From 422de35e3c3141e418a73bfb39b430d5fd74077e Mon Sep 17 00:00:00 2001
From: Kai Reinhard <K.Reinhard@micromata.de>
Date: Fri, 6 Dec 2013 00:14:24 +0100
Subject: [PATCH] CSRF protection.

---
 .../org/projectforge/web/admin/SetupForm.java   | 15 +++++++++++++++
 .../projectforge/web/admin/SetupImportForm.java | 14 ++++++++++++++
 .../org/projectforge/web/admin/SetupPage.html   |  2 ++
 .../web/admin/SystemUpdateForm.java             | 14 ++++++++++++++
 .../web/admin/SystemUpdatePage.html             |  1 +
 .../org/projectforge/web/core/NavTopPanel.html  |  1 +
 .../org/projectforge/web/core/NavTopPanel.java  |  8 ++++++++
 .../projectforge/web/dialog/ModalDialog.html    |  5 ++++-
 .../projectforge/web/dialog/ModalDialog.java    | 15 +++++++++++++++
 .../web/fibu/RechnungCostEditTablePanel.html    |  5 ++++-
 .../web/fibu/RechnungCostEditTablePanel.java    | 17 ++++++++++++++++-
 .../web/mobile/AbstractMobileEditForm.java      | 14 ++++++++++++++
 .../web/mobile/AbstractMobileEditPage.html      |  1 +
 .../web/mobile/AbstractMobileListForm.java      | 14 ++++++++++++++
 .../web/mobile/AbstractMobileListPage.html      | 17 ++++++++++-------
 .../org/projectforge/web/task/TaskTreeForm.java | 11 ++++++++++-
 .../org/projectforge/web/task/TaskTreePage.html |  1 +
 .../web/wicket/CsrfTokenHandler.java            | 12 ++++++------
 .../wicket/components/DropFileContainer.html    |  6 ++++--
 .../wicket/components/DropFileContainer.java    | 12 +++++++++++-
 20 files changed, 165 insertions(+), 20 deletions(-)

diff --git a/src/main/java/org/projectforge/web/admin/SetupForm.java b/src/main/java/org/projectforge/web/admin/SetupForm.java
index 23bf99459..dc44fcefc 100644
--- a/src/main/java/org/projectforge/web/admin/SetupForm.java
+++ b/src/main/java/org/projectforge/web/admin/SetupForm.java
@@ -40,6 +40,7 @@
 import org.projectforge.database.InitDatabaseDao;
 import org.projectforge.user.UserDao;
 import org.projectforge.web.wicket.AbstractForm;
+import org.projectforge.web.wicket.CsrfTokenHandler;
 import org.projectforge.web.wicket.WicketUtils;
 import org.projectforge.web.wicket.bootstrap.GridBuilder;
 import org.projectforge.web.wicket.components.MaxLengthTextField;
@@ -86,9 +87,15 @@ public class SetupForm extends AbstractForm<SetupForm, SetupPage>
 
   private String encryptedPassword;
 
+  /**
+   * Cross site request forgery token.
+   */
+  private final CsrfTokenHandler csrfTokenHandler;
+
   public SetupForm(final SetupPage parentPage)
   {
     super(parentPage, "setupform");
+    csrfTokenHandler = new CsrfTokenHandler(this);
   }
 
   @Override
@@ -227,6 +234,7 @@ public void validate(final IValidatable<String> validatable)
         @Override
         public final void onSubmit()
         {
+          csrfTokenHandler.onSubmit();
           parentPage.finishSetup();
         }
       };
@@ -237,6 +245,13 @@ public final void onSubmit()
     }
   }
 
