From 790d85a88a2b4094eba1c1d0c0554d0ef7bd4b96 Mon Sep 17 00:00:00 2001
From: Slawomir Boczek <slawkens@gmail.com>
Date: Sat, 11 Nov 2023 10:57:57 +0100
Subject: [PATCH] CSRF Protection (#235)

* Fix alert class name

* feature: csrf protection

* Cosmetics

* Fix token generate

* Admin Panel: changelogs csrf protection

* news/id route

* Refactor admin newses + add csrf

* Use admin.links instead

* Admin panel: Pages csrf

* Menus: better csrf + add success message on reset colors

* Plugins csrf

* Move definitions

* add info function, same as note($message)

* Update mailer.php

* Fix new page/news links

* clear_cache & maintenance csrf

* Formatting

* Fix news type

* Fix changelog link

* Add new changelog link

* More info to confirm dialog

* This is always true
---
 admin/pages/accounts.php                      |   8 +-
 admin/pages/changelog.php                     |  49 ++---
 admin/pages/dashboard.php                     |   6 +-
 admin/pages/login.php                         |   2 +
 admin/pages/mailer.php                        |   4 +-
 admin/pages/mass_account.php                  |   2 +
 admin/pages/mass_teleport.php                 |   2 +
 admin/pages/menus.php                         |  21 +-
 admin/pages/modules/templates/web_status.twig |  46 +++--
 admin/pages/news.php                          |  40 ++--
 admin/pages/notepad.php                       |   2 +
 admin/pages/pages.php                         | 193 ++++--------------
 admin/pages/players.php                       |   8 +-
 admin/pages/plugins.php                       |  17 +-
 admin/tools/settings_save.php                 |   2 +
 common.php                                    |   7 +
 system/functions.php                          |  35 +++-
 system/init.php                               |   9 +
 system/libs/changelog.php                     |   1 +
 system/logout.php                             |   5 +
 system/pages/account/change_email.php         |   8 +-
 system/pages/faq.php                          |   4 +-
 system/pages/news.php                         |  25 +--
 system/router.php                             |   5 +-
 system/routes.php                             |   1 +
 system/settings.php                           |   6 +
 system/src/Admin/Pages.php                    | 134 ++++++++++++
 system/src/CsrfToken.php                      |  95 +++++++++
 .../templates/account.back_button.html.twig   |   1 +
 .../account.change_comment.html.twig          |   2 +
 .../templates/account.change_info.html.twig   |   4 +-
 .../templates/account.change_mail.html.twig   |   2 +
 .../templates/account.change_name.html.twig   |   2 +
 .../account.change_password.html.twig         |   2 +
 system/templates/account.change_sex.html.twig |   2 +
 system/templates/account.create.html.twig     |   1 +
 .../account.create_character.html.twig        |   2 +
 .../account.delete_character.html.twig        |   4 +-
 ...ccount.generate_new_recovery_key.html.twig |   2 +
 .../account.generate_recovery_key.html.twig   |   4 +-
 system/templates/account.login.html.twig      |   4 +-
 system/templates/account.lost.form.html.twig  |   5 +-
 system/templates/account.management.html.twig |   8 +
 system/templates/admin-bar.html.twig          |   9 +-
 .../templates/admin.changelog.form.html.twig  |   2 +
 system/templates/admin.changelog.html.twig    |  48 ++++-
 system/templates/admin.links.html.twig        |  22 ++
 system/templates/admin.login.html.twig        |   1 +
 system/templates/admin.mailer.html.twig       |   1 +
 system/templates/admin.menus.form.html.twig   |   1 +
 system/templates/admin.news.form.html.twig    |  14 +-
 system/templates/admin.news.html.twig         | 136 +-----------
 system/templates/admin.news.table.html.twig   |  64 ++++++
 system/templates/admin.notepad.html.twig      |   1 +
 system/templates/admin.pages.form.html.twig   |   4 +-
 system/templates/admin.pages.html.twig        |  36 +++-
 system/templates/admin.pages.links.html.twig  |  14 --
 system/templates/admin.plugins.form.html.twig |   1 +
 system/templates/admin.plugins.html.twig      |  24 ++-
 system/templates/admin.settings.html.twig     |   6 +
 .../templates/admin.tools.account.html.twig   |   3 +
 system/templates/characters.html.twig         |   4 +-
 system/templates/faq.form.html.twig           |   9 +-
 system/templates/forum.add_board.html.twig    |   3 +-
 system/templates/forum.edit_post.html.twig    |   3 +-
 system/templates/forum.move_thread.html.twig  |   3 +-
 system/templates/forum.new_post.html.twig     |   1 +
 system/templates/forum.new_thread.html.twig   |   3 +-
 system/templates/gallery.form.html.twig       |   3 +-
 .../templates/guilds.accept_invite.html.twig  |   4 +-
 system/templates/guilds.back_button.html.twig |   3 +-
 .../guilds.change_description.html.twig       |   2 +
 system/templates/guilds.change_logo.html.twig |   2 +
 system/templates/guilds.change_motd.html.twig |   2 +
 system/templates/guilds.change_rank.html.twig |   4 +-
 system/templates/guilds.create.html.twig      |   4 +-
 .../templates/guilds.create.success.html.twig |   3 +-
 .../templates/guilds.delete_guild.html.twig   |   4 +-
 .../templates/guilds.delete_invite.html.twig  |   4 +-
 system/templates/guilds.invite.html.twig      |   3 +-
 system/templates/guilds.kick_player.html.twig |   4 +-
 system/templates/guilds.leave_guild.html.twig |   4 +-
 system/templates/guilds.list.html.twig        |  12 +-
 system/templates/guilds.manager.html.twig     |   5 +-
 .../guilds.pass_leadership.html.twig          |   4 +-
 system/templates/guilds.view.html.twig        |   7 +
 system/templates/templates.header.html.twig   |   2 +
 system/twig.php                               |  11 +
 .../tibiacom/news.featured_article.html.twig  |  11 +-
 89 files changed, 789 insertions(+), 504 deletions(-)
 create mode 100644 system/src/Admin/Pages.php
 create mode 100644 system/src/CsrfToken.php
 create mode 100644 system/templates/admin.links.html.twig
 create mode 100644 system/templates/admin.news.table.html.twig
 delete mode 100644 system/templates/admin.pages.links.html.twig

diff --git a/admin/pages/accounts.php b/admin/pages/accounts.php
index 214b82f017..4d410f11d9 100644
--- a/admin/pages/accounts.php
+++ b/admin/pages/accounts.php
@@ -13,6 +13,9 @@
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Account editor';
+
+csrfProtect();
+
 $admin_base = ADMIN_URL . '?p=accounts';
 $use_datatable = true;
 
@@ -82,7 +85,7 @@
 		$account = new OTS_Account();
 		$account->load($id);
 
-		if (isset($account, $_POST['save']) && $account->isLoaded()) {
+		if (isset($_POST['save']) && $account->isLoaded()) {
 			$error = false;
 
 			$_error = '';
@@ -289,6 +292,7 @@
 					<div class="tab-content" id="accounts-tabContent">
 						<div class="tab-pane fade active show" id="accounts-acc">
 							<form action="<?php echo $admin_base . ((isset($id) && $id > 0) ? '&id=' . $id : ''); ?>" method="post">
+								<?php csrf(); ?>
 								<div class="form-group row">
 									<?php if (USE_ACCOUNT_NAME): ?>
 										<div class="col-12 col-sm-12 col-lg-4">
@@ -581,6 +585,7 @@ class="form-check-input"/>
 				<div class="row">
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
+							<?php csrf(); ?>
 							<label for="search">Account Name:</label>
 							<div class="input-group input-group-sm">
 								<input type="text" class="form-control" id="search" name="search" value="<?= escapeHtml($search_account); ?>" maxlength="32" size="32">
@@ -590,6 +595,7 @@ class="form-check-input"/>
 					</div>
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
+							<?php csrf(); ?>
 							<label for="id">Account ID:</label>
 							<div class="input-group input-group-sm">
 								<input type="text" class="form-control" id="id" name="id" value="<?= $id; ?>" maxlength="32" size="32">
diff --git a/admin/pages/changelog.php b/admin/pages/changelog.php
index 3d5cad6464..ae2fd7b03e 100644
--- a/admin/pages/changelog.php
+++ b/admin/pages/changelog.php
@@ -13,30 +13,29 @@
 
 defined('MYAAC') or die('Direct access not allowed!');
 
+$title = 'Changelog';
+
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
 }
 
-$title = 'Changelog';
 $use_datatable = true;
 const CL_LIMIT = 600; // maximum changelog body length
-?>
 
-<link rel="stylesheet" type="text/css" href="<?php echo BASE_URL; ?>tools/css/jquery.datetimepicker.css"/ >
-<script src="<?php echo BASE_URL; ?>tools/js/jquery.datetimepicker.js"></script>
-<?php
 $id = $_GET['id'] ?? 0;
 require_once LIBS . 'changelog.php';
 
 if(!empty($action))
 {
-	$id = $_REQUEST['id'] ?? null;
-	$body = isset($_REQUEST['body']) ? stripslashes($_REQUEST['body']) : null;
-	$create_date = isset($_REQUEST['createdate']) ? (int)strtotime($_REQUEST['createdate'] ): null;
-	$player_id = isset($_REQUEST['player_id']) ? (int)$_REQUEST['player_id'] : null;
-	$type = isset($_REQUEST['type']) ? (int)$_REQUEST['type'] : null;
-	$where = isset($_REQUEST['where']) ? (int)$_REQUEST['where'] : null;
+	$id = $_POST['id'] ?? null;
+	$body = isset($_POST['body']) ? stripslashes($_POST['body']) : null;
+	$create_date = isset($_POST['createdate']) ? (int)strtotime($_POST['createdate'] ): null;
+	$player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : null;
+	$type = isset($_POST['type']) ? (int)$_POST['type'] : null;
+	$where = isset($_POST['where']) ? (int)$_POST['where'] : null;
 
 	$errors = array();
 
@@ -46,12 +45,13 @@
 			$body = '';
 			$type = $where = $player_id = $create_date = 0;
 
-			success("Added successful.");
+			success('Added successful.');
 		}
 	}
 	else if($action == 'delete') {
-		Changelog::delete($id, $errors);
-		success("Deleted successful.");
+		if (Changelog::delete($id, $errors)) {
+			success('Deleted successful.');
+		}
 	}
 	else if($action == 'edit')
 	{
@@ -68,13 +68,14 @@
 				$action = $body = '';
 				$type = $where = $player_id = $create_date = 0;
 
-				success("Updated successful.");
+				success('Updated successful.');
 			}
 		}
 	}
 	else if($action == 'hide') {
-		Changelog::toggleHidden($id, $errors, $status);
-		success(($status == 1 ? 'Show' : 'Hide') . " successful.");
+		if (Changelog::toggleHidden($id, $errors, $status)) {
+			success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
+		}
 	}
 
 	if(!empty($errors))
@@ -113,7 +114,7 @@
 	$account_players->orderBy('group_id', POT::ORDER_DESC);
 	$twig->display('admin.changelog.form.html.twig', array(
 		'action' => $action,
-		'cl_link_form' => constant('ADMIN_URL').'?p=changelog&action=' . ($action == 'edit' ? 'edit' : 'new'),
+		'cl_link_form' => constant('ADMIN_URL').'?p=changelog',
 		'cl_id' => $id ?? null,
 		'body' => isset($body) ? escapeHtml($body) : '',
 		'create_date' => $create_date ?? '',
@@ -128,15 +129,3 @@
 $twig->display('admin.changelog.html.twig', array(
 	'changelogs' => $changelogs,
 ));
-
-?>
-<script>
-	$(document).ready(function () {
-		$('#createdate').datetimepicker({format: "M d Y, H:i:s",});
-
-		$('.tb_datatable').DataTable({
-			"order": [[0, "desc"]],
-			"columnDefs": [{targets: [1, 2,4,5],orderable: false}]
-		});
-	});
-</script>
diff --git a/admin/pages/dashboard.php b/admin/pages/dashboard.php
index e24b98ad22..734304565e 100644
--- a/admin/pages/dashboard.php
+++ b/admin/pages/dashboard.php
@@ -10,7 +10,9 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Dashboard';
 
