diff --git a/app/lib/BaseFindController.php b/app/lib/BaseFindController.php
index ba89fb7f07..b4076bc392 100755
--- a/app/lib/BaseFindController.php
+++ b/app/lib/BaseFindController.php
@@ -733,6 +733,11 @@ public function addToSet() {
  		public function createSetFromResult() {
  			global $g_ui_locale_id;
  			
+ 			if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+				throw new ApplicationException(_t('CSRF check failed'));
+				return;
+			}
+ 			
  			$vs_set_name = $vs_set_code = null;
  			$vn_added_items_count = 0;
  			
@@ -1150,6 +1155,11 @@ public function getResultsEditorData() {
  		 *  (2) "complex" editing from a popup editing window. Data is submitted from a form as standard editor UI form data from a psuedo editor UI screen.
  		 */
  		public function saveResultsEditorData() {
+ 			if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+				throw new ApplicationException(_t('CSRF check failed'));
+				return;
+			}
+			
  			$t_display = new ca_bundle_displays($this->opo_result_context->getCurrentBundleDisplay($this->opn_type_restriction_id, $this->_getShowInStr()));
  			$response = $t_display->saveResultsEditorData($this->ops_tablename, [
  													'request' => $this->request, 
diff --git a/assets/ca/ca.quickaddform.js b/assets/ca/ca.quickaddform.js
index 45ec7e6771..1aa7ec731f 100644
--- a/assets/ca/ca.quickaddform.js
+++ b/assets/ca/ca.quickaddform.js
@@ -6,7 +6,7 @@
  * ----------------------------------------------------------------------
  *
  * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2014-2019 Whirl-i-Gig
+ * Copyright 2014-2021 Whirl-i-Gig
  *
  * For more information visit http://www.CollectiveAccess.org
  *
@@ -43,6 +43,7 @@ var caUI = caUI || {};
 			
 			fileUploadUrl: null,
 			saveUrl: null,
+			csrfToken: null,
 			
 			headerText: "QuickAdd",
 			saveText: "Saved record: %1",
@@ -73,6 +74,7 @@ var caUI = caUI || {};
 			});
 			
 			formData = jQuery("#" + that.formID).serializeObject();
+			formData['csrfToken'] = that.csrfToken;
 			
 			// Added "forced relationship" settings if available
 			var relatedID = jQuery("#" + that.formID).parent().data('relatedID');
diff --git a/assets/ca/ca.tableview.js b/assets/ca/ca.tableview.js
index caaab9d683..e515f19fa2 100644
--- a/assets/ca/ca.tableview.js
+++ b/assets/ca/ca.tableview.js
@@ -6,7 +6,7 @@
  * ----------------------------------------------------------------------
  *
  * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2013-2020 Whirl-i-Gig
+ * Copyright 2013-2021 Whirl-i-Gig
  *
  * For more information visit http://www.CollectiveAccess.org
  *
@@ -44,6 +44,7 @@ var caUI = caUI || {};
 			
 			dataSaveUrl: null,
 			dataEditUrl: null,
+			csrfToken: null,
 			
 			rowHeaders: null,
 			colHeaders: null,
@@ -183,7 +184,7 @@ var caUI = caUI || {};
 			});
 			
 			that.saveQueue = [];
-			jQuery.post(that.dataSaveUrl, { changes: q },
+			jQuery.post(that.dataSaveUrl, { changes: q, csrfToken: that.csrfToken },
 				function(data) {
 					if (parseInt(data.status) !== 0) {
 						var errorMessages = [];
@@ -336,4 +337,4 @@ var caUI = caUI || {};
 		
 		// --------------------------------------------------------------------------------
 	};	
-})(jQuery);
\ No newline at end of file
+})(jQuery);
diff --git a/themes/default/views/administrate/setup/Search/search_sets_html.php b/themes/default/views/administrate/setup/Search/search_sets_html.php
index 893757ceaf..d1df38a468 100644
--- a/themes/default/views/administrate/setup/Search/search_sets_html.php
+++ b/themes/default/views/administrate/setup/Search/search_sets_html.php
@@ -175,7 +175,8 @@ function caCreateSetFromResults() {
 			{ 
 				set_name: jQuery('#caCreateSetFromResultsInput').val(),
 				mode: jQuery('#caCreateSetFromResultsMode').val(),
-				item_ids: caGetSelectedItemIDsToAddToSet().join(';')
+				item_ids: caGetSelectedItemIDsToAddToSet().join(';'),
+				csrfToken: <?= json_encode(caGenerateCSRFToken($this->request));?>
 			}, 
 			function(res) {
 				jQuery("#caCreateSetFromResultsIndicator").hide();
diff --git a/themes/default/views/find/Results/ajax_results_editable_complex_data_form_html.php b/themes/default/views/find/Results/ajax_results_editable_complex_data_form_html.php
index fb9dfdc4ad..d7bfe0f43c 100644
--- a/themes/default/views/find/Results/ajax_results_editable_complex_data_form_html.php
+++ b/themes/default/views/find/Results/ajax_results_editable_complex_data_form_html.php
@@ -7,7 +7,7 @@
  * ----------------------------------------------------------------------
  *
  * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2016-2020 Whirl-i-Gig
+ * Copyright 2016-2021 Whirl-i-Gig
  *
  * For more information visit http://www.CollectiveAccess.org
  *
@@ -82,17 +82,18 @@
 			formErrorsPanelID: 'caEditableResultsComplexDataFormErrors',
 			formTypeSelectID: null, 
 		