+  @Override
+  protected void onSubmit()
+  {
+    super.onSubmit();
+    csrfTokenHandler.onSubmit();
+  }
+
   public SetupTarget getSetupMode()
   {
     return setupMode;
diff --git a/src/main/java/org/projectforge/web/admin/SetupImportForm.java b/src/main/java/org/projectforge/web/admin/SetupImportForm.java
index f4df9dd9c..d2a50d017 100644
--- a/src/main/java/org/projectforge/web/admin/SetupImportForm.java
+++ b/src/main/java/org/projectforge/web/admin/SetupImportForm.java
@@ -29,6 +29,7 @@
 import org.apache.wicket.model.Model;
 import org.apache.wicket.util.lang.Bytes;
 import org.projectforge.web.wicket.AbstractForm;
+import org.projectforge.web.wicket.CsrfTokenHandler;
 import org.projectforge.web.wicket.bootstrap.GridBuilder;
 import org.projectforge.web.wicket.components.SingleButtonPanel;
 import org.projectforge.web.wicket.flowlayout.FieldsetPanel;
@@ -42,10 +43,23 @@ public class SetupImportForm extends AbstractForm<SetupImportForm, SetupPage>
 
   protected String filename;
 
+  /**
+   * Cross site request forgery token.
+   */
+  private final CsrfTokenHandler csrfTokenHandler;
+
   public SetupImportForm(final SetupPage parentPage)
   {
     super(parentPage, "importform");
     initUpload(Bytes.megabytes(100));
+    csrfTokenHandler = new CsrfTokenHandler(this);
+  }
+
+  @Override
+  protected void onSubmit()
+  {
+    super.onSubmit();
+    csrfTokenHandler.onSubmit();
   }
 
   @Override
diff --git a/src/main/java/org/projectforge/web/admin/SetupPage.html b/src/main/java/org/projectforge/web/admin/SetupPage.html
index 2a1333f30..67f79c790 100644
--- a/src/main/java/org/projectforge/web/admin/SetupPage.html
+++ b/src/main/java/org/projectforge/web/admin/SetupPage.html
@@ -21,6 +21,7 @@
             <div class="button_bar">
               <wicket:container wicket:id="buttons">[action buttons]</wicket:container>
             </div>
+            <input type="hidden" wicket:id="csrfToken" />
           </form>
         </div>
       </div>
@@ -32,6 +33,7 @@
           <div class="button_bar">
             <wicket:container wicket:id="buttons">[action buttons]</wicket:container>
           </div>
+          <input type="hidden" wicket:id="csrfToken" />
         </form>
       </div>
     </div>
diff --git a/src/main/java/org/projectforge/web/admin/SystemUpdateForm.java b/src/main/java/org/projectforge/web/admin/SystemUpdateForm.java
index 34e9bbd9e..e8ed6aec9 100644
--- a/src/main/java/org/projectforge/web/admin/SystemUpdateForm.java
+++ b/src/main/java/org/projectforge/web/admin/SystemUpdateForm.java
@@ -38,6 +38,7 @@
 import org.projectforge.continuousdb.UpdatePreCheckStatus;
 import org.projectforge.web.HtmlHelper;
 import org.projectforge.web.wicket.AbstractForm;
+import org.projectforge.web.wicket.CsrfTokenHandler;
 import org.projectforge.web.wicket.bootstrap.GridBuilder;
 import org.projectforge.web.wicket.components.SingleButtonPanel;
 import org.projectforge.web.wicket.flowlayout.CheckBoxPanel;
@@ -54,6 +55,11 @@ public class SystemUpdateForm extends AbstractForm<SystemUpdateForm, SystemUpdat
 
   private GridBuilder gridBuilder;
 
+  /**
+   * Cross site request forgery token.
+   */
+  private final CsrfTokenHandler csrfTokenHandler;
+
   /**
    * List to create content menu in the desired order before creating the RepeatingView.
    */
@@ -62,6 +68,7 @@ public class SystemUpdateForm extends AbstractForm<SystemUpdateForm, SystemUpdat
   public SystemUpdateForm(final SystemUpdatePage parentPage)
   {
     super(parentPage);
+    csrfTokenHandler = new CsrfTokenHandler(this);
   }
 
