- title: Migrating from WSC 5.3
subfolderitems:
+ - title: Templates
+ url: /migration_wsc-53_templates.html
- title: Third Party Libraries
url: /migration_wsc-53_libraries.html
<div class="formSubmit">
<input type="submit" value="{lang}wcf.global.button.submit{/lang}" accesskey="s">
- {@SECURITY_TOKEN_INPUT_TAG}
+ {csrfToken}
</div>
</form>
<div class="formSubmit">
<input type="submit" value="{lang}wcf.global.button.submit{/lang}" accesskey="s">
- {@SECURITY_TOKEN_INPUT_TAG}
+ {csrfToken}
</div>
</form>
--- /dev/null
+---
+title: Migrating from WSC 5.3- Templates and Languages
+sidebar: sidebar
+permalink: migration_wsc-53_templates.html
+folder: migration/wsc-523
+---
+
+## `{csrfToken}`
+
+Going forward, any uses of the `SECURITY_TOKEN_*` constants should be avoided.
+To reference the CSRF token (“Security Token”) within templates, the `{csrfToken}` template plugin was added.
+
+Before:
+
+```smarty
+{@SECURITY_TOKEN_INPUT_TAG}
+{link controller="Foo"}t={@SECURITY_TOKEN}{/link}
+```
+
+After:
+
+```smarty
+{csrfToken}
+{link controller="Foo"}t={csrfToken type=url}{/link} {* The use of the CSRF token in URLs is discouraged.
+ Modifications should happen by means of a POST request. *}
+```
+
+The `{csrfToken}` plugin was backported to WoltLab Suite 5.2 and higher, allowing compatibility with a large range of WoltLab Suite branches.
+See [WoltLab/WCF #3612](https://github.com/WoltLab/WCF/pull/3612) for details.
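Review bot: The front matter of the new page sets `folder: migration/wsc-523`, which looks like a typo for `wsc-53`: the permalink on the line above is `migration_wsc-53_templates.html` and the title says WSC 5.3. Please also add the missing space in the title (`Migrating from WSC 5.3 - Templates and Languages`) and decide whether the sidebar entry, which reads just `Templates`, should match it. In the "After" example, the `{csrfToken type=url}` line carries its own comment that tokens in URLs are discouraged; consider moving that caveat into the prose above the block so it is not missed by readers who copy the snippet.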
The first part of the event name should reflect the type of fields in the particular `.section` element.
Here, the input fields are just general “data” fields so that the event is called `dataFields`.
- After the last `.section` element, fire a `section` event so that plugins can add further sections.
- - Lastly, the `.formSubmit` shows the submit button and `{@SECURITY_TOKEN_INPUT_TAG}` contains a CSRF token that is automatically validated after the form is submitted.
+ - Lastly, the `.formSubmit` shows the submit button and `{csrfToken}` contains a CSRF token that is automatically validated after the form is submitted.
### Person Edit Form
| `start` | start counter value; `1` by default |
+## <span class="label label-info">5.4+</span> `csrfToken`
+
+`{csrfToken}` prints out the session's CSRF token (“Security Token”).
+
+```smarty
+<form action="{link controller="Foo"}{/link}" method="post">
+ {* snip *}
+
+ {csrfToken}
+</form>
+```
+
+The `{csrfToken}` template plugin supports a `type` parameter.
+Specifying this parameter might be required in rare situations.
+Please [check the implementation](https://github.com/WoltLab/WCF/blob/master/wcfsetup/install/files/lib/system/template/plugin/CsrfTokenFunctionTemplatePlugin.class.php) for details.
+
## `currency`
`currency` is a modifier used to format currency values with two decimals using language dependent thousands separators and decimal point:
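Review bot: The paragraph on the `type` parameter in the new `csrfToken` section lists no accepted values and defers to the implementation file on `master`. The migration page added in this same change already uses `{csrfToken type=url}`, so at least that value should be documented here, together with the note from that page that putting the CSRF token in URLs is discouraged and modifications should go through a POST request. A link to a blob on `master` can also drift away from the behaviour this 5.4+ section describes; describing the parameter inline would avoid that.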
<div class="formSubmit">
<input type="submit" value="{lang}wcf.global.button.submit{/lang}" accesskey="s">
- {@SECURITY_TOKEN_INPUT_TAG}
+ {csrfToken}
</div>
</form>
```