-if (isset($_GET['clear_cache'])) {
+csrfProtect();
+
+if (isset($_POST['clear_cache'])) {
 	if (clearCache()) {
 		success('Cache cleared.');
 	} else {
@@ -18,7 +20,7 @@
 	}
 }
 
-if (isset($_GET['maintenance'])) {
+if (isset($_POST['maintenance'])) {
 	$message = (!empty($_POST['message']) ? $_POST['message'] : null);
 	$_status = (isset($_POST['status']) && $_POST['status'] == 'true');
 	$_status = ($_status ? '0' : '1');
diff --git a/admin/pages/login.php b/admin/pages/login.php
index 8bb25f3624..eb6466d312 100644
--- a/admin/pages/login.php
+++ b/admin/pages/login.php
@@ -10,6 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Login';
 
+csrfProtect();
+
 require PAGES . 'account/login.php';
 if ($logged) {
 	header('Location: ' . (admin() ? ADMIN_URL : BASE_URL));
diff --git a/admin/pages/mailer.php b/admin/pages/mailer.php
index 732b74615f..d9cf8888b2 100644
--- a/admin/pages/mailer.php
+++ b/admin/pages/mailer.php
@@ -10,6 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Mailer';
 
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_MAILER) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
@@ -20,7 +22,7 @@
 	return;
 }
 
-$mail_to = isset($_REQUEST['mail_to']) ? stripslashes(trim($_REQUEST['mail_to'])) : null;
+$mail_to = isset($_POST['mail_to']) ? stripslashes(trim($_POST['mail_to'])) : null;
 $mail_subject = isset($_POST['mail_subject']) ? stripslashes($_POST['mail_subject']) : null;
 $mail_content = isset($_POST['mail_content']) ? stripslashes($_POST['mail_content']) : null;
 
diff --git a/admin/pages/mass_account.php b/admin/pages/mass_account.php
index 63bec54cf4..549310a54c 100644
--- a/admin/pages/mass_account.php
+++ b/admin/pages/mass_account.php
@@ -16,6 +16,8 @@
 
 $title = 'Mass Account Actions';
 
+csrfProtect();
+
 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
 $hasPointsColumn = $db->hasColumn('accounts', 'premium_points');
 $freePremium = $config['lua']['freePremium'];
diff --git a/admin/pages/mass_teleport.php b/admin/pages/mass_teleport.php
index 5027fa1cd6..f2a7ee27e7 100644
--- a/admin/pages/mass_teleport.php
+++ b/admin/pages/mass_teleport.php
@@ -16,6 +16,8 @@
 
 $title = 'Mass Teleport Actions';
 
+csrfProtect();
+
 function admin_teleport_position($x, $y, $z) {
 	if (!Player::query()->update([
 		'posx' => $x, 'posy' => $y, 'posz' => $z
diff --git a/admin/pages/menus.php b/admin/pages/menus.php
index a0b492dfe4..4a908eb513 100644
--- a/admin/pages/menus.php
+++ b/admin/pages/menus.php
@@ -13,19 +13,21 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Menus';
 
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_MENUS) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
 }
 
-if (isset($_REQUEST['template'])) {
-	$template = $_REQUEST['template'];
+if (isset($_POST['template'])) {
+	$template = $_POST['template'];
 
-	if (isset($_REQUEST['menu'])) {
-		$post_menu = $_REQUEST['menu'];
-		$post_menu_link = $_REQUEST['menu_link'];
-		$post_menu_blank = $_REQUEST['menu_blank'];
-		$post_menu_color = $_REQUEST['menu_color'];
+	if (isset($_POST['menu'])) {
+		$post_menu = $_POST['menu'];
+		$post_menu_link = $_POST['menu_link'];
+		$post_menu_blank = $_POST['menu_blank'];
+		$post_menu_color = $_POST['menu_color'];
 		if (count($post_menu) != count($post_menu_link)) {
 			echo 'Menu count is not equal menu links. Something went wrong when sending form.';
 			return;
@@ -69,9 +71,10 @@
 		return;
 	}
 
-	if (isset($_REQUEST['reset_colors'])) {
+	if (isset($_GET['reset_colors'])) {
 		if (isset($config['menu_default_color'])) {
 			Menu::where('template', $template)->update(['color' => str_replace('#', '', $config['menu_default_color'])]);
+			success('Colors has been reset.');
 		}
 		else {
 			warning('There is no default color defined, cannot reset colors.');
@@ -93,6 +96,7 @@
 		</p>
 		<?php if (isset($config['menu_default_color'])) {?>
 		<form method="post" action="?p=menus&reset_colors" onsubmit="return confirm('Do you really want to reset colors?');">
+			<?php csrf(); ?>
 			<input type="hidden" name="template" value="<?php echo $template ?>"/>
 			<button type="submit" class="btn btn-danger">Reset Colors to default</button>
 		</form>
@@ -112,6 +116,7 @@
 	$last_id = array();
 	?>
 	<form method="post" id="menus-form" action="?p=menus">
+		<?php csrf(); ?>
 		<input type="hidden" name="template" value="<?php echo $template ?>"/>
 		<button type="submit" class="btn btn-info">Save</button><br/><br/>
 		<div class="row">
diff --git a/admin/pages/modules/templates/web_status.twig b/admin/pages/modules/templates/web_status.twig
index 2b0ec1e825..5b111a471d 100644
--- a/admin/pages/modules/templates/web_status.twig
+++ b/admin/pages/modules/templates/web_status.twig
@@ -1,28 +1,32 @@
 <div class="col-12 col-md-6">
 	<div class="card card-warning card-outline">
-		<form action="?p=dashboard&maintenance" method="post" class="form-horizontal">
-			<div class="card-header">
-				<span class="m-0">Website Status<span class="float-right">
-				<div class="custom-control custom-switch custom-switch-off-danger custom-switch-on-success">
-					<input type="checkbox" class="custom-control-input" name="status" id="status" value="true" {% if not is_closed %} checked{% endif %}>
-					<label id="status-label" class="custom-control-label" for="status"> {% if is_closed %}Closed{% else %}Open{% endif %}</label>
-				</div></span>
-				</span>
+		<div class="card-header">
+			<span class="m-0">Website Status<span class="float-right">
+			<div class="custom-control custom-switch custom-switch-off-danger custom-switch-on-success">
+				<input form="maintenance-form" type="checkbox" class="custom-control-input" name="status" id="status" value="true" {% if not is_closed %} checked{% endif %}>
+				<label id="status-label" class="custom-control-label" for="status"> {% if is_closed %}Closed{% else %}Open{% endif %}</label>
+			</div></span>
+			</span>
+		</div>
+		<div class="card-body p-2">
+			<div class="col-sm-12">
+				<label for="message" class="col-form-label">Maintenance Message</label>
+				<textarea form="maintenance-form" name="message" class="form-control" cols="40" rows="3" maxlength="255" placeholder="Enter ...">{{ closed_message }}</textarea>
+				<small>(only visible if closed)</small>
 			</div>
-			<div class="card-body p-2">
-				<div class="col-sm-12">
-					<label for="message" class="col-form-label">Maintenance Message</label>
-					<textarea name="message" class="form-control" cols="40" rows="3" maxlength="255" placeholder="Enter ...">{{ closed_message }}</textarea>
-					<small>(only visible if closed)</small>
-				</div>
-			</div>
-			<div class="card-footer">
+		</div>
+		<div class="card-footer">
+			<form id="maintenance-form" method="post" action="?p=dashboard" class="float-left">
+				{{ csrf() }}
+				<input type="hidden" name="maintenance" value="1" />
 				<button type="submit" class="btn btn-info"><i class="far fa-update"></i> Update</button>
-				<a href="?p=dashboard&clear_cache" onclick="return confirm('Are you sure?');" class="float-right">
-					<span class="btn btn-danger"><i class="fas fa-clear"></i>Clear cache</span>
-				</a>
-			</div>
-		</form>
+			</form>
+			<form method="post" action="?p=dashboard" class="float-right">
+				{{ csrf() }}
+				<input type="hidden" name="clear_cache" value="1" />
+				<button type="submit" onclick="return confirm('Are you sure that you want to clear cache?');" class="btn btn-danger" title="Clear Cache"><i class="fas fa-clear"></i>Clear cache</button>
+			</form>
+		</div>
 	</div>
 </div>
 
diff --git a/admin/pages/news.php b/admin/pages/news.php
index 81153e4f75..a7c739c5cd 100644
--- a/admin/pages/news.php
+++ b/admin/pages/news.php
@@ -9,12 +9,15 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
-require_once LIBS . 'forum.php';
-require_once LIBS . 'news.php';
-
 $title = 'News Panel';
+
+csrfProtect();
+
 $use_datatable = true;
 
+require_once LIBS . 'forum.php';
+require_once LIBS . 'news.php';
+
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
@@ -31,17 +34,17 @@
 $name = $p_title = '';
 if(!empty($action))
 {
-	$id = isset($_REQUEST['id']) ? $_REQUEST['id'] : null;
-	$p_title = isset($_REQUEST['title']) ? $_REQUEST['title'] : null;
-	$body = isset($_REQUEST['body']) ? stripslashes($_REQUEST['body']) : null;
-	$comments = isset($_REQUEST['comments']) ? $_REQUEST['comments'] : null;
-	$type = isset($_REQUEST['type']) ? (int)$_REQUEST['type'] : null;
-	$category = isset($_REQUEST['category']) ? (int)$_REQUEST['category'] : null;
-	$player_id = isset($_REQUEST['player_id']) ? (int)$_REQUEST['player_id'] : null;
-	$article_text = isset($_REQUEST['article_text']) ? $_REQUEST['article_text'] : null;
-	$article_image = isset($_REQUEST['article_image']) ? $_REQUEST['article_image'] : null;
-	$forum_section = isset($_REQUEST['forum_section']) ? $_REQUEST['forum_section'] : null;
-	$errors = array();
+	$id = $_POST['id'] ?? null;
+	$p_title = $_POST['title'] ?? null;
+	$body = isset($_POST['body']) ? stripslashes($_POST['body']) : null;
+	$comments = $_POST['comments'] ?? null;
+	$type = isset($_REQUEST['type']) ? (int)$_REQUEST['type'] : 1;
+	$category = isset($_POST['category']) ? (int)$_POST['category'] : null;
+	$player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : null;
+	$article_text = $_POST['article_text'] ?? null;
+	$article_image = $_POST['article_image'] ?? null;
+	$forum_section = $_POST['forum_section'] ?? null;
+	$errors = [];
 
 	if($action == 'new') {
 		if(isset($forum_section) && $forum_section != '-1') {
@@ -88,8 +91,9 @@
 		}
 	}
 	else if($action == 'hide') {
-		News::toggleHidden($id, $errors, $status);
-		success(($status == 1 ? 'Show' : 'Hide') . " successful.");
+		if (News::toggleHidden($id, $errors, $status)) {
+			success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
+		}
 	}
 
 	if(!empty($errors))
@@ -115,12 +119,10 @@
 	$account_players->orderBy('group_id', POT::ORDER_DESC);
 	$twig->display('admin.news.form.html.twig', array(
 		'action' => $action,
-		'news_link' => getLink(PAGE),
-		'news_link_form' => '?p=news&action=' . ($action == 'edit' ? 'edit' : 'new'),
 		'news_id' => $id ?? null,
 		'title' => $p_title ?? '',
 		'body' => isset($body) ? escapeHtml($body) : '',
-		'type' => $type ?? null,
+		'type' => $type,
 		'player' => isset($player) && $player->isLoaded() ? $player : null,
 		'player_id' => $player_id ?? null,
 		'account_players' => $account_players,
diff --git a/admin/pages/notepad.php b/admin/pages/notepad.php
index c18d837e20..d6c6358b69 100644
--- a/admin/pages/notepad.php
+++ b/admin/pages/notepad.php
@@ -13,6 +13,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Notepad';
 
+csrfProtect();
+
 /**
  * @var $account_logged OTS_Account
  */
diff --git a/admin/pages/pages.php b/admin/pages/pages.php
index 6be569f321..0a4f4ade8b 100644
--- a/admin/pages/pages.php
+++ b/admin/pages/pages.php
@@ -9,11 +9,14 @@
  */
 
 use MyAAC\Models\Pages as ModelsPages;
+use MyAAC\Admin\Pages;
 