   @Override
@@ -165,4 +172,11 @@ public void onBeforeRender()
     super.onBeforeRender();
     actionButtons.render();
   }
+
+  @Override
+  protected void onSubmit()
+  {
+    super.onSubmit();
+    csrfTokenHandler.onSubmit();
+  }
 }
diff --git a/src/main/java/org/projectforge/web/admin/SystemUpdatePage.html b/src/main/java/org/projectforge/web/admin/SystemUpdatePage.html
index 84942e07f..ba6c2f66b 100644
--- a/src/main/java/org/projectforge/web/admin/SystemUpdatePage.html
+++ b/src/main/java/org/projectforge/web/admin/SystemUpdatePage.html
@@ -47,6 +47,7 @@ <h3 class="section">Update scripts</h3>
       <div class="button_bar">
         <wicket:container wicket:id="buttons">[action buttons]</wicket:container>
       </div>
+      <input type="hidden" wicket:id="csrfToken" />
     </form>
   </wicket:extend>
 </body>
diff --git a/src/main/java/org/projectforge/web/core/NavTopPanel.html b/src/main/java/org/projectforge/web/core/NavTopPanel.html
index 19498d2f9..eb1079824 100644
--- a/src/main/java/org/projectforge/web/core/NavTopPanel.html
+++ b/src/main/java/org/projectforge/web/core/NavTopPanel.html
@@ -39,6 +39,7 @@
           </div>
           <form class="navbar-search pull-left" wicket:id="searchForm" autocomplete="off">
             <input type="text" class="search-query span2" placeholder="Search" wicket:id="searchField">
+            <input type="hidden" wicket:id="csrfToken" />
           </form>
           <ul class="nav pull-right">
             <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown"><span wicket:id="user">[Kai Reinhard]</span><b
diff --git a/src/main/java/org/projectforge/web/core/NavTopPanel.java b/src/main/java/org/projectforge/web/core/NavTopPanel.java
index 74f63e682..c099387a0 100644
--- a/src/main/java/org/projectforge/web/core/NavTopPanel.java
+++ b/src/main/java/org/projectforge/web/core/NavTopPanel.java
@@ -59,6 +59,7 @@
 import org.projectforge.web.user.ChangePasswordPage;
 import org.projectforge.web.user.MyAccountEditPage;
 import org.projectforge.web.wicket.AbstractSecuredPage;
+import org.projectforge.web.wicket.CsrfTokenHandler;
 import org.projectforge.web.wicket.FeedbackPage;
 import org.projectforge.web.wicket.MySession;
 import org.projectforge.web.wicket.WicketUtils;
@@ -82,6 +83,11 @@ public class NavTopPanel extends NavAbstractPanel
 
   private BookmarkDialog bookmarkDialog;
 
+  /**
+   * Cross site request forgery token.
+   */
+  private CsrfTokenHandler csrfTokenHandler;
+
   public NavTopPanel(final String id, final UserXmlPreferencesCache userXmlPreferencesCache, final AccessChecker accessChecker)
   {
     super(id);
@@ -117,6 +123,7 @@ public void init(final AbstractSecuredPage page)
       @Override
       protected void onSubmit()
       {
+        csrfTokenHandler.onSubmit();
         if (StringUtils.isNotBlank(searchString) == true) {
           final SearchPage searchPage = new SearchPage(new PageParameters(), searchString);
           setResponsePage(searchPage);
@@ -124,6 +131,7 @@ protected void onSubmit()
         super.onSubmit();
       }
     };
+    csrfTokenHandler = new CsrfTokenHandler(searchForm);
     add(searchForm);
     final TextField<String> searchField = new TextField<String>("searchField", new PropertyModel<String>(searchForm, "searchString"));
     WicketUtils.setPlaceHolderAttribute(searchField, getString("search.search"));
diff --git a/src/main/java/org/projectforge/web/dialog/ModalDialog.html b/src/main/java/org/projectforge/web/dialog/ModalDialog.html
index 68aae466f..4197e7cc5 100644
--- a/src/main/java/org/projectforge/web/dialog/ModalDialog.html
+++ b/src/main/java/org/projectforge/web/dialog/ModalDialog.html
@@ -3,7 +3,9 @@
     <wicket:container wicket:id="mainSubContainer">
       <div class="modal-header">
         <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
-        <h3 id="myModalLabel" wicket:id="titleContainer"><span wicket:id="titleText">[title]</span></h3>
+        <h3 id="myModalLabel" wicket:id="titleContainer">
+          <span wicket:id="titleText">[title]</span>
+        </h3>
       </div>
       <form wicket:id="form" autocomplete="off">
         <div class="modal-body" wicket:id="gridContent">
@@ -13,6 +15,7 @@ <h3 id="myModalLabel" wicket:id="titleContainer"><span wicket:id="titleText">[ti
         <div class="modal-footer" wicket:id="buttonBar">
           <wicket:container wicket:id="actionButtons" />
         </div>
+        <input type="hidden" wicket:id="csrfToken" />
       </form>
     </wicket:container>
   </div>
diff --git a/src/main/java/org/projectforge/web/dialog/ModalDialog.java b/src/main/java/org/projectforge/web/dialog/ModalDialog.java
index f4b543bc8..13bfda4b7 100644
--- a/src/main/java/org/projectforge/web/dialog/ModalDialog.java
+++ b/src/main/java/org/projectforge/web/dialog/ModalDialog.java
@@ -39,6 +39,7 @@
 import org.apache.wicket.model.IModel;
 import org.apache.wicket.model.Model;
 import org.projectforge.web.core.NavTopPanel;
+import org.projectforge.web.wicket.CsrfTokenHandler;
 import org.projectforge.web.wicket.WicketUtils;
 import org.projectforge.web.wicket.bootstrap.GridBuilder;
 import org.projectforge.web.wicket.components.SingleButtonPanel;
@@ -97,6 +98,11 @@ public abstract class ModalDialog extends Panel
    */
   protected MyComponentsRepeater<Component> actionButtons;
 
