee3b9..a9e50a37 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,6 +6,6 @@ Since our team is small, and we don't update often, we only support the latest r
 
 ## Reporting a Vulnerability
 
-If you find an issue with the security of Phproject, let me know personally via email at alan@phpizza.com. I'll do my best to get back to you within 48 hours, at least with an idea of when we can fix the issue. Major issues that involve significant changes to the application can take several weeks since no one works on this project full time, but we'll do what we can to fix things.
+If you find an issue with the security of Phproject, you may report the vulnerability on [huntr.dev](https://huntr.dev/bounties/disclose), or let me know personally via email at alan@phpizza.com. I'll do my best to get back to you within 48 hours, at least with an idea of when we can fix the issue. Major issues that involve significant changes to the application can take several weeks since no one works on this project full time, but we'll do what we can to fix things.
 
 If it's been more than a week and we haven't replied, or if we have replied but it's been a while and we haven't communicated or fixed the issue you found, let us know and we'll invite you to a private fork where we can collaborate on a fix.
diff --git a/composer.lock b/composer.lock
index eefddd93..e5279119 100644
--- a/composer.lock
+++ b/composer.lock
@@ -93,7 +93,7 @@
         },
         {
             "name": "neos/diff",
-            "version": "4.3.18",
+            "version": "4.3.19",
             "source": {
                 "type": "git",
                 "url": "https://github.com/neos/diff.git",
@@ -191,16 +191,16 @@
         },
         {
             "name": "symfony/polyfill-iconv",
-            "version": "v1.22.1",
+            "version": "v1.23.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-iconv.git",
-                "reference": "06fb361659649bcfd6a208a0f1fcaf4e827ad342"
+                "reference": "63b5bb7db83e5673936d6e3b8b3e022ff6474933"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-iconv/zipball/06fb361659649bcfd6a208a0f1fcaf4e827ad342",
-                "reference": "06fb361659649bcfd6a208a0f1fcaf4e827ad342",
+                "url": "https://api.github.com/repos/symfony/polyfill-iconv/zipball/63b5bb7db83e5673936d6e3b8b3e022ff6474933",
+                "reference": "63b5bb7db83e5673936d6e3b8b3e022ff6474933",
                 "shasum": ""
             },
             "require": {
@@ -212,7 +212,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "1.22-dev"
+                    "dev-main": "1.23-dev"
                 },
                 "thanks": {
                     "name": "symfony/polyfill",
@@ -251,7 +251,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-iconv/tree/v1.22.1"
+                "source": "https://github.com/symfony/polyfill-iconv/tree/v1.23.0"
             },
             "funding": [
                 {
@@ -267,20 +267,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2021-01-22T09:19:47+00:00"
+            "time": "2021-05-27T09:27:20+00:00"
         },
         {
             "name": "symfony/polyfill-intl-grapheme",
-            "version": "v1.22.1",
+            "version": "v1.23.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-grapheme.git",
-                "reference": "5601e09b69f26c1828b13b6bb87cb07cddba3170"
+                "reference": "16880ba9c5ebe3642d1995ab866db29270b36535"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/5601e09b69f26c1828b13b6bb87cb07cddba3170",
-                "reference": "5601e09b69f26c1828b13b6bb87cb07cddba3170",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/16880ba9c5ebe3642d1995ab866db29270b36535",
+                "reference": "16880ba9c5ebe3642d1995ab866db29270b36535",
                 "shasum": ""
             },
             "require": {
@@ -292,7 +292,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "1.22-dev"
+                    "dev-main": "1.23-dev"
                 },
                 "thanks": {
                     "name": "symfony/polyfill",
@@ -332,7 +332,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.22.1"
+                "source": "https://github.com/symfony/polyfill-intl-grapheme/tree/v1.23.1"
             },
             "funding": [
                 {
@@ -348,20 +348,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2021-01-22T09:19:47+00:00"
+            "time": "2021-05-27T12:26:48+00:00"
         },
         {
             "name": "symfony/polyfill-intl-normalizer",
-            "version": "v1.22.1",
+            "version": "v1.23.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-normalizer.git",
-                "reference": "43a0283138253ed1d48d352ab6d0bdb3f809f248"
+                "reference": "8590a5f561694770bdcd3f9b5c69dde6945028e8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-intl-normalizer/zipball/43a0283138253ed1d48d352ab6d0bdb3f809f248",
-                "reference": "43a0283138253ed1d48d352ab6d0bdb3f809f248",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-normalizer/zipball/8590a5f561694770bdcd3f9b5c69dde6945028e8",
+                "reference": "8590a5f561694770bdcd3f9b5c69dde6945028e8",
                 "shasum": ""
             },
             "require": {
@@ -373,7 +373,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "1.22-dev"
+                    "dev-main": "1.23-dev"
                 },
                 "thanks": {
                     "name": "symfony/polyfill",
@@ -416,7 +416,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.22.1"
+                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.23.0"
             },
             "funding": [
                 {
@@ -432,20 +432,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2021-01-22T09:19:47+00:00"
+            "time": "2021-02-19T12:13:01+00:00"
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.22.1",