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Pages';
 $use_datatable = true;
 
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
@@ -29,31 +32,36 @@
 $access = 0;
 
 // some constants, used mainly by database (cannot by modified without schema changes)
-define('PAGE_TITLE_LIMIT', 30);
-define('PAGE_NAME_LIMIT', 30);
-define('PAGE_BODY_LIMIT', 65535); // maximum page body length
+const PAGE_TITLE_LIMIT = 30;
+const PAGE_NAME_LIMIT = 30;
+const PAGE_BODY_LIMIT = 65535; // maximum page body length
 
 if (!empty($action)) {
-	if ($action == 'delete' || $action == 'edit' || $action == 'hide')
-		$id = $_REQUEST['id'];
-
-	if (isset($_REQUEST['name']))
-		$name = $_REQUEST['name'];
-
-	if (isset($_REQUEST['title']))
-		$p_title = $_REQUEST['title'];
-
-	$php = isset($_REQUEST['php']) && $_REQUEST['php'] == 1;
-	$enable_tinymce = isset($_REQUEST['enable_tinymce']) && $_REQUEST['enable_tinymce'] == 1;
-	if ($php)
-		$body = $_REQUEST['body'];
-	else if (isset($_REQUEST['body'])) {
-		//$body = $_REQUEST['body'];
-		$body = html_entity_decode(stripslashes($_REQUEST['body']));
+	if ($action == 'delete' || $action == 'edit' || $action == 'hide') {
+		$id = $_POST['id'];
+	}
+
+	if (isset($_POST['name'])) {
+		$name = $_POST['name'];
 	}
 
-	if (isset($_REQUEST['access']))
-		$access = $_REQUEST['access'];
+	if (isset($_POST['title'])) {
+		$p_title = $_POST['title'];
+	}
+
+	$php = isset($_POST['php']) && $_POST['php'] == 1;
+	$enable_tinymce = isset($_POST['enable_tinymce']) && $_POST['enable_tinymce'] == 1;
+	if ($php) {
+		$body = $_POST['body'];
+	}
+	else if (isset($_POST['body'])) {
+		//$body = $_POST['body'];
+		$body = html_entity_decode(stripslashes($_POST['body']));
+	}
+
+	if (isset($_POST['access'])) {
+		$access = $_POST['access'];
+	}
 
 	$errors = array();
 	$player_id = 1;
@@ -70,7 +78,7 @@
 		if (Pages::delete($id, $errors))
 			success('Page with id ' . $id . ' has been deleted');
 	} else if ($action == 'edit') {
-		if (isset($id) && !isset($_REQUEST['name'])) {
+		if (isset($id) && !isset($_POST['name'])) {
 			$_page = Pages::get($id);
 			$name = $_page['name'];
 			$p_title = $_page['title'];
@@ -89,8 +97,9 @@
 			}
 		}
 	} else if ($action == 'hide') {
-		Pages::toggleHidden($id, $errors, $status);
-		success(($status == 1 ? 'Show' : 'Hide') . ' successful.');
+		if (Pages::toggleHidden($id, $errors, $status)) {
+			success(($status == 0 ? 'Show' : 'Hide') . ' successful.');
+		}
 	}
 
 	if (!empty($errors))
@@ -107,7 +116,7 @@
 	];
 })->toArray();
 
-$twig->display('admin.pages.form.html.twig', array(
+$twig->display('admin.pages.form.html.twig', [
 	'action' => $action,
 	'id' => $action == 'edit' ? $id : null,
 	'name' => $name,
@@ -117,136 +126,8 @@
 	'body' => isset($body) ? escapeHtml($body) : '',
 	'groups' => $groups->getGroups(),
 	'access' => $access
-));
+]);
 
-$twig->display('admin.pages.html.twig', array(
+$twig->display('admin.pages.html.twig', [
 	'pages' => $pages
-));
-
-class Pages
-{
-	static public function verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
-	{
-		if(!isset($title[0]) || !isset($body[0])) {
-			$errors[] = 'Please fill all inputs.';
-			return false;
-		}
-		if(strlen($name) > PAGE_NAME_LIMIT) {
-			$errors[] = 'Page name cannot be longer than ' . PAGE_NAME_LIMIT . ' characters.';
-			return false;
-		}
-		if(strlen($title) > PAGE_TITLE_LIMIT) {
-			$errors[] = 'Page title cannot be longer than ' . PAGE_TITLE_LIMIT . ' characters.';
-			return false;
-		}
-		if(strlen($body) > PAGE_BODY_LIMIT) {
-			$errors[] = 'Page content cannot be longer than ' . PAGE_BODY_LIMIT . ' characters.';
-			return false;
-		}
-		if(!isset($player_id) || $player_id == 0) {
-			$errors[] = 'Player ID is wrong.';
-			return false;
-		}
-		if(!isset($php) || ($php != 0 && $php != 1)) {
-			$errors[] = 'Enable PHP is wrong.';
-			return false;
-		}
-		if ($php == 1 && !getBoolean(setting('core.admin_pages_php_enable'))) {
-			$errors[] = 'PHP pages disabled on this server. To enable go to Settings in Admin Panel and enable <strong>Enable PHP Pages</strong>.';
-			return false;
-		}
-		if(!isset($enable_tinymce) || ($enable_tinymce != 0 && $enable_tinymce != 1)) {
-			$errors[] = 'Enable TinyMCE is wrong.';
-			return false;
-		}
-		if(!isset($access) || $access < 0 || $access > PHP_INT_MAX) {
-			$errors[] = 'Access is wrong.';
-			return false;
-		}
-
-		return true;
-	}
-
-	static public function get($id)
-	{
-		$row = ModelsPages::find($id);
-		if ($row) {
-			return $row->toArray();
-		}
-
-		return false;
-	}
-
-	static public function add($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
-	{
-		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
-			return false;
-		}
-
-		if (!ModelsPages::where('name', $name)->exists())
-			ModelsPages::create([
-				'name' => $name,
-				'title' => $title,
-				'body' => $body,
-				'player_id' => $player_id,
-				'php' => $php ? '1' : '0',
-				'enable_tinymce' => $enable_tinymce ? '1' : '0',
-				'access' => $access
-			]);
-		else
-			$errors[] = 'Page with this link already exists.';
-
-		return !count($errors);
-	}
-
-	static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
-	{
-		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
-			return false;
-		}
-
-		ModelsPages::where('id', $id)->update([
-			'name' => $name,
-			'title' => $title,
-			'body' => $body,
-			'player_id' => $player_id,
-			'php' => $php ? '1' : '0',
-			'enable_tinymce' => $enable_tinymce ? '1' : '0',
-			'access' => $access
-		]);
-		return true;
-	}
-
-	static public function delete($id, &$errors)
-	{
-		if (isset($id)) {
-			$row = ModelsPages::find($id);
-			if ($row) {
-				$row->delete();
-			}
-			else
-				$errors[] = 'Page with id ' . $id . ' does not exists.';
-		} else
-			$errors[] = 'id not set';
-
-		return !count($errors);
-	}
-
-	static public function toggleHidden($id, &$errors, &$status)
-	{
-		if (isset($id)) {
-			$row = ModelsPages::find($id);
-			if ($row) {
-				$row->hidden = $row->hidden == 1 ? 0 : 1;
-				$row->save();
-				$status = $row->hidden;
-			}
-			else {
-				$errors[] = 'Page with id ' . $id . ' does not exists.';
-			}
-		} else
-			$errors[] = 'id not set';
-
-		return !count($errors);
-	}
-}
+]);
diff --git a/admin/pages/players.php b/admin/pages/players.php
index eaa06494fe..ff0e32c84a 100644
--- a/admin/pages/players.php
+++ b/admin/pages/players.php
@@ -13,6 +13,9 @@
 defined('MYAAC') or die('Direct access not allowed!');
 
 $title = 'Player editor';
+
+csrfProtect();
+
 $player_base = ADMIN_URL . '?p=players';
 
 $use_datatable = true;
@@ -75,7 +78,7 @@
 		$player = new OTS_Player();
 		$player->load($id);
 
-		if (isset($player) && $player->isLoaded() && isset($_POST['save'])) {// we want to save
+		if ($player->isLoaded() && isset($_POST['save'])) {// we want to save
 			$error = false;
 
 			if ($player->isOnline())
@@ -373,6 +376,7 @@
 					</ul>
 				</div>
 				<form action="<?php echo $player_base . ((isset($id) && $id > 0) ? '&id=' . $id : ''); ?>" method="post">
+					<?php csrf(); ?>
 					<div class="card-body">
 						<div class="tab-content" id="tabs-tabContent">
 							<div class="tab-pane fade active show" id="tabs-home">
@@ -870,6 +874,7 @@ function updateOutfit() {
 			<div class="card-body row">
 				<div class="col-6 col-lg-12">
 					<form action="<?php echo $player_base; ?>" method="post">
+						<?php csrf(); ?>
 						<label for="search">Player Name:</label>
 						<div class="input-group input-group-sm">
 							<input type="text" class="form-control" id="search" name="search" value="<?= escapeHtml($search_player); ?>" maxlength="32" size="32">
@@ -879,6 +884,7 @@ function updateOutfit() {
 				</div>
 				<div class="col-6 col-lg-12">
 					<form action="<?php echo $player_base; ?>" method="post">
+						<?php csrf(); ?>
 						<label for="id">Player ID:</label>
 						<div class="input-group input-group-sm">
 							<input type="text" class="form-control" id="id" name="id" value="<?= $id; ?>" maxlength="32" size="32">
diff --git a/admin/pages/plugins.php b/admin/pages/plugins.php
index be9df2b0d7..6eb0862efe 100644
--- a/admin/pages/plugins.php
+++ b/admin/pages/plugins.php
@@ -9,6 +9,9 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Plugin manager';
+
+csrfProtect();
+
 $use_datatable = true;
 
 require_once LIBS . 'plugins.php';
@@ -19,23 +22,23 @@
 else {
 	$twig->display('admin.plugins.form.html.twig');
 
-	if (isset($_REQUEST['uninstall'])) {
-		$uninstall = $_REQUEST['uninstall'];
+	if (isset($_POST['uninstall'])) {
+		$uninstall = $_POST['uninstall'];
 
 		if (Plugins::uninstall($uninstall)) {
 			success('Successfully uninstalled plugin ' . $uninstall);
 		} else {
 			error('Error while uninstalling plugin ' . $uninstall . ': ' . Plugins::getError());
 		}
-	} else if (isset($_REQUEST['enable'])) {
-		$enable = $_REQUEST['enable'];
+	} else if (isset($_POST['enable'])) {
+		$enable = $_POST['enable'];
 		if (Plugins::enable($enable)) {
 			success('Successfully enabled plugin ' . $enable);
 		} else {
 			error('Error while enabling plugin ' . $enable . ': ' . Plugins::getError());
 		}
-	} else if (isset($_REQUEST['disable'])) {
-		$disable = $_REQUEST['disable'];
+	} else if (isset($_POST['disable'])) {
+		$disable = $_POST['disable'];
 		if (Plugins::disable($disable)) {
 			success('Successfully disabled plugin ' . $disable);
 		} else {
@@ -116,7 +119,7 @@
 	if (!$plugin_info) {
 		warning('Cannot load plugin info ' . $plugin . '.json');
 	} else {
-		$disabled = (strpos($plugin, 'disabled.') !== false);
+		$disabled = (str_contains($plugin, 'disabled.'));
 		$pluginOriginal = ($disabled ? str_replace('disabled.', '', $plugin) : $plugin);
 		$plugins[] = array(
 			'name' => $plugin_info['name'] ?? '',
diff --git a/admin/tools/settings_save.php b/admin/tools/settings_save.php
index 2fdd5fc490..500c83bb7f 100644
--- a/admin/tools/settings_save.php
+++ b/admin/tools/settings_save.php
@@ -16,6 +16,8 @@
 	die('Access denied.');
 }
 
+csrfProtect();
+
 if (!isset($_REQUEST['plugin'])) {
 	http_response_code(500);
 	die('Please enter plugin name.');
diff --git a/common.php b/common.php
index 8684cc4b2e..229a8c0803 100644
--- a/common.php
+++ b/common.php
@@ -108,6 +108,13 @@
 const TFS_LAST = TFS_03;
 