+  /**
+   * Cross site request forgery token.
+   */
+  protected CsrfTokenHandler csrfTokenHandler;
+
   /**
    * @param id
    */
@@ -231,6 +237,7 @@ public ModalDialog wantsNotificationOnClose()
       @Override
       protected void onEvent(final AjaxRequestTarget target)
       {
+        csrfTokenHandler.onSubmit();
         handleCloseEvent(target);
       }
     });
@@ -288,6 +295,7 @@ public ModalDialog open(final AjaxRequestTarget target)
 
   public void close(final AjaxRequestTarget target)
   {
+    csrfTokenHandler.onSubmit();
     target.appendJavaScript("$('#" + getMainContainerMarkupId() + "').modal('hide');");
   }
 
@@ -366,6 +374,7 @@ public ModalDialog clearContent()
   protected void init(final Form< ? > form)
   {
     this.form = form;
+    csrfTokenHandler = new CsrfTokenHandler(form);
     mainSubContainer.add(form);
     form.add(gridContentContainer);
     form.add(buttonBarContainer);
@@ -374,6 +383,7 @@ protected void init(final Form< ? > form)
         @Override
         public void callback(final AjaxRequestTarget target)
         {
+          csrfTokenHandler.onSubmit();
           onCancelButtonSubmit(target);
           close(target);
         }
@@ -385,6 +395,7 @@ public void callback(final AjaxRequestTarget target)
       @Override
       public void callback(final AjaxRequestTarget target)
       {
+        csrfTokenHandler.onSubmit();
         if (onCloseButtonSubmit(target)) {
           close(target);
         }
@@ -393,6 +404,7 @@ public void callback(final AjaxRequestTarget target)
       @Override
       public void onError(final AjaxRequestTarget target, final Form< ? > form)
       {
+        csrfTokenHandler.onSubmit();
         ModalDialog.this.onError(target, form);
       }
     }, closeButtonLabel != null ? closeButtonLabel : getString("close"), SingleButtonPanel.NORMAL);
@@ -416,6 +428,7 @@ private void initFeedback(final WebMarkupContainer container)
 
   protected void ajaxError(final String error, final AjaxRequestTarget target)
   {
+    csrfTokenHandler.onSubmit();
     form.error(error);
     target.add(formFeedback);
   }
@@ -427,6 +440,7 @@ protected void ajaxError(final String error, final AjaxRequestTarget target)
    */
   protected void handleCloseEvent(final AjaxRequestTarget target)
   {
+    csrfTokenHandler.onSubmit();
   }
 