+            "version": "v1.23.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
-                "reference": "5232de97ee3b75b0360528dae24e73db49566ab1"
+                "reference": "9174a3d80210dca8daa7f31fec659150bbeabfc6"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/5232de97ee3b75b0360528dae24e73db49566ab1",
-                "reference": "5232de97ee3b75b0360528dae24e73db49566ab1",
+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/9174a3d80210dca8daa7f31fec659150bbeabfc6",
+                "reference": "9174a3d80210dca8daa7f31fec659150bbeabfc6",
                 "shasum": ""
             },
             "require": {
@@ -457,7 +457,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "1.22-dev"
+                    "dev-main": "1.23-dev"
                 },
                 "thanks": {
                     "name": "symfony/polyfill",
@@ -496,7 +496,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.22.1"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.23.1"
             },
             "funding": [
                 {
@@ -512,20 +512,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2021-01-22T09:19:47+00:00"
+            "time": "2021-05-27T12:26:48+00:00"
         },
         {
             "name": "symfony/polyfill-php72",
-            "version": "v1.22.1",
+            "version": "v1.23.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php72.git",
-                "reference": "cc6e6f9b39fe8075b3dabfbaf5b5f645ae1340c9"
+                "reference": "9a142215a36a3888e30d0a9eeea9766764e96976"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-php72/zipball/cc6e6f9b39fe8075b3dabfbaf5b5f645ae1340c9",
-                "reference": "cc6e6f9b39fe8075b3dabfbaf5b5f645ae1340c9",
+                "url": "https://api.github.com/repos/symfony/polyfill-php72/zipball/9a142215a36a3888e30d0a9eeea9766764e96976",
+                "reference": "9a142215a36a3888e30d0a9eeea9766764e96976",
                 "shasum": ""
             },
             "require": {
@@ -534,7 +534,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "1.22-dev"
+                    "dev-main": "1.23-dev"
                 },
                 "thanks": {
                     "name": "symfony/polyfill",
@@ -572,7 +572,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php72/tree/v1.22.1"
+                "source": "https://github.com/symfony/polyfill-php72/tree/v1.23.0"
             },
             "funding": [
                 {
@@ -588,20 +588,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2021-01-07T16:49:33+00:00"
+            "time": "2021-05-27T09:17:38+00:00"
         },
         {
             "name": "voku/anti-xss",
-            "version": "4.1.31",
+            "version": "4.1.32",
             "source": {
                 "type": "git",
                 "url": "https://github.com/voku/anti-xss.git",
-                "reference": "22dea9be8dbffa466995ea87a12da5f3bce874bb"
+                "reference": "159b49a50cf3f6cf72ee43b0dcf7c2580a0c12d1"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/voku/anti-xss/zipball/22dea9be8dbffa466995ea87a12da5f3bce874bb",
-                "reference": "22dea9be8dbffa466995ea87a12da5f3bce874bb",
+                "url": "https://api.github.com/repos/voku/anti-xss/zipball/159b49a50cf3f6cf72ee43b0dcf7c2580a0c12d1",
+                "reference": "159b49a50cf3f6cf72ee43b0dcf7c2580a0c12d1",
                 "shasum": ""
             },
             "require": {
@@ -634,7 +634,7 @@
                 {
                     "name": "Lars Moelleken",
                     "email": "lars@moelleken.org",
-                    "homepage": "http://www.moelleken.org/"
+                    "homepage": "https://www.moelleken.org/"
                 }
             ],
             "description": "anti xss-library",
@@ -647,7 +647,7 @@
             ],
             "support": {
                 "issues": "https://github.com/voku/anti-xss/issues",
-                "source": "https://github.com/voku/anti-xss/tree/4.1.31"
+                "source": "https://github.com/voku/anti-xss/tree/4.1.32"
             },
             "funding": [
                 {
@@ -671,7 +671,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2020-12-02T02:10:30+00:00"
+            "time": "2021-03-29T14:29:34+00:00"
         },
         {
             "name": "voku/portable-ascii",
@@ -850,16 +850,16 @@
     "packages-dev": [
         {
             "name": "squizlabs/php_codesniffer",
-            "version": "3.5.8",
+            "version": "3.6.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/squizlabs/PHP_CodeSniffer.git",
-                "reference": "9d583721a7157ee997f235f327de038e7ea6dac4"
+                "reference": "ffced0d2c8fa8e6cdc4d695a743271fab6c38625"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/squizlabs/PHP_CodeSniffer/zipball/9d583721a7157ee997f235f327de038e7ea6dac4",
-                "reference": "9d583721a7157ee997f235f327de038e7ea6dac4",
+                "url": "https://api.github.com/repos/squizlabs/PHP_CodeSniffer/zipball/ffced0d2c8fa8e6cdc4d695a743271fab6c38625",
+                "reference": "ffced0d2c8fa8e6cdc4d695a743271fab6c38625",
                 "shasum": ""
             },
             "require": {
@@ -902,7 +902,7 @@
                 "source": "https://github.com/squizlabs/PHP_CodeSniffer",
                 "wiki": "https://github.com/squizlabs/PHP_CodeSniffer/wiki"
             },
-            "time": "2020-10-23T02:01:07+00:00"
+            "time": "2021-04-09T00:54:41+00:00"
         }
     ],
     "aliases": [],
@@ -917,5 +917,5 @@
     "platform-overrides": {
         "php": "7.1.33"
     },
-    "plugin-api-version": "2.0.0"
+    "plugin-api-version": "2.1.0"
 }
diff --git a/index.php b/index.php
index 72cb4d3d..176948a1 100644
--- a/index.php
+++ b/index.php
@@ -1,5 +1,5 @@
 <?php
-define('PHPROJECT_VERSION', '1.7.9');
+define('PHPROJECT_VERSION', '1.7.10');
 