 // other definitions
+const MAIL_MAIL = 0;
+const MAIL_SMTP = 1;
+
+const SMTP_SECURITY_NONE = 0;
+const SMTP_SECURITY_SSL = 1;
+const SMTP_SECURITY_TLS = 2;
+
 const ACCOUNT_NUMBER_LENGTH = 8;
 
 if (!IS_CLI) {
diff --git a/system/functions.php b/system/functions.php
index b4e21bb6dd..13faf3d658 100644
--- a/system/functions.php
+++ b/system/functions.php
@@ -9,6 +9,7 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
+use MyAAC\CsrfToken;
 use MyAAC\Models\Config;
 use MyAAC\Models\Guild;
 use MyAAC\Models\House;
@@ -43,7 +44,10 @@ function warning($message, $return = false) {
 	return message($message, 'warning', $return);
 }
 function note($message, $return = false) {
-	return message($message, 'note', $return);
+	return info($message, $return);
+}
+function info($message, $return = false) {
+	return message($message, 'info', $return);
 }
 function error($message, $return = false) {
 	return message($message, ((defined('MYAAC_INSTALL') || defined('MYAAC_ADMIN')) ? 'danger' : 'error'), $return);
@@ -855,9 +859,6 @@ function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
 	else
 		$tmp_body = $body . '<br/><br/>' . $signature_html;
 
-	define('MAIL_MAIL', 0);
-	define('MAIL_SMTP', 1);
-
 	$mailOption = setting('core.mail_option');
 	if($mailOption == MAIL_SMTP)
 	{
@@ -868,10 +869,6 @@ function _mail($to, $subject, $body, $altBody = '', $add_html_tags = true)
 		$mailer->Username = setting('core.smtp_user');
 		$mailer->Password = setting('core.smtp_pass');
 
-		define('SMTP_SECURITY_NONE', 0);
-		define('SMTP_SECURITY_SSL', 1);
-		define('SMTP_SECURITY_TLS', 2);
-
 		$security = setting('core.smtp_security');
 
 		$tmp = '';
@@ -1045,6 +1042,28 @@ function unsetSession($key) {
 	unset($_SESSION[setting('core.session_prefix') . $key]);
 }
 
+function csrf(): void {
+	CsrfToken::create();
+}
+
+function csrfToken(): string {
+	return CsrfToken::get();
+}
+
+function isValidToken(): bool {
+	$token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
+	return ($_SERVER['REQUEST_METHOD'] !== 'POST' || (isset($token) && CsrfToken::isValid($token)));
+}
+
+function csrfProtect(): void
+{
+	if (!isValidToken()) {
+		$lastUri = BASE_URL . str_replace_first('/', '', getSession('last_uri'));
+		echo 'Request has been cancelled due to security reasons - token is invalid. Go <a href="' . $lastUri . '">back</a>';
+		exit();
+	}
+}
+
 function getTopPlayers($limit = 5) {
 	global $db;
 
diff --git a/system/init.php b/system/init.php
index 3d8ded4271..672e583ed5 100644
--- a/system/init.php
+++ b/system/init.php
@@ -7,6 +7,9 @@
  * @copyright 2019 MyAAC
  * @link      https://my-aac.org
  */
+
+use MyAAC\CsrfToken;
+
 defined('MYAAC') or die('Direct access not allowed!');
 
 if(!isset($config['installed']) || !$config['installed']) {
@@ -137,6 +140,12 @@
 $settings = Settings::getInstance();
 $settings->load();
 
+// csrf protection
+$token = getSession('csrf_token');
+if (!isset($token) || !$token) {
+	CsrfToken::generate();
+}
+
 // deprecated config values
 require_once SYSTEM . 'compat/config.php';
 
diff --git a/system/libs/changelog.php b/system/libs/changelog.php
index e612aa5b79..f6d2011b30 100644
--- a/system/libs/changelog.php
+++ b/system/libs/changelog.php
@@ -95,6 +95,7 @@ static public function toggleHidden($id, &$errors, &$status)
 				if (!$row->save()) {
 					$errors[] = 'Fail during toggle hidden Changelog.';
 				}
+				$status = $row->hidden;
 			} else {
 				$errors[] = 'Changelog with id ' . $id . ' does not exists.';
 			}
diff --git a/system/logout.php b/system/logout.php
index af443aa360..4f653ecbe5 100644
--- a/system/logout.php
+++ b/system/logout.php
@@ -7,6 +7,9 @@
  * @copyright 2019 MyAAC
  * @link      https://my-aac.org
  */
+
+use MyAAC\CsrfToken;
+
 defined('MYAAC') or die('Direct access not allowed!');
 
 if(isset($account_logged) && $account_logged->isLoaded()) {
@@ -15,6 +18,8 @@
 		unsetSession('password');
 		unsetSession('remember_me');
 
+		CsrfToken::generate();
+
 		$logged = false;
 		unset($account_logged);
 
diff --git a/system/pages/account/change_email.php b/system/pages/account/change_email.php
index 4168131c52..90f5b54d8f 100644
--- a/system/pages/account/change_email.php
+++ b/system/pages/account/change_email.php
@@ -92,18 +92,22 @@
 	<tr>
 		<td width="30">&nbsp;</td>
 		<td align=left>
-			<form action="' . getLink('account/email') . '" method="post"><input type="hidden" name="changeemailsave" value=1 >
+			<form action="' . getLink('account/email') . '" method="post">
+				' . csrf() . '
+				<input type="hidden" name="changeemailsave" value=1 >
 				<INPUT TYPE=image NAME="I Agree" SRC="' . $template_path . '/images/global/buttons/sbutton_iagree.gif" BORDER=0 WIDTH=120 HEIGHT=17>
 			</form>
 		</td>
 		<td align=left>
 			<form action="' . getLink('account/email') . '" method="post">
+				' . csrf() . '
 				<input type="hidden" name="emailchangecancel" value=1 >
 				' . $twig->render('buttons.cancel.html.twig') . '
 			</form>
 		</td>
 		<td align=right>
 			<form action="?subtopic=accountmanagement" method="post" >
+				' . csrf() . '
 				' . $twig->render('buttons.back.html.twig') . '
 			</form>
 		</td>
@@ -125,6 +129,7 @@
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0" >
 				<form action="' .getLink('account/email') . '" method="post" >
+					' . csrf() . '
 					<tr>
 						<td style="border:0px;" >
 							<input type="hidden" name="emailchangecancel" value="1" >
@@ -137,6 +142,7 @@
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0" >
 				<form action="' . getLink('account/manage') . '" method="post" >
+					' . csrf() . '
 					<tr>
 						<td style="border:0px;" >
 							' . $twig->render('buttons.back.html.twig') . '
diff --git a/system/pages/faq.php b/system/pages/faq.php
index f99a9fa8e2..1c7f5a294b 100644
--- a/system/pages/faq.php
+++ b/system/pages/faq.php
@@ -153,7 +153,9 @@ static public function toggleHidden($id, &$errors)
 			$row = ModelsFAQ::find($id);
 			if ($row) {
 				$row->hidden = ($row->hidden == 1 ? 0 : 1);
-				$row->save();
+				if (!$row->save()) {
+					$errors[] = 'Fail during toggle hidden FAQ.';
+				}
 			} else {
 				$errors[] = 'FAQ with id ' . $id . ' does not exists.';
 			}
diff --git a/system/pages/news.php b/system/pages/news.php
index 5f30454f82..521017c9a2 100644
--- a/system/pages/news.php
+++ b/system/pages/news.php
@@ -13,6 +13,7 @@
 require_once LIBS . 'forum.php';
 require_once LIBS . 'news.php';
 
+$canEdit = hasFlag(FLAG_CONTENT_NEWS) || superAdmin();
 if(isset($_GET['archive']))
 {
 	$title = 'News Archive';
@@ -57,9 +58,14 @@
 				}
 			}
 
+			$admin_options = '';
+			if($canEdit) {
+				$admin_options = $twig->render('admin.links.html.twig', ['page' => 'news', 'id' => $news['id'], 'hidden' => $news['hidden']]);
+			}
+
 			$twig->display('news.html.twig', array(
 				'title' => stripslashes($news['title']),
-				'content' => $content_,
+				'content' => $content_ . $admin_options,
 				'date' => $news['date'],
 				'icon' => $categories[$news['category']]['icon_id'],
 				'author' => setting('core.news_author') ? $author : '',
@@ -81,7 +87,7 @@
 	foreach($news_DB as $news)
 	{
 		$newses[] = array(
-			'link' => getLink('news') . '/archive/' . $news['id'],
+			'link' => getLink('news') . '/' . $news['id'],
 			'icon_id' => $categories[$news['category']]['icon_id'],
 			'title' => stripslashes($news['title']),
 			'date' => $news['date']
@@ -99,7 +105,6 @@
 $title = 'Latest News';
 
 $cache = Cache::getInstance();
-$canEdit = hasFlag(FLAG_CONTENT_NEWS) || superAdmin();
 
 $news_cached = false;
 if($cache->enabled())
@@ -180,18 +185,8 @@
 			}
 
 			$admin_options = '';
-			if($canEdit)
-			{
-				$admin_options = '<br/><br/><a target="_blank" rel="noopener noreferrer" href="' . ADMIN_URL . '?p=news&action=edit&id=' . $news['id'] . '" title="Edit">
-					<img src="images/edit.png"/>Edit
-				</a>
-				<a id="delete" target="_blank" rel="noopener noreferrer" href="' . ADMIN_URL . '?p=news&action=delete&id=' . $news['id'] . '" onclick="return confirm(\'Are you sure?\');" title="Delete">
-					<img src="images/del.png"/>Delete
-				</a>
-				<a target="_blank" rel="noopener noreferrer" href="' . ADMIN_URL . '?p=news&action=hide&id=' . $news['id'] . '" title="' . ($news['hidden'] != 1 ? 'Hide' : 'Show') . '">
-					<img src="images/' . ($news['hidden'] != 1 ? 'success' : 'error') . '.png"/>
-					' . ($news['hidden'] != 1 ? 'Hide' : 'Show') . '
-				</a>';
+			if($canEdit) {
+				$admin_options = $twig->render('admin.links.html.twig', ['page' => 'news', 'id' => $news['id'], 'hidden' => $news['hidden']]);
 			}
 
 			$content_ = $news['body'];
diff --git a/system/router.php b/system/router.php
index d45889f959..ca5454ff78 100644
--- a/system/router.php
+++ b/system/router.php
@@ -220,9 +220,8 @@
 					$content .= $tmp_content;
 					if (hasFlag(FLAG_CONTENT_PAGES) || superAdmin()) {
 						$pageInfo = getCustomPageInfo($pageName);
-						$content = $twig->render('admin.pages.links.html.twig', array(
-								'page' => array('id' => $pageInfo !== null ? $pageInfo['id'] : 0, 'hidden' => $pageInfo !== null ? $pageInfo['hidden'] : '0')
-							)) . $content;
+						$content = $twig->render('admin.links.html.twig', ['page' => 'pages', 'id' => $pageInfo !== null ? $pageInfo['id'] : 0, 'hidden' => $pageInfo !== null ? $pageInfo['hidden'] : '0']
+							) . $content;
 					}
 
 					$page = $pageName;
diff --git a/system/routes.php b/system/routes.php
index 53c121a568..3bb2a0dfba 100644
--- a/system/routes.php
+++ b/system/routes.php
@@ -12,6 +12,7 @@
 return [
 	['GET', '', 'news.php'], // empty URL = show news
 	['GET', 'news/archive/{id:int}[/]', 'news/archive.php'],
+	['GET', 'news/{id:int}[/]', 'news/archive.php'],
 