   /**
@@ -505,6 +519,7 @@ private SingleButtonPanel addNewAjaxActionButton(final AjaxCallback ajaxCallback
       @Override
       protected void onSubmit(final AjaxRequestTarget target, final Form< ? > form)
       {
+        csrfTokenHandler.onSubmit();
         ajaxCallback.callback(target);
       }
 
diff --git a/src/main/java/org/projectforge/web/fibu/RechnungCostEditTablePanel.html b/src/main/java/org/projectforge/web/fibu/RechnungCostEditTablePanel.html
index c9c0dc396..8837dcac5 100644
--- a/src/main/java/org/projectforge/web/fibu/RechnungCostEditTablePanel.html
+++ b/src/main/java/org/projectforge/web/fibu/RechnungCostEditTablePanel.html
@@ -32,7 +32,10 @@
         </tbody>
       </table>
       <div>
-      <wicket:message key="rest" />: <span wicket:id="restValue">[-1234,00]</span></div>
+        <wicket:message key="rest" />
+        : <span wicket:id="restValue">[-1234,00]</span>
+      </div>
+      <input type="hidden" wicket:id="csrfToken" />
     </form>
   </wicket:panel>
 </body>
diff --git a/src/main/java/org/projectforge/web/fibu/RechnungCostEditTablePanel.java b/src/main/java/org/projectforge/web/fibu/RechnungCostEditTablePanel.java
index cceacbdda..ff00fa656 100644
--- a/src/main/java/org/projectforge/web/fibu/RechnungCostEditTablePanel.java
+++ b/src/main/java/org/projectforge/web/fibu/RechnungCostEditTablePanel.java
@@ -54,6 +54,7 @@
 import org.projectforge.fibu.kost.Kost2Dao;
 import org.projectforge.fibu.kost.KostZuweisungDO;
 import org.projectforge.fibu.kost.KostZuweisungenCopyHelper;
+import org.projectforge.web.wicket.CsrfTokenHandler;
 import org.projectforge.web.wicket.WicketAjaxUtils;
 import org.projectforge.web.wicket.WicketUtils;
 import org.projectforge.web.wicket.components.MinMaxNumberField;
@@ -85,17 +86,31 @@ public class RechnungCostEditTablePanel extends Panel
 
   MyAjaxComponentHolder ajaxComponents = new MyAjaxComponentHolder();
 
+  /**
+   * Cross site request forgery token.
+   */
+  private final CsrfTokenHandler csrfTokenHandler;
+
   /**
    * @param id
    */
+  @SuppressWarnings("serial")
   public RechnungCostEditTablePanel(final String id)
   {
     super(id);
     feedbackPanel = new FeedbackPanel("feedback");
     ajaxComponents.register(feedbackPanel);
     add(feedbackPanel);
-    this.form = new Form<AbstractRechnungsPositionDO>("form");
+    this.form = new Form<AbstractRechnungsPositionDO>("form") {
+      @Override
+      protected void onSubmit()
+      {
+        super.onSubmit();
+        csrfTokenHandler.onSubmit();
+      }
+    };
     add(form);
+    csrfTokenHandler = new CsrfTokenHandler(form);
     rows = new RepeatingView("rows");
     form.add(rows);
   }
diff --git a/src/main/java/org/projectforge/web/mobile/AbstractMobileEditForm.java b/src/main/java/org/projectforge/web/mobile/AbstractMobileEditForm.java
index 208577dad..ff80e6cef 100644
--- a/src/main/java/org/projectforge/web/mobile/AbstractMobileEditForm.java
+++ b/src/main/java/org/projectforge/web/mobile/AbstractMobileEditForm.java
@@ -28,6 +28,7 @@
 import org.apache.wicket.markup.html.panel.FeedbackPanel;
 import org.apache.wicket.markup.repeater.RepeatingView;
 import org.projectforge.core.AbstractBaseDO;
+import org.projectforge.web.wicket.CsrfTokenHandler;
 import org.projectforge.web.wicket.mobileflowlayout.MobileGridBuilder;
 
 public abstract class AbstractMobileEditForm<O extends AbstractBaseDO< ? >, P extends AbstractMobileEditPage< ? , ? , ? >> extends
@@ -39,10 +40,23 @@ public abstract class AbstractMobileEditForm<O extends AbstractBaseDO< ? >, P ex
 
   protected MobileGridBuilder gridBuilder;
 
