
Proposed changes to CSRF Tokens, #9

Merged
merged 4 commits into from
Apr 18, 2014

Conversation


@r3wt r3wt commented Apr 18, 2014

This should provide you with all the tools now to set up the token system. I'm not good with JS, but I determined you were generating the views from userfrosting.js. I will let you figure out how best to handle adding the tokens to the forms, but validating them will be straightforward: simply require_once models/post.php in a validation script, but make sure that $errors = array(); has been called prior to including it, or the error messages will be overwritten with the blank array.

r3

@alexweissman (Member)

CSRF attacks rely on tricking the user into submitting a form with malicious data. But how do we know that the attacker can't trick the user into first loading the form (with the embedded token), attaching the malicious data, and then submitting the form?
According to this: http://halls-of-valhalla.org/beta/articles/cross-site-request-forgery-demystified,47/
CSRF tokens are useless if the site has an XSS vulnerability. So, we also need to make sure that there are no XSS vulnerabilities.

@r3wt (Author) commented Apr 18, 2014

A bit of JS should do the trick, barring the victim of said attack having JS disabled in his browser, but then again that would make the entire site useless to said victim.

```js
// Framebusting: if this document is not the top-level window (i.e. it has been
// loaded inside another page's frame), replace the top-level page with ourselves.
if (top != self) { top.location.href = self.location.href; }
```

after adding that to either the main JavaScript you include on all pages, or to a static JS file that is already included anyway. See here for XSS filter evasion:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
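A worked version of the token system discussed in this thread, added here as an illustration; it is not UserFrosting's code and not the contents of this pull request. It assumes PHP 7 or later (`random_bytes`, `hash_equals`) and uses the hypothetical names `csrf_token`, `csrf_field`, `csrf_validate` and `anti_framing_headers` and the session key `csrf_token`; the session is passed in as a plain array so the example runs from the CLI without `session_start()`. It covers the three points raised above: the token is generated per session and embedded as a hidden field; validation returns its own list of errors instead of reassigning `$errors`, which sidesteps the overwrite r3wt warns about; and a helper returns the `X-Frame-Options` and `frame-ancestors` headers that are the server-side counterpart of the `top != self` script (that script stops the page being framed, which is a clickjacking defence rather than an XSS one). On alexweissman's question: an attacker's page can make the victim's browser load the form, but the same-origin policy stops that page from reading the response, so it never sees the token; a reflected XSS on the site removes exactly that guarantee, which is why every value the example echoes into HTML goes through `htmlspecialchars`.

```php
<?php
// Added example, not UserFrosting's code. Requires PHP 7+.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // assumed key name

/** Return the session's CSRF token, creating one on first use. */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe inside an attribute.
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to place inside every state-changing <form>. */
function csrf_field(array &$session): string
{
    // The token is hex and needs no escaping, but escaping every echoed value is
    // the habit that keeps reflected XSS (which would expose the token) out.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate a POST against the session. Returns a list of error messages so the
 * caller can merge it into its own $errors; nothing here reassigns that array.
 */
function csrf_validate(array $post, array $session): array
{
    $errors = [];
    if (empty($session[CSRF_SESSION_KEY])) {
        $errors[] = 'No CSRF token in session; reload the form.';
        return $errors;
    }
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($submitted) || $submitted === '') {
        $errors[] = 'Missing CSRF token.';
        return $errors;
    }
    // hash_equals is constant-time, so a timing side channel cannot leak the token.
    if (!hash_equals($session[CSRF_SESSION_KEY], $submitted)) {
        $errors[] = 'Invalid CSRF token.';
    }
    return $errors;
}

/** Server-side complement to the `top != self` script: forbid framing outright. */
function anti_framing_headers(): array
{
    return [
        'X-Frame-Options: DENY',
        "Content-Security-Policy: frame-ancestors 'none'",
    ];
}

// --- Demonstration with a constructed session and constructed requests ---
$session = [];
$prefill = '"><script>alert(1)</script>';   // constructed hostile user input
$form = '<form method="post" action="/account/update">'
    . csrf_field($session)
    . '<input name="email" value="' . htmlspecialchars($prefill, ENT_QUOTES, 'UTF-8') . '">'
    . '</form>';
echo $form, "\n";

$requests = [
    // Legitimate: the token came from the form the user's browser rendered.
    'legitimate submission' => ['csrf_token' => $session[CSRF_SESSION_KEY], 'email' => 'me@example.com'],
    // Cross-site: the attacker's page never saw our response, so it has no token.
    'forged, no token'      => ['email' => 'attacker@example.com'],
    // Cross-site: a guessed token does not match the session's 256-bit value.
    'forged, guessed token' => ['csrf_token' => str_repeat('0', 64), 'email' => 'attacker@example.com'],
];
foreach ($requests as $label => $post) {
    $result = csrf_validate($post, $session);
    printf("%-22s %s\n", $label, $result === [] ? 'accepted' : 'rejected: ' . implode(' ', $result));
}

// In a real request handler, send these before any output:
// foreach (anti_framing_headers() as $h) { header($h); }
echo implode("\n", anti_framing_headers()), "\n";
```

The validation function deliberately returns an array rather than writing to a shared `$errors`, so a caller can do `$errors = array_merge($errors, csrf_validate($_POST, $_SESSION));` and never lose earlier messages. The headers are returned rather than sent so the script is runnable from the CLI; in a web request they must go out before any body is written.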