 	// block access to some files
 	['*', 'account/base[/]', '404.php'], // this is to block account/base.php
diff --git a/system/settings.php b/system/settings.php
index 29149e1f28..d95e16d7a3 100644
--- a/system/settings.php
+++ b/system/settings.php
@@ -65,6 +65,12 @@
 			'default' => false,
 			'is_config' => true,
 		],
+		'csrf_protection' => [
+			'name' => 'CSRF protection',
+			'type' => 'boolean',
+			'desc' => 'Its recommended to keep it enabled. Disable only if you know what you are doing.',
+			'default' => true,
+		],
 		'google_analytics_id' => [
 			'name' => 'Google Analytics ID',
 			'type' => 'text',
diff --git a/system/src/Admin/Pages.php b/system/src/Admin/Pages.php
new file mode 100644
index 0000000000..24efec00b0
--- /dev/null
+++ b/system/src/Admin/Pages.php
@@ -0,0 +1,134 @@
+<?php
+namespace MyAAC\Admin;
+
+use MyAAC\Models\Pages as ModelsPages;
+
+class Pages
+{
+	static public function verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+	{
+		if(!isset($title[0]) || !isset($body[0])) {
+			$errors[] = 'Please fill all inputs.';
+			return false;
+		}
+		if(strlen($name) > PAGE_NAME_LIMIT) {
+			$errors[] = 'Page name cannot be longer than ' . PAGE_NAME_LIMIT . ' characters.';
+			return false;
+		}
+		if(strlen($title) > PAGE_TITLE_LIMIT) {
+			$errors[] = 'Page title cannot be longer than ' . PAGE_TITLE_LIMIT . ' characters.';
+			return false;
+		}
+		if(strlen($body) > PAGE_BODY_LIMIT) {
+			$errors[] = 'Page content cannot be longer than ' . PAGE_BODY_LIMIT . ' characters.';
+			return false;
+		}
+		if(!isset($player_id) || $player_id == 0) {
+			$errors[] = 'Player ID is wrong.';
+			return false;
+		}
+		if(!isset($php) || ($php != 0 && $php != 1)) {
+			$errors[] = 'Enable PHP is wrong.';
+			return false;
+		}
+		if ($php == 1 && !getBoolean(setting('core.admin_pages_php_enable'))) {
+			$errors[] = 'PHP pages disabled on this server. To enable go to Settings in Admin Panel and enable <strong>Enable PHP Pages</strong>.';
+			return false;
+		}
+		if(!isset($enable_tinymce) || ($enable_tinymce != 0 && $enable_tinymce != 1)) {
+			$errors[] = 'Enable TinyMCE is wrong.';
+			return false;
+		}
+		if(!isset($access) || $access < 0 || $access > PHP_INT_MAX) {
+			$errors[] = 'Access is wrong.';
+			return false;
+		}
+
+		return true;
+	}
+
+	static public function get($id)
+	{
+		$row = ModelsPages::find($id);
+		if ($row) {
+			return $row->toArray();
+		}
+
+		return false;
+	}
+
+	static public function add($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+	{
+		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+			return false;
+		}
+
+		if (!ModelsPages::where('name', $name)->exists())
+			ModelsPages::create([
+				'name' => $name,
+				'title' => $title,
+				'body' => $body,
+				'player_id' => $player_id,
+				'php' => $php ? '1' : '0',
+				'enable_tinymce' => $enable_tinymce ? '1' : '0',
+				'access' => $access
+			]);
+		else
+			$errors[] = 'Page with this link already exists.';
+
+		return !count($errors);
+	}
+
+	static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+	{
+		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+			return false;
+		}
+
+		ModelsPages::where('id', $id)->update([
+			'name' => $name,
+			'title' => $title,
+			'body' => $body,
+			'player_id' => $player_id,
+			'php' => $php ? '1' : '0',
+			'enable_tinymce' => $enable_tinymce ? '1' : '0',
+			'access' => $access
+		]);
+		return true;
+	}
+
+	static public function delete($id, &$errors)
+	{
+		if (isset($id)) {
+			$row = ModelsPages::find($id);
+			if ($row) {
+				$row->delete();
+			}
+			else
+				$errors[] = 'Page with id ' . $id . ' does not exists.';
+		} else
+			$errors[] = 'id not set';
+
+		return !count($errors);
+	}
+
+	static public function toggleHidden($id, &$errors, &$status)
+	{
+		if (isset($id)) {
+			$row = ModelsPages::find($id);
+			if ($row) {
+				$row->hidden = $row->hidden == 1 ? 0 : 1;
+				if (!$row->save()) {
+					$errors[] = 'Fail during toggle hidden Page.';
+				}
+				$status = $row->hidden;
+			}
+			else {
+				$errors[] = 'Page with id ' . $id . ' does not exists.';
+			}
+		} else
+			$errors[] = 'id not set';
+
+		return !count($errors);
+	}
+}
diff --git a/system/src/CsrfToken.php b/system/src/CsrfToken.php
new file mode 100644
index 0000000000..4a92baf2fc
--- /dev/null
+++ b/system/src/CsrfToken.php
@@ -0,0 +1,95 @@
+<?php
+/**
+ * CsrfToken
+ *
+ * @package   MyAAC
+ * @author    Znote
+ * @author    Slawkens <slawkens@gmail.com>
+ * @copyright 2023 MyAAC
+ * @link      https://my-aac.org
+ */
+
+namespace MyAAC;
+
+class CsrfToken
+{
+	public static function generate(): void
+	{
+		$token = sha1(uniqid(time(), true));
+
+		setSession('csrf_token', $token);
+	}
+
+	/**
+	 * Displays a random token to prevent CSRF attacks.
+	 *
+	 * @access public
+	 * @static true
+	 * @return void
+	 **/
+	public static function create(): void {
+		echo '<input type="hidden" name="csrf_token" value="' . self::get() . '" />';
+	}
+
+	/**
+	 * Returns the active token, if there is one.
+	 *
+	 * @access public
+	 * @static true
+	 * @return mixed
+	 **/
+	public static function get(): mixed
+	{
+		$token = getSession('csrf_token');
+		return $token ?? false;
+	}
+
+	/**
+	 * Validates whether the active token is valid or not.
+	 *
+	 * @param string $post
+	 * @access public
+	 * @static true
+	 * @return boolean
+	 **/
+	public static function isValid($post): bool
+	{
+		if (!setting('core.csrf_protection')) {
+			return true;
+		}
+
+		// Token doesn't exist yet, return false.
+		if (!self::get()) {
+			return false;
+		}
+
+		return ($post == getSession('csrf_token'));
+	}
+
+	/**
+	 * Destroys the active token.
+	 *
+	 * @access protected
+	 * @static true
+	 * @return void
+	 **/
+	protected static function reset(): void {
+		unsetSession('csrf_token');
+	}
+
+	/**
+	 * Displays information on both the post token and the session token.
+	 *
+	 * @param string $post
+	 * @access public
+	 * @static true
+	 * @return void
+	 **/
+	public static function debug($post): void
+	{
+		echo '<pre>', var_export([
+			'post' => $post,
+			'token' => self::get()
+		], true), '</pre>';
+	}
+}
diff --git a/system/templates/account.back_button.html.twig b/system/templates/account.back_button.html.twig
index e4ed688418..e2d784ca93 100644
--- a/system/templates/account.back_button.html.twig
+++ b/system/templates/account.back_button.html.twig
@@ -2,5 +2,6 @@
 	<br/>
 {% endif %}
 <form action="{% if action is not defined %}{{ getLink('account/manage') }}{% else %}{{ action }}{% endif %}" method="post">
+	{{ csrf() }}
 	{{ include('buttons.back.html.twig') }}
 </form>
diff --git a/system/templates/account.change_comment.html.twig b/system/templates/account.change_comment.html.twig
index c69e3f6b0e..6c133d2b05 100644
--- a/system/templates/account.change_comment.html.twig
+++ b/system/templates/account.change_comment.html.twig
@@ -1,6 +1,7 @@
 Here you can see and edit the information about your character.<br/>
 If you do not want to specify a certain field, just leave it blank.<br/><br/>
 <form action="{{ getLink('account/character/comment') }}" method="post">
+	{{ csrf() }}
 	<div class="TableContainer" >
 		<table class="Table5" cellpadding="0" cellspacing="0">
 			<div class="CaptionContainer">
@@ -99,6 +100,7 @@ If you do not want to specify a certain field, just leave it blank.<br/><br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_info.html.twig b/system/templates/account.change_info.html.twig
index fb503e8ec3..067eabc590 100644
--- a/system/templates/account.change_info.html.twig
+++ b/system/templates/account.change_info.html.twig
@@ -1,5 +1,6 @@
 Here you can tell other players about yourself. This information will be displayed alongside the data of your characters. If you do not want to fill in a certain field, just leave it blank.<br/><br/>
-<form action="{{ getLink('account/info') }}" method=post>
+<form action="{{ getLink('account/info') }}" method="post">
+	{{ csrf() }}
 	<div class="TableContainer" >
 		<table class="Table1" cellpadding="0" cellspacing="0" >
 			<div class="CaptionContainer" >
@@ -88,6 +89,7 @@ Here you can tell other players about yourself. This information will be display
 </form>
 				<table border="0" cellspacing="0" cellpadding="0" >
 					<form action="{{ getLink('account/manage') }}" method="post" >
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;" >
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_mail.html.twig b/system/templates/account.change_mail.html.twig
index 35d64854d7..f093fbff96 100644
--- a/system/templates/account.change_mail.html.twig
+++ b/system/templates/account.change_mail.html.twig
@@ -1,5 +1,6 @@
 Please enter your password and the new email address. Make sure that you enter a valid email address which you have access to. <br/><b>For security reasons, the actual change will be finalised after a waiting period of {{ setting('core.account_mail_change') }} days.</b><br/><br/>
 <form action="{{ getLink('account/email') }}" method="post">
+	{{ csrf() }}
 <div class="TableContainer">
 	<table class="Table1" cellpadding="0" cellspacing="0">
 		<div class="CaptionContainer">
@@ -58,6 +59,7 @@ Please enter your password and the new email address. Make sure that you enter a
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0">
 				<form action="{{ getLink('account/manage') }}" method="post">
+					{{ csrf() }}
 					<tr>
 						<td style="border:0px;">
 							{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_name.html.twig b/system/templates/account.change_name.html.twig
index 76c038d4dd..2f38bb6024 100644
--- a/system/templates/account.change_name.html.twig
+++ b/system/templates/account.change_name.html.twig
@@ -1,6 +1,7 @@
 To change a name of character select player and choose a new name.<br/>
 <span style="color: red">Change name cost {{ setting('core.account_change_character_name_price') }} premium points. You have {{ points }} premium points.</span><br/><br/>
 <form action="{{ getLink('account/character/name') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="changenamesave" value="1">
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0">
@@ -64,6 +65,7 @@ To change a name of character select player and choose a new name.<br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_password.html.twig b/system/templates/account.change_password.html.twig
index bb0d782312..89ccf59219 100644
--- a/system/templates/account.change_password.html.twig
+++ b/system/templates/account.change_password.html.twig
@@ -1,6 +1,7 @@
 Please enter your current password and a new password. For your security, please enter the new password twice.<br/>
 <br/>
 <form action="{{ getLink('account/password') }}" method="post">
+	{{ csrf() }}
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0">
 			<div class="CaptionContainer">
@@ -66,6 +67,7 @@ Please enter your current password and a new password. For your security, please
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.change_sex.html.twig b/system/templates/account.change_sex.html.twig
index 24141f61f2..7e7fff321a 100644
--- a/system/templates/account.change_sex.html.twig
+++ b/system/templates/account.change_sex.html.twig
@@ -1,6 +1,7 @@
 To change a sex of character select player and choose a new sex.<br/>
 <span style="color: red">Change sex cost {{ setting('core.account_change_character_sex_price') }} premium points. You have {{ points }} premium points.</span><br/><br/>
 <form action="{{ getLink('account/character/sex') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="changesexsave" value="1"/>
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0">
@@ -64,6 +65,7 @@ To change a sex of character select player and choose a new sex.<br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;" >
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.create.html.twig b/system/templates/account.create.html.twig
index 4563154bd7..7611a0c298 100644
--- a/system/templates/account.create.html.twig
+++ b/system/templates/account.create.html.twig
@@ -1,5 +1,6 @@
 {{ hook('HOOK_ACCOUNT_CREATE_BEFORE_FORM') }}
 <form action="{{ getLink('account/create') }}" method="post" id="createaccount">
+	{{ csrf() }}
 	<div class="TableContainer" >
 		<table class="Table5" cellpadding="0" cellspacing="0" >
 			<div class="CaptionContainer" >
diff --git a/system/templates/account.create_character.html.twig b/system/templates/account.create_character.html.twig
index c116cec2b1..a860a8b12e 100644
--- a/system/templates/account.create_character.html.twig
+++ b/system/templates/account.create_character.html.twig
@@ -7,6 +7,7 @@ In any case the name must not violate the naming conventions stated in the <a hr
 {% endif %}
 <br/><br/>
 <form action="{{ getLink('account/character/create') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="save" value="1">
 	<div class="TableContainer">
 		<table class="Table3" cellpadding="0" cellspacing="0">
@@ -135,6 +136,7 @@ In any case the name must not violate the naming conventions stated in the <a hr
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.delete_character.html.twig b/system/templates/account.delete_character.html.twig
index 4a481f3a11..c5953cc71d 100644
--- a/system/templates/account.delete_character.html.twig
+++ b/system/templates/account.delete_character.html.twig
@@ -1,5 +1,6 @@
 To delete a character enter the name of the character and your password.<br/><br/>
 <form action="{{ getLink('account/character/delete') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="deletecharactersave" value="1"/>
 	<div class="TableContainer">
 		<table class="Table1" cellpadding="0" cellspacing="0" >
@@ -54,6 +55,7 @@ To delete a character enter the name of the character and your password.<br/><br
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
@@ -63,4 +65,4 @@ To delete a character enter the name of the character and your password.<br/><br
 				</table>
 			</td>
 		</tr>
-	</table>
\ No newline at end of file
+	</table>
diff --git a/system/templates/account.generate_new_recovery_key.html.twig b/system/templates/account.generate_new_recovery_key.html.twig
index 6f3e5c509e..9b28cebc52 100644
--- a/system/templates/account.generate_new_recovery_key.html.twig
+++ b/system/templates/account.generate_new_recovery_key.html.twig
@@ -1,6 +1,7 @@
 To generate new recovery key for your account please enter your password.<br/>
 <span style="color: red"><b>New recovery key cost {{ setting('core.account_generate_new_reckey_price') }} Premium Points.</span> You have {{ points }} premium points. You will receive e-mail with this recovery key.</b><br/>
 <form action="{{ getLink('account/register/new') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="registeraccountsave" value="1">
 	<div class="TableContainer" >
 		<table class="Table1" cellpadding="0" cellspacing="0">
@@ -47,6 +48,7 @@ To generate new recovery key for your account please enter your password.<br/>
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/manage') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.back.html.twig') }}
diff --git a/system/templates/account.generate_recovery_key.html.twig b/system/templates/account.generate_recovery_key.html.twig
index c1193edd2d..cb69476c88 100644
--- a/system/templates/account.generate_recovery_key.html.twig
+++ b/system/templates/account.generate_recovery_key.html.twig
@@ -1,5 +1,6 @@
 To generate recovery key for your account please enter your password.<br/><br/>
 <form action="{{ getLink('account/register') }}" method="post">
+	{{ csrf() }}
 <input type="hidden" name="registeraccountsave" value="1"/>
 <div class="TableContainer">
 	<table class="Table1" cellpadding="0" cellspacing="0">
@@ -50,6 +51,7 @@ To generate recovery key for your account please enter your password.<br/><br/>
 		<td>
 			<table border="0" cellspacing="0" cellpadding="0">
 				<form action="{{ getLink('account/manage') }}" method="post">
+					{{ csrf() }}
 					<tr>
 						<td style="border: 0px;">
 							{{ include('buttons.back.html.twig') }}
@@ -59,4 +61,4 @@ To generate recovery key for your account please enter your password.<br/><br/>
 			</table>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/account.login.html.twig b/system/templates/account.login.html.twig
index 2431f1d199..aec1e22206 100644
--- a/system/templates/account.login.html.twig
+++ b/system/templates/account.login.html.twig
@@ -1,6 +1,7 @@
 {{ hook('HOOK_ACCOUNT_LOGIN_BEFORE_PAGE') }}
 Please enter your account {{ account|lower }} and your password.<br/><a href="{{ getLink('account/create') }}">Create an account</a> if you do not have one yet.<br/><br/>
-<form action="{{ getLink('account/manage') }}" method="post" >
+<form action="{{ getLink('account/manage') }}" method="post">
+	{{ csrf() }}
 	{% if redirect is not null %}
 		<input type="hidden" name="redirect" value="{{ redirect }}" />
 	{% endif %}
@@ -66,6 +67,7 @@ Please enter your account {{ account|lower }} and your password.<br/><a href="{{
 			<td>
 				<table border="0" cellspacing="0" cellpadding="0">
 					<form action="{{ getLink('account/lost') }}" method="post">
+						{{ csrf() }}
 						<tr>
 							<td style="border:0px;">
 								{{ include('buttons.account_lost.html.twig') }}
diff --git a/system/templates/account.lost.form.html.twig b/system/templates/account.lost.form.html.twig
index 33456fd05b..9c29ccd851 100644
--- a/system/templates/account.lost.form.html.twig
+++ b/system/templates/account.lost.form.html.twig
@@ -1,5 +1,6 @@
 The Lost Account Interface can help you to get back your account name and password. Please enter your character name and select what you want to do.<br/>
-<form action="?subtopic=lostaccount&action=step1" method=post>
+<form action="?subtopic=lostaccount&action=step1" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="character" value="">
 	<table cellspacing="1" cellpadding="4" border="0" width="100%">
 		<tr>
@@ -32,4 +33,4 @@ The Lost Account Interface can help you to get back your account name and passwo
 			</td>
 		</tr>
 	</table>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/account.management.html.twig b/system/templates/account.management.html.twig
index 95fc097522..a648f28ea9 100644
--- a/system/templates/account.management.html.twig
+++ b/system/templates/account.management.html.twig
@@ -68,6 +68,7 @@
 		<div style="text-align:center">
 			You can register your account for increased protection. Click on "Register Account" and get your free recovery key today!<br/>
 			<form action="{{ getLink('account/register') }}" method="post">
+				{{ csrf() }}
 				{% set button_name = 'Register Account' %}
 				{% include('buttons.base.html.twig') %}
 			</form>
@@ -80,6 +81,7 @@
 				A request has been submitted to change the email address of this account to <b>{{ email_new }}</b>. After <b>{{ email_new_time|date("j F Y, G:i:s") }}</b> you can accept the new email address and finish the process. Please cancel the request if you do not want your email address to be changed! Also cancel the request if you have no access to the new email address!
 
