Migrating from WSC 5.3 - Templates and Languages

{csrfToken}

Going forward, any uses of the SECURITY_TOKEN_* constants should be avoided. To reference the CSRF token (“Security Token”) within templates, the {csrfToken} template plugin was added.

Before:

{@SECURITY_TOKEN_INPUT_TAG}
{link controller="Foo"}t={@SECURITY_TOKEN}{/link}

After:

{csrfToken}
{link controller="Foo"}t={csrfToken type=url}{/link} {* The use of the CSRF token in URLs is discouraged.
                                                        Modifications should happen by means of a POST request. *}

The {csrfToken} plugin was backported to WoltLab Suite 5.2 and higher, allowing compatibility with a large range of WoltLab Suite branches. See WoltLab/WCF#3612 for details.

Prior to version 5.4 of WoltLab Suite, all RSS feed links contained the access token for logged-in users so that the feed shows all content the specific user has access to. With version 5.4, links with the CSS class rssFeed open a dialog when clicked; the dialog offers the feed link with the access token for personal use and an anonymous feed link that can be shared with others.

{* before *}
<li>
    <a rel="alternate" {*
        *}href="{if $__wcf->getUser()->userID}{link controller='ArticleFeed'}at={@$__wcf->getUser()->userID}-{@$__wcf->getUser()->accessToken}{/link}{else}{link controller='ArticleFeed'}{/link}{/if}" {*
        *}title="{lang}wcf.global.button.rss{/lang}" {*
        *}class="jsTooltip"{*
    *}>
        <span class="icon icon16 fa-rss"></span>
        <span class="invisible">{lang}wcf.global.button.rss{/lang}</span>
    </a>
</li>

{* after *}
<li>
    <a rel="alternate" {*
        *}href="{if $__wcf->getUser()->userID}{link controller='ArticleFeed'}at={@$__wcf->getUser()->userID}-{@$__wcf->getUser()->accessToken}{/link}{else}{link controller='ArticleFeed'}{/link}{/if}" {*
        *}title="{lang}wcf.global.button.rss{/lang}" {*
        *}class="rssFeed jsTooltip"{*
    *}>
        <span class="icon icon16 fa-rss"></span>
        <span class="invisible">{lang}wcf.global.button.rss{/lang}</span>
    </a>
</li>
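
A migration lint for the two changes described on this page, as an added example that is not WoltLab's own tooling: it flags remaining SECURITY_TOKEN_* constants, {csrfToken type=url} inside links, and links that embed the access token without the rssFeed class. The function name, rule names and sample template are constructed for illustration.

```python
import re

# Template comments {* ... *} may span lines; the page's examples use them to
# join the attributes of one tag, so they are blanked out before matching.
COMMENT = re.compile(r"\{\*.*?\*\}", re.S)
DEPRECATED = re.compile(r"\bSECURITY_TOKEN\w*")
TOKEN_IN_URL = re.compile(r"""\{csrfToken\s+type=['"]?url\b""")
# Opening <a ...> tag; quoted values may contain '>' (e.g. $__wcf->getUser()).
ANCHOR = re.compile(r"""<a\b(?:[^>"']|"[^"]*"|'[^']*')*>""")
CLASS_ATTR = re.compile(r'class="([^"]*)"')


def lint_template(source):
    """Return sorted (line, rule) findings for one template's text."""
    # Keep newlines when dropping comments so reported line numbers stay valid.
    text = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)

    def line_of(pos):
        return text.count("\n", 0, pos) + 1

    findings = [(line_of(m.start()), "deprecated-constant")
                for m in DEPRECATED.finditer(text)]
    findings += [(line_of(m.start()), "csrf-token-in-url")
                 for m in TOKEN_IN_URL.finditer(text)]
    for m in ANCHOR.finditer(text):
        tag = m.group()
        found = CLASS_ATTR.search(tag)
        classes = found.group(1).split() if found else []
        if "->accessToken" in tag and "rssFeed" not in classes:
            findings.append((line_of(m.start()), "feed-link-missing-rssFeed"))
    return sorted(findings)


# Constructed sample combining the page's "before" and "after" snippets.
SAMPLE = """\
{@SECURITY_TOKEN_INPUT_TAG}
{link controller="Foo"}t={@SECURITY_TOKEN}{/link}
{csrfToken}
{link controller="Foo"}t={csrfToken type=url}{/link}
<a rel="alternate" {*
    *}href="{link controller='ArticleFeed'}at={@$__wcf->getUser()->userID}-{@$__wcf->getUser()->accessToken}{/link}" {*
    *}class="jsTooltip">RSS</a>
<a rel="alternate" {*
    *}href="{link controller='ArticleFeed'}at={@$__wcf->getUser()->userID}-{@$__wcf->getUser()->accessToken}{/link}" {*
    *}class="rssFeed jsTooltip">RSS</a>
"""

if __name__ == "__main__":
    for line, rule in lint_template(SAMPLE):
        print(f"line {line}: {rule}")
```
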

Last update: 2021-04-19