-			formUrl: '<?php print caNavUrl($this->request, '*', '*', 'resultsComplexDataEditor'); ?>',
-			fileUploadUrl: '<?php print caNavUrl($this->request, "*", "*", "saveResultsEditorFiles"); ?>',
-			saveUrl: '<?php print caNavUrl($this->request, "*", "*", "saveResultsEditorData"); ?>',
+			formUrl: <?= json_encode(caNavUrl($this->request, '*', '*', 'resultsComplexDataEditor')); ?>,
+			fileUploadUrl: <?= json_encode(caNavUrl($this->request, "*", "*", "saveResultsEditorFiles")); ?>,
+			saveUrl: <?= json_encode(caNavUrl($this->request, "*", "*", "saveResultsEditorData")); ?>,
+			csrfToken: <?= json_encode(caGenerateCSRFToken($this->request)); ?>,
 		
-			headerText: '<?php print addslashes(_t('Edit %1', $t_subject->getTypeName())); ?>',
-			saveText: '<?php print addslashes(_t('Updated %1 ', $t_subject->getTypeName())); ?> <em>%1</em>',
-			busyIndicator: '<?php print addslashes(caBusyIndicatorIcon($this->request)); ?>',
+			headerText: <?= json_encode(_t('Edit %1', $t_subject->getTypeName())); ?>,
+			saveText: <?= json_encode(_t('Updated %1 ', $t_subject->getTypeName())." <em>%1</em>"); ?>,
+			busyIndicator: <?= json_encode(caBusyIndicatorIcon($this->request)); ?>,
 			onSave: function(resp) { 
 				if (resp.status == 0) {
 					var ht = jQuery("#caResultsEditorWrapper .caResultsEditorContent").data('handsontable');
-					ht.setDataAtCell(<?php print (int)$vn_row; ?>, <?php print (int)$vn_col; ?>, resp.display, 'external');
+					ht.setDataAtCell(<?= (int)$vn_row; ?>, <?= (int)$vn_col; ?>, resp.display, 'external');
 					if (jQuery("#caEditableResultsComplexDataForm") && jQuery("#caEditableResultsComplexDataForm").parent() && jQuery("#caEditableResultsComplexDataForm").parent().parent() && jQuery("#caEditableResultsComplexDataForm").parent().parent().data("panel")) { jQuery("#caEditableResultsComplexDataForm").parent().parent().data("panel").hidePanel();  }
 					jQuery(".caResultsEditorStatus").html("Saved changes").show();
 					setTimeout(function() { jQuery('.caResultsEditorStatus').fadeOut(500); }, 5000);
diff --git a/themes/default/views/find/Results/results_editable_html.php b/themes/default/views/find/Results/results_editable_html.php
index 3a45a6aa4c..e843fb63a0 100644
--- a/themes/default/views/find/Results/results_editable_html.php
+++ b/themes/default/views/find/Results/results_editable_html.php
@@ -7,7 +7,7 @@
  * ----------------------------------------------------------------------
  *
  * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2015-2016 Whirl-i-Gig
+ * Copyright 2015-2021 Whirl-i-Gig
  *
  * For more information visit http://www.CollectiveAccess.org
  *
@@ -54,16 +54,17 @@
 <script type="text/javascript">
 	jQuery(document).ready(function() {
 		caUI.initTableView('#caResultsEditorWrapper', {
-			dataLoadUrl: '<?php print caNavUrl($this->request, '*', '*', 'getResultsEditorData'); ?>',
-			dataSaveUrl: '<?php print caNavUrl($this->request, '*', '*', 'saveResultsEditorData'); ?>',
-			dataEditUrl: '<?php print caNavUrl($this->request, '*', '*', 'resultsComplexDataEditor'); ?>',
+			dataLoadUrl: <?= json_encode(caNavUrl($this->request, '*', '*', 'getResultsEditorData'), JSON_UNESCAPED_SLASHES); ?>,
+			dataSaveUrl: <?= json_encode(caNavUrl($this->request, '*', '*', 'saveResultsEditorData'), JSON_UNESCAPED_SLASHES); ?>,
+			dataEditUrl: <?= json_encode(caNavUrl($this->request, '*', '*', 'resultsComplexDataEditor'), JSON_UNESCAPED_SLASHES); ?>,
+			csrfToken: <?= json_encode(caGenerateCSRFToken($this->request)); ?>,
 			rowHeaders: true,
 			dataEditorID: 'caResultsComplexDataEditorPanel',
 			
-			colHeaders: <?php print json_encode($va_column_headers); ?>,
-			columns: <?php print json_encode($va_columns); ?>,
+			colHeaders: <?= json_encode($va_column_headers); ?>,
+			columns: <?= json_encode($va_columns); ?>,
 			
-			rowCount: <?php print (int)$this->getVar('num_rows'); ?>
+			rowCount: <?= (int)$this->getVar('num_rows'); ?>
 		});
 	});
-</script>
\ No newline at end of file
+</script>