 // Initialize core
 require_once "vendor/autoload.php";

From ea028517b7e15e2dbbb7eb6ff8db0c1a373d24e7 Mon Sep 17 00:00:00 2001
From: Alan Hardman <alanaktion@gmail.com>
Date: Fri, 10 Sep 2021 13:30:36 -0600
Subject: [PATCH 4/4] Adding a link to my PGP public key

---
 SECURITY.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/SECURITY.md b/SECURITY.md
index a9e50a37..d19ea627 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,6 +6,8 @@ Since our team is small, and we don't update often, we only support the latest r
 
 ## Reporting a Vulnerability
 
-If you find an issue with the security of Phproject, you may report the vulnerability on [huntr.dev](https://huntr.dev/bounties/disclose), or let me know personally via email at alan@phpizza.com. I'll do my best to get back to you within 48 hours, at least with an idea of when we can fix the issue. Major issues that involve significant changes to the application can take several weeks since no one works on this project full time, but we'll do what we can to fix things.
+If you find an issue with the security of Phproject, you may report the vulnerability on [huntr.dev](https://huntr.dev/bounties/disclose), or let me know personally via email at alan@phpizza.com. If emailing, I recommend encrypting your communication with [my PGP public key](https://keybase.io/alanaktion/pgp_keys.asc).
+
+I'll do my best to get back to you within 48 hours, at least with an idea of when we can fix the issue. Major issues that involve significant changes to the application can take several weeks since no one works on this project full time, but we'll do what we can to fix things.
 
 If it's been more than a week and we haven't replied, or if we have replied but it's been a while and we haven't communicated or fixed the issue you found, let us know and we'll invite you to a private fork where we can collaborate on a fix.