 				<form action="{{ getLink('account/email') }}" method="post">
+					{{ csrf() }}
 					{% set button_name = 'Edit' %}
 					{% include('buttons.base.html.twig') %}
 				</form>
@@ -99,6 +101,7 @@
 				<td style="width: 90px;">Email Address:</td>
 				<td>{{ account_email ~ email_change }}
 					<form action="{{ getLink('account/email') }}" method="post">
+						{{ csrf() }}
 						{% set button_name = 'Change Email' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -137,6 +140,7 @@
 			</tr>
 		</table>
 		<form action="{{ getLink('account/info') }}" method="post">
+			{{ csrf() }}
 			{% set button_name = 'Change Info' %}
 			{% include('buttons.base.html.twig') %}
 		</form>
@@ -188,6 +192,7 @@
 			<tr>
 				<td>
 					<form action="{{ getLink('account/character/create') }}" method="post" >
+						{{ csrf() }}
 						{% set button_name = 'Create Character' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -195,6 +200,7 @@
 				{% if setting('core.account_change_character_name') %}
 				<td>
 					<form action="{{ getLink('account/character/name') }}" method="post" >
+						{{ csrf() }}
 						{% set button_name = 'Change Name' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -203,6 +209,7 @@
 				{% if setting('core.account_change_character_sex') %}
 				<td>
 					<form action="{{ getLink('account/character/sex') }}" method="post" >
+						{{ csrf() }}
 						{% set button_name = 'Change Sex' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
@@ -210,6 +217,7 @@
 				{% endif %}
 				<td>
 					<form action="{{ getLink('account/character/delete') }}" method="post">
+						{{ csrf() }}
 						{% set button_name = 'Delete Character' %}
 						{% include('buttons.base.html.twig') %}
 					</form>
diff --git a/system/templates/admin-bar.html.twig b/system/templates/admin-bar.html.twig
index 0825dd27e4..b14eb84e8d 100644
--- a/system/templates/admin-bar.html.twig
+++ b/system/templates/admin-bar.html.twig
@@ -98,6 +98,7 @@ html { margin-top: 32px !important; }
 			<div class="dropdown-content">
 				<a href="{{ constant('ADMIN_URL') }}?p=news&action=new">News</a>
 				<a href="{{ constant('ADMIN_URL') }}?p=pages&action=new">Page</a>
+				<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=new">Changelog</a>
 			</div>
 		</li>
 		<li>
@@ -106,9 +107,11 @@ html { margin-top: 32px !important; }
 			</a>
 		</li>
 		<li>
-			<a class="ab-item" href="{{ constant('ADMIN_URL') }}?p=dashboard&clear_cache">
-				Clear Cache
-			</a>
+			<form method="post" action="{{ constant('ADMIN_URL') }}?p=dashboard">
+				{{ csrf() }}
+				<input type="hidden" name="clear_cache" value="1" />
+				<a class="ab-item" href="#" onclick="confirm('Are you sure that you want to clear cache?') && $(this).closest('form').submit()" title="Clear Cache">Clear Cache</a>
+			</form>
 		</li>
 	</ul>
 	<ul class="ab-top-secondary">
diff --git a/system/templates/admin.changelog.form.html.twig b/system/templates/admin.changelog.form.html.twig
index 99b90f7a67..f0505644b6 100644
--- a/system/templates/admin.changelog.form.html.twig
+++ b/system/templates/admin.changelog.form.html.twig
@@ -4,6 +4,8 @@
 			<h5 class="m-0">{{ (action == 'edit') ? 'Edit' : 'Add' }}</h5>
 		</div>
 		<form role="form" method="post" action="{{ cl_link_form }}" id="cl-edit-form">
+			{{ csrf() }}
+			<input type="hidden" name="action" value="{{ action }}" />
 			<div class="card-body">
 				{% if action == 'edit' %}
 					<input type="hidden" name="id" value="{{ cl_id }}"/>
diff --git a/system/templates/admin.changelog.html.twig b/system/templates/admin.changelog.html.twig
index 28ee35e47a..7826a0fe55 100644
--- a/system/templates/admin.changelog.html.twig
+++ b/system/templates/admin.changelog.html.twig
@@ -1,8 +1,11 @@
 <div class="card card-info card-outline">
 	<div class="card-header">
 		<h5 class="m-0">News:
-			<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=new" class="float-right"><span
-					class="btn btn-sm btn-success">New</span></a>
+			<form method="post" class="float-right">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="new" />
+				<button type="submit" class="btn btn-sm btn-success">New</button>
+			</form>
 		</h5>
 	</div>
 