+  /**
+   * Cross site request forgery token.
+   */
+  private final CsrfTokenHandler csrfTokenHandler;
+
   public AbstractMobileEditForm(final P parentPage, final O data)
   {
     super(parentPage);
     this.data = data;
+    csrfTokenHandler = new CsrfTokenHandler(this);
+  }
+
+  @Override
+  protected void onSubmit()
+  {
+    super.onSubmit();
+    csrfTokenHandler.onSubmit();
   }
 
   public O getData()
diff --git a/src/main/java/org/projectforge/web/mobile/AbstractMobileEditPage.html b/src/main/java/org/projectforge/web/mobile/AbstractMobileEditPage.html
index 9ed7f0f49..ee47a24c8 100644
--- a/src/main/java/org/projectforge/web/mobile/AbstractMobileEditPage.html
+++ b/src/main/java/org/projectforge/web/mobile/AbstractMobileEditPage.html
@@ -19,6 +19,7 @@
         <p>
           <a wicket:id="submitButton" rel="external" data-role="button"><wicket:container wicket:id="label">[create or update]</wicket:container></a>
         </p>
+        <input type="hidden" wicket:id="csrfToken" />
       </form>
     </div>
   </wicket:extend>
diff --git a/src/main/java/org/projectforge/web/mobile/AbstractMobileListForm.java b/src/main/java/org/projectforge/web/mobile/AbstractMobileListForm.java
index 832cb1763..41557f4b4 100644
--- a/src/main/java/org/projectforge/web/mobile/AbstractMobileListForm.java
+++ b/src/main/java/org/projectforge/web/mobile/AbstractMobileListForm.java
@@ -27,6 +27,7 @@
 import org.apache.wicket.markup.html.form.TextField;
 import org.apache.wicket.model.PropertyModel;
 import org.projectforge.core.BaseSearchFilter;
+import org.projectforge.web.wicket.CsrfTokenHandler;
 
 public abstract class AbstractMobileListForm<F extends BaseSearchFilter, P extends AbstractMobileListPage< ? , ? , ? >> extends
 AbstractMobileForm<AbstractMobileListForm< ? , ? >, AbstractMobileListPage< ? , ? , ? >>
@@ -37,6 +38,11 @@ public abstract class AbstractMobileListForm<F extends BaseSearchFilter, P exten
 
   protected F filter;
 
+  /**
+   * Cross site request forgery token.
+   */
+  private final CsrfTokenHandler csrfTokenHandler;
+
   @SuppressWarnings("unchecked")
   public AbstractMobileListForm(final AbstractMobileListPage< ? , ? , ? > parentPage)
   {
@@ -51,6 +57,14 @@ public AbstractMobileListForm(final AbstractMobileListPage< ? , ? , ? > parentPa
       filter = newFilter();
       parentPage.putUserPrefEntry(userPrefFilterKey, filter, true);
     }
+    csrfTokenHandler = new CsrfTokenHandler(this);
+  }
+
+  @Override
+  protected void onSubmit()
+  {
+    super.onSubmit();
+    csrfTokenHandler.onSubmit();
   }
 
   protected void init()
diff --git a/src/main/java/org/projectforge/web/mobile/AbstractMobileListPage.html b/src/main/java/org/projectforge/web/mobile/AbstractMobileListPage.html
index 94d27929e..b4fa9c08f 100644
--- a/src/main/java/org/projectforge/web/mobile/AbstractMobileListPage.html
+++ b/src/main/java/org/projectforge/web/mobile/AbstractMobileListPage.html
@@ -6,12 +6,15 @@
 </head>
 
 <body>
-<wicket:extend>
-  <form wicket:id="form" autocomplete="off">
-  <div data-role="fieldcontain" id="searchfield"><input type="text" data-type="search" wicket:id="searchField" id="search" placeholder="Suche" /></div>
-  </form>
-  <wicket:container wicket:id="listViewPage">
-  </wicket:container>
-</wicket:extend>
+  <wicket:extend>
+    <form wicket:id="form" autocomplete="off">
+      <div data-role="fieldcontain" id="searchfield">
+        <input type="text" data-type="search" wicket:id="searchField" id="search" placeholder="Suche" />
+      </div>
+      <input type="hidden" wicket:id="csrfToken" />
+    </form>
+    <wicket:container wicket:id="listViewPage">
+    </wicket:container>
+  </wicket:extend>
 </body>
 </html>
diff --git a/src/main/java/org/projectforge/web/task/TaskTreeForm.java b/src/main/java/org/projectforge/web/task/TaskTreeForm.java
index 5d7613d03..56759e3e5 100644
--- a/src/main/java/org/projectforge/web/task/TaskTreeForm.java
+++ b/src/main/java/org/projectforge/web/task/TaskTreeForm.java
@@ -31,6 +31,7 @@
 import org.apache.wicket.model.PropertyModel;
 import org.projectforge.task.TaskFilter;
 import org.projectforge.web.wicket.AbstractForm;
+import org.projectforge.web.wicket.CsrfTokenHandler;
 import org.projectforge.web.wicket.WebConstants;
 import org.projectforge.web.wicket.WicketUtils;
 import org.projectforge.web.wicket.bootstrap.GridBuilder;
@@ -65,6 +66,11 @@ public class TaskTreeForm extends AbstractForm<TaskFilter, TaskTreePage>
 