@@ -30,15 +33,26 @@
 						<td><img src="{{ constant('BASE_URL') }}images/changelog/{{ log.where }}.png" alt="icon" title="{{ log.where|capitalize }}"/> {{ log.where|capitalize }}</td>
 						<td>
 							<div class="btn-group">
-								<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=edit&id={{ log.id }}" class="btn btn-success btn-sm" title="Edit">
-									<i class="fas fa-pencil-alt"></i>
-								</a>
-								<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=delete&id={{ log.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-									<i class="fas fa-trash"></i>
-								</a>
-								<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=hide&id={{ log.id }}" class="btn btn-{{ (log.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if log.hidden != 1 %}Hide{% else %}Show{% endif %}">
-									<i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i>
-								</a>
+								<form method="post">
+									{{ csrf() }}
+									<input type="hidden" name="action" value="edit" />
+									<input type="hidden" name="id" value="{{ log.id }}" />
+									<button type="submit" class="btn btn-success btn-sm" title="Edit"><i class="fas fa-pencil-alt"></i></button>
+								</form>
+
+								<form method="post">
+									{{ csrf() }}
+									<input type="hidden" name="action" value="delete" />
+									<input type="hidden" name="id" value="{{ log.id }}" />
+									<button type="submit" class="btn btn-danger btn-sm" title="Delete" onclick="return confirm('Are you sure?');"><i class="fas fa-pencil-alt"></i></button>
+								</form>
+
+								<form method="post">
+									{{ csrf() }}
+									<input type="hidden" name="action" value="hide" />
+									<input type="hidden" name="id" value="{{ log.id }}" />
+									<button type="submit" class="btn btn-{{ (log.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if log.hidden != 1 %}Hide{% else %}Show{% endif %}"><i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i></button>
+								</form>
 							</div>
 						</td>
 					</tr>
@@ -53,3 +67,15 @@
 		</table>
 	</div>
 </div>
+<link rel="stylesheet" type="text/css" href="{{ constant('BASE_URL') }}tools/css/jquery.datetimepicker.css"/ >
+<script src="{{ constant('BASE_URL') }}tools/js/jquery.datetimepicker.js"></script>
+<script>
+	$(document).ready(function () {
+		$('#createdate').datetimepicker({format: "M d Y, H:i:s",});
+
+		$('.tb_datatable').DataTable({
+			"order": [[0, "desc"]],
+			"columnDefs": [{targets: [1, 2,4,5],orderable: false}]
+		});
+	});
+</script>
diff --git a/system/templates/admin.links.html.twig b/system/templates/admin.links.html.twig
new file mode 100644
index 0000000000..986133c3b9
--- /dev/null
+++ b/system/templates/admin.links.html.twig
@@ -0,0 +1,22 @@
+<br/><br/>
+
+<form action="{{ constant('ADMIN_URL') }}?p={{ page }}" method="post" style="float: left">
+	{{ csrf() }}
+	<input type="hidden" name="action" value="edit" />
+	<input type="hidden" name="id" value="{{ id }}" />
+	<button type="submit" class="btn btn-success btn-sm" title="Edit"><img src="images/edit.png"/> Edit</button>
+</form>
+
+<form action="{{ constant('ADMIN_URL') }}?p={{ page }}" method="post" style="float: left">
+	{{ csrf() }}
+	<input type="hidden" name="action" value="delete" />
+	<input type="hidden" name="id" value="{{ id }}" />
+	<button type="submit" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete"><img src="images/del.png"/>Delete</button>
+</form>
+
+<form action="{{ constant('ADMIN_URL') }}?p={{ page }}" method="post" style="float: left">
+	{{ csrf() }}
+	<input type="hidden" name="action" value="hide" />
+	<input type="hidden" name="id" value="{{ id }}" />
+	<button type="submit" class="btn btn-{{ (hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if hidden != 1 %}Hide{% else %}Show{% endif %}"><img src="images/{{ hidden != 1 ? 'success' : 'error' }}.png"/>{{ hidden != 1 ? 'Hide' : 'Show' }}</button>
+</form>
diff --git a/system/templates/admin.login.html.twig b/system/templates/admin.login.html.twig
index acbcf04032..afba47e1bc 100644
--- a/system/templates/admin.login.html.twig
+++ b/system/templates/admin.login.html.twig
@@ -19,6 +19,7 @@
 				<p class="login-box-msg">Please login.</p>
 
 				<form method="post" action="{{ constant('ADMIN_URL') }}">
+					{{ csrf() }}
 					<div class="input-group mb-3">
 						<div class="input-group-prepend">
 							<span class="input-group-text"><i class="fa fa-lock"></i></span>
diff --git a/system/templates/admin.mailer.html.twig b/system/templates/admin.mailer.html.twig
index eaf3221364..0b77ccb3df 100644
--- a/system/templates/admin.mailer.html.twig
+++ b/system/templates/admin.mailer.html.twig
@@ -9,6 +9,7 @@
 		<h5 class="m-0">Mailer</h5>
 	</div>
 	<form id="form" method="post">
+		{{ csrf() }}
 		<div class="card-body">
 			<div class="form-group row">
 				<label for="mail_to">To: (enter email, or leave empty to all)</label>
diff --git a/system/templates/admin.menus.form.html.twig b/system/templates/admin.menus.form.html.twig
index da4c126bfe..ae5c4dd1b6 100644
--- a/system/templates/admin.menus.form.html.twig
+++ b/system/templates/admin.menus.form.html.twig
@@ -4,6 +4,7 @@
 	</div>
 	<div class="card-body">
 		<form method="post" action="?p=menus">
+			{{ csrf() }}
 			<p>Please choose template in which you want to edit menu items.</p>
 			<div class="col-md-6">
 				<div class="input-group input-group-sm">
diff --git a/system/templates/admin.news.form.html.twig b/system/templates/admin.news.form.html.twig
index ddad9dd9bd..a0acaf9ed9 100644
--- a/system/templates/admin.news.form.html.twig
+++ b/system/templates/admin.news.form.html.twig
@@ -1,9 +1,11 @@
 {% if action %}
 	<div class="card card-info card-outline">
 		<div class="card-header">
-			<h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} news</h5>
+			<h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} {% if type == constant('NEWS') %}News{% elseif type == constant('TICKER') %}Ticker{% else %}Article{% endif %}</h5>
 		</div>
-		<form id="form" role="form" method="post" action="{{ news_link_form }}">
+		<form id="form" role="form" method="post">
+			{{ csrf() }}
+			<input type="hidden" name="action" value="{{ action == 'edit' ? 'edit' : 'new' }}" />
 			<div class="card-body " id="page-edit-table">
 				{% if action == 'edit' %}
 					<input type="hidden" name="id" value="{{ news_id }}"/>
@@ -22,9 +24,9 @@
 				<div class="form-group row">
 					<label for="select-type">Type</label>
 					<select class="form-control" name="type" id="select-type">
-						<option value="{{ constant('NEWS') }}" {% if type is defined and type == constant('NEWS') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('NEWS') %} disabled{% endif %}>News</option>
-						<option value="{{ constant('TICKER') }}" {% if type is defined and type == constant('TICKER') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('TICKER') %} disabled{% endif %}>Ticker</option>
-						<option value="{{ constant('ARTICLE') }}" {% if type is defined and type == constant('ARTICLE') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('ARTICLE') %} disabled{% endif %}>Article</option>
+						<option value="{{ constant('NEWS') }}" {% if type == constant('NEWS') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('NEWS') %} disabled{% endif %}>News</option>
+						<option value="{{ constant('TICKER') }}" {% if type == constant('TICKER') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('TICKER') %} disabled{% endif %}>Ticker</option>
+						<option value="{{ constant('ARTICLE') }}" {% if type == constant('ARTICLE') %}selected="selected"{% endif %}{% if action == 'edit' and type != constant('ARTICLE') %} disabled{% endif %}>Article</option>
 					</select>
 				</div>
 
@@ -85,7 +87,7 @@
 				</div>
 			</div>
 			<div class="card-footer">
-				<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> Update</button>
+				<button type="submit" class="btn btn-info"><i class="fas fa-update"></i> {{ action == 'edit' ? 'Update' : 'Add' }}</button>
 				<button type="button" onclick="window.location = '{{ constant('ADMIN_URL') }}?p=news';" class="btn btn-danger float-right"><i class="fas fa-cancel"></i> Cancel</button>
 			</div>
 		</form>
diff --git a/system/templates/admin.news.html.twig b/system/templates/admin.news.html.twig
index 0eb16d3f07..c293139875 100644
--- a/system/templates/admin.news.html.twig
+++ b/system/templates/admin.news.html.twig
@@ -1,136 +1,6 @@
-<div class="card card-info card-outline">
-	<div class="card-header">
-		<h5 class="m-0">News:
-			<a href="?p=news&action=new&type=1" class="float-right"><span class="btn btn-sm btn-success">New</span></a>
-		</h5>
-	</div>
-
-	<div class="card-body">
-		<table class="tb_datatable table table-striped table-bordered table-responsive d-md-table">
-			<thead>
-			<tr>
-				<th width="5%">ID</th>
-				<th>Title</th>
-				<th>Date</th>
-				<th>Player</th>
-				<th style="width: 150px;">Options</th>
-			</tr>
-			</thead>
-			<tbody>
-			{% for news in newses[constant('NEWS')] %}
-				<tr>
-					<td>{{ news.id|raw }}</td>
-					<td><i><a href="?p=news&action=edit&id={{ news.id }}">{{ news.title }}</a></i></td>
-					<td>{{ news.date|date(setting('core.news_date_format')) }}</td>
-					<td><a target="_blank" rel="noopener noreferrer" href="{{ news.player_link }}">{{ news.player_name }}</a></td>
-					<td>
-						<div class="btn-group">
-							<a href="?p=news&action=edit&id={{ news.id }}" class="btn btn-success btn-sm" title="Edit">
-								<i class="fas fa-pencil-alt"></i>
-							</a>
-							<a href="?p=news&action=delete&id={{ news.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-								<i class="fas fa-trash"></i>
-							</a>
-							<a href="?p=news&action=hide&id={{ news.id }}" class="btn btn-{{ (news.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if news.hidden != 1 %}Hide{% else %}Show{% endif %}">
-								<i class="fas fa-eye{{ (news.hidden != 1) ? '' : '-slash' }}"></i>
-							</a>
-						</div>
-					</td>
-				</tr>
-			{% endfor %}
-			</tbody>
-		</table>
-	</div>
-</div>
-
-<div class="card card-info card-outline">
-	<div class="card-header">
-		<h5 class="m-0">Tickers:
-			<a href="?p=news&action=new&type=2" class="float-right"><span class="btn btn-sm btn-success">New</span></a>
-		</h5>
-	</div>
-
-	<div class="card-body">
-		<table class="tb_datatable table table-striped table-bordered table-responsive d-md-table">
-			<thead>
-			<tr>
-				<th width="5%">ID</th>
-				<th>Title</th>
-				<th>Date</th>
-				<th>Player</th>
-				<th style="width: 150px;">Options</th>
-			</tr>
-			</thead>
-			<tbody>
-			{% for ticker in newses[constant('TICKER')] %}
-				<tr>
-					<td>{{ ticker.id|raw }}</td>
-					<td><i><a href="?p=news&action=edit&id={{ ticker.id }}">{{ ticker.title }}</a></i></td>
-					<td>{{ ticker.date|date(setting('core.news_date_format')) }}</td>
-					<td><a target="_blank" rel="noopener noreferrer" href="{{ ticker.player_link }}">{{ ticker.player_name }}</a></td>
-					<td>
-						<div class="btn-group">
-							<a href="?p=news&action=edit&id={{ ticker.id }}" class="btn btn-success btn-sm" title="Edit">
-								<i class="fas fa-pencil-alt"></i>
-							</a>
-							<a href="?p=news&action=delete&id={{ ticker.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-								<i class="fas fa-trash"></i>
-							</a>
-							<a href="?p=news&action=hide&id={{ ticker.id }}" class="btn btn-{{ (ticker.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if ticker.hidden != 1 %}Hide{% else %}Show{% endif %}">
-								<i class="fas fa-eye{{ (ticker.hidden != 1) ? '' : '-slash' }}"></i>
-							</a>
-						</div>
-					</td>
-				</tr>
-			{% endfor %}
-			</tbody>
-		</table>
-	</div>
-</div>
-
-<div class="card card-info card-outline">
-	<div class="card-header">
-		<h5 class="m-0">Articles: <a href="?p=news&action=new&type=3" class="float-right"><span class="btn btn-sm btn-success">New</span></a>
-		</h5>
-	</div>
-
-	<div class="card-body">
-		<table class="tb_datatable table table-striped table-bordered table-responsive d-md-table">
-			<thead>
-			<tr>
-				<th width="5%">ID</th>
-				<th>Title</th>
-				<th>Date</th>
-				<th>Player</th>
-				<th style="width: 150px;">Options</th>
-			</tr>
-			</thead>
-			<tbody>
-			{% for article in newses[constant('ARTICLE')] %}
-				<tr>
-					<td>{{ article.id|raw }}</td>
-					<td><i><a href="?p=news&action=edit&id={{ article.id }}">{{ article.title }}</a></i></td>
-					<td>{{ article.date|date(setting('core.news_date_format')) }}</td>
-					<td><a target="_blank" rel="noopener noreferrer" href="{{ article.player_link }}">{{ article.player_name }}</a></td>
-					<td>
-						<div class="btn-group">
-							<a href="?p=news&action=edit&id={{ article.id }}" class="btn btn-success btn-sm" title="Edit">
-								<i class="fas fa-pencil-alt"></i>
-							</a>
-							<a href="?p=news&action=delete&id={{ article.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-								<i class="fas fa-trash"></i>
-							</a>
-							<a href="?p=news&action=hide&id={{ article.id }}" class="btn btn-{{ (article.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if article.hidden != 1 %}Hide{% else %}Show{% endif %}">
-								<i class="fas fa-eye{{ (article.hidden != 1) ? '' : '-slash' }}"></i>
-							</a>
-						</div>
-					</td>
-				</tr>
-			{% endfor %}
-			</tbody>
-		</table>
-	</div>
-</div>
+{{ include('admin.news.table.html.twig', {type: 1, title: 'News'}) }}
+{{ include('admin.news.table.html.twig', {type: 2, title: 'Tickers'}) }}
+{{ include('admin.news.table.html.twig', {type: 3, title: 'Articles'}) }}
 