   protected GridBuilder gridBuilder;
 
+  /**
+   * Cross site request forgery token.
+   */
+  private final CsrfTokenHandler csrfTokenHandler;
+
   @Override
   @SuppressWarnings("serial")
   protected void init()
@@ -131,7 +137,8 @@ public final void onSubmit()
         }
       };
 
-      listViewButtonPanel = new SingleButtonPanel(actionButtons.newChildId(), listViewButton, getString("listView"), SingleButtonPanel.NORMAL);
+      listViewButtonPanel = new SingleButtonPanel(actionButtons.newChildId(), listViewButton, getString("listView"),
+          SingleButtonPanel.NORMAL);
       actionButtons.add(listViewButtonPanel);
     }
     {
@@ -153,6 +160,7 @@ public final void onSubmit()
   public TaskTreeForm(final TaskTreePage parentPage)
   {
     super(parentPage);
+    csrfTokenHandler = new CsrfTokenHandler(this);
   }
 
   @Override
@@ -198,6 +206,7 @@ public TaskFilter getSearchFilter()
   protected void onSubmit()
   {
     super.onSubmit();
+    csrfTokenHandler.onSubmit();
     parentPage.refresh();
   }
 
diff --git a/src/main/java/org/projectforge/web/task/TaskTreePage.html b/src/main/java/org/projectforge/web/task/TaskTreePage.html
index 92e466c8d..fcbbb4248 100644
--- a/src/main/java/org/projectforge/web/task/TaskTreePage.html
+++ b/src/main/java/org/projectforge/web/task/TaskTreePage.html
@@ -23,6 +23,7 @@
         <wicket:container wicket:id="actionButtons">[cancel] [search]</wicket:container>
       </div>
       <div wicket:id="tree">[tree]</div>
+      <input type="hidden" wicket:id="csrfToken" />
     </form>
     <div class="alert alert-info" wicket:id="info">[Click on row to select one task.]</div>
   </wicket:extend>
diff --git a/src/main/java/org/projectforge/web/wicket/CsrfTokenHandler.java b/src/main/java/org/projectforge/web/wicket/CsrfTokenHandler.java
index 838bc1244..ebe962e29 100644
--- a/src/main/java/org/projectforge/web/wicket/CsrfTokenHandler.java
+++ b/src/main/java/org/projectforge/web/wicket/CsrfTokenHandler.java
@@ -29,7 +29,7 @@
 import org.apache.wicket.Session;
 import org.apache.wicket.markup.html.form.Form;
 import org.apache.wicket.markup.html.form.HiddenField;
-import org.apache.wicket.model.Model;
+import org.apache.wicket.model.PropertyModel;
 import org.projectforge.core.InternalErrorException;
 
 /**
@@ -43,7 +43,7 @@ public class CsrfTokenHandler implements Serializable
 
   private static final org.apache.log4j.Logger log = org.apache.log4j.Logger.getLogger(CsrfTokenHandler.class);
 
-  private HiddenField<String> csrfTokenField;
+  private final String csrfToken;
 
   /**
    * The given form should contain a hidden field named 'csrfToken'.
@@ -51,7 +51,8 @@ public class CsrfTokenHandler implements Serializable
    */
   public CsrfTokenHandler(final Form< ? > form)
   {
-    form.add(csrfTokenField = new HiddenField<String>("csrfToken", Model.of(getCsrfSessionToken())));
+    csrfToken = getCsrfSessionToken();
+    form.add(new HiddenField<String>("csrfToken", new PropertyModel<String>(this, "csrfToken")));
   }
 
   /**
@@ -71,12 +72,11 @@ private String getCsrfSessionToken()
   public void onSubmit()
   {
     final String sessionCsrfToken = getCsrfSessionToken();
-    final String postedCsrfToken = this.csrfTokenField.getInput();
-    if (StringUtils.equals(sessionCsrfToken, postedCsrfToken) == false) {
+    if (StringUtils.equals(sessionCsrfToken, csrfToken) == false) {
       log.error("Cross site request forgery alert. csrf token doesn't match! session csrf token="
           + sessionCsrfToken
           + ", posted csrf token="
-          + postedCsrfToken);
+          + csrfToken);
       throw new InternalErrorException("errorpage.csrfError");
     }
   }
diff --git a/src/main/java/org/projectforge/web/wicket/components/DropFileContainer.html b/src/main/java/org/projectforge/web/wicket/components/DropFileContainer.html
index d93687322..5e895610a 100644
--- a/src/main/java/org/projectforge/web/wicket/components/DropFileContainer.html
+++ b/src/main/java/org/projectforge/web/wicket/components/DropFileContainer.html
@@ -1,11 +1,13 @@
 <wicket:panel xmlns:wicket="http://wicket.apache.org/dtds.data/wicket-xhtml1.4-strict.dtd">
   <div class="pf_dnd" wicket:id="main">
     <input type="file" id="fileselect" class="pf_fileselect" />
-    <div class="pf_filedrag"><wicket:message key="drop" /></div>
+    <div class="pf_filedrag">
+      <wicket:message key="drop" />
+    </div>
     <form wicket:id="hiddenForm" class="pf_hiddenForm">
       <textarea class="pf_text" wicket:id="importString"></textarea>
       <textarea class="pf_name" wicket:id="importFileName"></textarea>
-      <input type="submit" class="pf_submit" wicket:id="submitButton" />
+      <input type="submit" class="pf_submit" wicket:id="submitButton" /> <input type="hidden" wicket:id="csrfToken" />
     </form>
   </div>
 </wicket:panel>
diff --git a/src/main/java/org/projectforge/web/wicket/components/DropFileContainer.java b/src/main/java/org/projectforge/web/wicket/components/DropFileContainer.java
index d049ad332..ff4f8ffd1 100644
--- a/src/main/java/org/projectforge/web/wicket/components/DropFileContainer.java
+++ b/src/main/java/org/projectforge/web/wicket/components/DropFileContainer.java
@@ -33,6 +33,7 @@
 import org.apache.wicket.markup.html.form.TextArea;
 import org.apache.wicket.markup.html.panel.Panel;
 import org.apache.wicket.model.CompoundPropertyModel;
+import org.projectforge.web.wicket.CsrfTokenHandler;
 import org.projectforge.web.wicket.WicketUtils;
 
 /**
@@ -47,8 +48,14 @@ public abstract class DropFileContainer extends Panel
   private static final long serialVersionUID = 3622467918922963503L;
 
   private final WebMarkupContainer main;
+
   private final String mimeType;
 
+  /**
+   * Cross site request forgery token.
+   */
+  private  CsrfTokenHandler csrfTokenHandler;
+
   /**
    * @param id
    */
@@ -57,7 +64,8 @@ public DropFileContainer(final String id)
     this(id, null);
   }
 
-  public DropFileContainer(final String id, final String mimeType) {
+  public DropFileContainer(final String id, final String mimeType)
+  {
     super(id);
     this.mimeType = mimeType;
     main = new WebMarkupContainer("main");
@@ -82,6 +90,7 @@ protected void onInitialize()
       @Override
       protected void onSubmit(final AjaxRequestTarget target, final Form< ? > form)
       {
+        csrfTokenHandler.onSubmit();
         final FormBean modelObject = hiddenForm.getModel().getObject();
         onStringImport(target, modelObject.importFileName, modelObject.importString);
       }
@@ -93,6 +102,7 @@ protected void onError(final AjaxRequestTarget target, final Form< ? > form)
       }
 
     });
+    csrfTokenHandler = new CsrfTokenHandler(hiddenForm);
   }
 
   /**