 <script>
 	$(function () {
diff --git a/system/templates/admin.news.table.html.twig b/system/templates/admin.news.table.html.twig
new file mode 100644
index 0000000000..5e3633df12
--- /dev/null
+++ b/system/templates/admin.news.table.html.twig
@@ -0,0 +1,64 @@
+<div class="card card-info card-outline">
+	<div class="card-header">
+		<h5 class="m-0">{{ title }}:
+			<form method="post" class="float-right">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="new" />
+				<input type="hidden" name="type" value="{{ type }}" />
+				<button type="submit" class="btn btn-sm btn-success">New</button>
+			</form>
+		</h5>
+	</div>
+
+	<div class="card-body">
+		<table class="tb_datatable table table-striped table-bordered table-responsive d-md-table">
+			<thead>
+			<tr>
+				<th width="5%">ID</th>
+				<th>Title</th>
+				<th>Date</th>
+				<th>Player</th>
+				<th style="width: 150px;">Options</th>
+			</tr>
+			</thead>
+			<tbody>
+			{% for news in newses[type] %}
+				<tr>
+					<td>{{ news.id|raw }}</td>
+					<td>
+						<i>
+							<a href="{{ getLink('news') }}/{{ news.id }}" target="_blank">{{ news.title }}</a>
+						</i>
+					</td>
+					<td>{{ news.date|date(setting('core.news_date_format')) }}</td>
+					<td><a target="_blank" href="{{ news.player_link }}">{{ news.player_name }}</a></td>
+					<td>
+						<div class="btn-group">
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="edit" />
+								<input type="hidden" name="id" value="{{ news.id }}" />
+								<button type="submit" class="btn btn-success btn-sm" title="Edit"><i class="fas fa-pencil-alt"></i></button>
+							</form>
+
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="delete" />
+								<input type="hidden" name="id" value="{{ news.id }}" />
+								<button type="submit" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete"><i class="fas fa-trash"></i></button>
+							</form>
+
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="hide" />
+								<input type="hidden" name="id" value="{{ news.id }}" />
+								<button type="submit" class="btn btn-{{ (news.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if news.hidden != 1 %}Hide{% else %}Show{% endif %}"><i class="fas fa-eye{{ (news.hidden != 1) ? '' : '-slash' }}"></i></button>
+							</form>
+						</div>
+					</td>
+				</tr>
+			{% endfor %}
+			</tbody>
+		</table>
+	</div>
+</div>
diff --git a/system/templates/admin.notepad.html.twig b/system/templates/admin.notepad.html.twig
index d3dc5000f1..43bac7f4e3 100644
--- a/system/templates/admin.notepad.html.twig
+++ b/system/templates/admin.notepad.html.twig
@@ -3,6 +3,7 @@
 		<h5 class="m-0">Notepad</h5>
 	</div>
 	<form method="post">
+		{{ csrf() }}
 		<div class="card-body">
 			<div class="form-group">
 				<label>This is your personal notepad. Be sure to save it each time you modify something.</label>
diff --git a/system/templates/admin.pages.form.html.twig b/system/templates/admin.pages.form.html.twig
index ae6662946a..499af4ee05 100644
--- a/system/templates/admin.pages.form.html.twig
+++ b/system/templates/admin.pages.form.html.twig
@@ -3,7 +3,9 @@
 		<div class="card-header">
 			<h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} page</h5>
 		</div>
-		<form id="form" class="form-horizontal" method="post" action="?p=pages&action={% if action == 'edit' %}edit{% else %}new{% endif %}">
+		<form id="form" class="form-horizontal" method="post">
+			{{ csrf() }}
+			<input type="hidden" name="action" value="{{ action }}" />
 			{% if action == 'edit' %}
 				<input type="hidden" name="id" value="{{ id }}"/>
 			{% endif %}
diff --git a/system/templates/admin.pages.html.twig b/system/templates/admin.pages.html.twig
index ccf2e3ee84..5ee6e1dbb7 100644
--- a/system/templates/admin.pages.html.twig
+++ b/system/templates/admin.pages.html.twig
@@ -1,7 +1,12 @@
 <div class="card card-info card-outline">
 	<div class="card-header">
 		<h5 class="m-0">Pages
-			<a href="?p=pages&action=new" class="float-right"><span class="btn btn-sm btn-success">New</span></a></h5>
+			<form method="post" class="float-right">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="new" />
+				<button type="submit" class="btn btn-sm btn-success">New</button>
+			</form>
+		</h5>
 	</div>
 	<div class="card-body">
 		<table class="table table-striped table-bordered table-responsive d-md-table" id="tb_pages">
@@ -21,15 +26,26 @@
 					<td>{% if page.php %}Yes{% else %}No{% endif %}</td>
 					<td>
 						<div class="btn-group">
-							<a href="?p=pages&action=edit&id={{ page.id }}" class="btn btn-success btn-sm" title="Edit">
-								<i class="fas fa-pencil-alt"></i>
-							</a>
-							<a href="?p=pages&action=delete&id={{ page.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-								<i class="fas fa-trash"></i>
-							</a>
-							<a href="?p=pages&action=hide&id={{ page.id }}" class="btn btn-{{ (page.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if page.hidden != 1 %}Hide{% else %}Show{% endif %}">
-								<i class="fas fa-eye{{ (page.hidden != 1) ? '' : '-slash' }}"></i>
-							</a>
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="edit" />
+								<input type="hidden" name="id" value="{{ page.id }}" />
+								<button type="submit" class="btn btn-success btn-sm" title="Edit"><i class="fas fa-pencil-alt"></i></button>
+							</form>
+
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="delete" />
+								<input type="hidden" name="id" value="{{ page.id }}" />
+								<button type="submit" class="btn btn-danger btn-sm" title="Delete" onclick="return confirm('Are you sure?');"><i class="fas fa-pencil-alt"></i></button>
+							</form>
+
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="hide" />
+								<input type="hidden" name="id" value="{{ page.id }}" />
+								<button type="submit" class="btn btn-{{ (page.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if page.hidden != 1 %}Hide{% else %}Show{% endif %}"><i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i></button>
+							</form>
 						</div>
 					</td>
 				</tr>
diff --git a/system/templates/admin.pages.links.html.twig b/system/templates/admin.pages.links.html.twig
deleted file mode 100644
index 459d06239d..0000000000
--- a/system/templates/admin.pages.links.html.twig
+++ /dev/null
@@ -1,14 +0,0 @@
-<div style="text-align: right;">
-	<a href="{{ constant('ADMIN_URL') }}?p=pages&action=edit&id={{ page.id }}" title="Edit in Admin Panel" target="_blank">
-		<img src="images/edit.png"/>Edit
-	</a>
-	<a id="delete" href="{{ constant('ADMIN_URL') }}?p=pages&action=delete&id={{ page.id }}" onclick="return confirm('Are you sure?');"
-	   title="Delete in Admin Panel" target="_blank">
-		<img src="images/del.png"/>Delete
-	</a>
-	<a href="{{ constant('ADMIN_URL') }}?p=pages&action=hide&id={{ page.id }}"
-	   title="{% if page.hidden != 1 %}Hide{% else %}Show{% endif %} in Admin Panel" target="_blank">
-		<img src="images/{% if page.hidden != 1 %}success{% else %}error{% endif %}.png"/>{% if page.hidden != 1 %}Hide{% else %}Show{% endif %}
-	</a>
-	<br/>
-</div>
diff --git a/system/templates/admin.plugins.form.html.twig b/system/templates/admin.plugins.form.html.twig
index 8f43b908b2..3a04918463 100644
--- a/system/templates/admin.plugins.form.html.twig
+++ b/system/templates/admin.plugins.form.html.twig
@@ -4,6 +4,7 @@
 			<h5 class="m-0">Install plugin</h5>
 		</div>
 		<form enctype="multipart/form-data" method="post" action="{{ constant('ADMIN_URL') }}?p=plugins">
+			{{ csrf() }}
 			<div class="card-body">
 				<input type="hidden" name="upload_plugin"/>
 
diff --git a/system/templates/admin.plugins.html.twig b/system/templates/admin.plugins.html.twig
index d6ffe7b2c7..aaecdcd9a3 100644
--- a/system/templates/admin.plugins.html.twig
+++ b/system/templates/admin.plugins.html.twig
@@ -19,13 +19,17 @@
 				<tr>
 					<td>
 						{% if plugin.enabled %}
-						<a href="?p=plugins&disable={{ plugin.file }}" class="btn btn-success" onclick="return confirm('Are you sure you want to disable plugin {{ plugin.name }}?');" title="Disable">
-							<i class="fas fa-check"></i> Enabled
-						</a>
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="disable" value="{{ plugin.file }}" />
+								<button type="submit" class="btn btn-success" onclick="return confirm('Are you sure you want to disable plugin {{ plugin.name }}?');" title="Disable"><i class="fas fa-check"></i> Enabled</button>
+							</form>
 						{% else %}
-							<a href="?p=plugins&enable={{ plugin.file }}" class="btn btn-danger" onclick="return confirm('Are you sure you want to enable plugin {{ plugin.name }}?');" title="Enable">
-								<i class="fas fa-ban"></i> Disabled
-							</a>
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="enable" value="{{ plugin.file }}" />
+								<button type="submit" class="btn btn-danger" onclick="return confirm('Are you sure you want to enable plugin {{ plugin.name }}?');" title="Enable"><i class="fas fa-ban"></i> Disabled</button>
+							</form>
 						{% endif %}
 					</td>
 					<td><b>{{ plugin.name }}</b><br>
@@ -38,9 +42,11 @@
 					<td>{{ plugin.file }}.json</td>
 					<td>
 						{% if plugin.uninstall %}
-							<a href="?p=plugins&uninstall={{ plugin.file }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure you want to uninstall {{ plugin.name }}?');" title="Uninstall">
-								<i class="fas fa-trash"></i>
-							</a>
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="uninstall" value="{{ plugin.file }}" />
+								<button type="submit" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure you want to uninstall {{ plugin.name }}?');" title="Uninstall"><i class="fas fa-trash"></i></button>
+							</form>
 						{% endif %}
 					</td>
 				</tr>
diff --git a/system/templates/admin.settings.html.twig b/system/templates/admin.settings.html.twig
index e5d3ef9b5d..89a38a9516 100644
--- a/system/templates/admin.settings.html.twig
+++ b/system/templates/admin.settings.html.twig
@@ -74,6 +74,12 @@
 <link rel="stylesheet" type="text/css" href="{{ constant('BASE_URL') }}tools/css/toastify.min.css">
 <script type="text/javascript" src="{{ constant('BASE_URL') }}tools/js/toastify.min.js"></script>
 <script>
+	$.ajaxSetup({
+		headers: {
+			'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
+		}
+	});
+
 	$('#settings').submit(function(e) {
 		e.preventDefault();
 
diff --git a/system/templates/admin.tools.account.html.twig b/system/templates/admin.tools.account.html.twig
index ee32fc9946..7e79d38c46 100644
--- a/system/templates/admin.tools.account.html.twig
+++ b/system/templates/admin.tools.account.html.twig
@@ -6,6 +6,7 @@
 				<h5 class="m-0">Give Premium Points</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_account">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="form-group">
 						<label>Premium Points</label>
@@ -28,6 +29,7 @@
 				<h5 class="m-0">Give Coins</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_account">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="form-group">
 						<label>Coins</label>
@@ -50,6 +52,7 @@
 				<h5 class="m-0">Give Premium Days</h5>
 			</div>
 			<form method="post" action="{{ constant('ADMIN_URL') }}?p=mass_account">
+				{{ csrf() }}
 				<div class="card-body">
 					<div class="form-group">
 						<label>Premium Days</label>
diff --git a/system/templates/characters.html.twig b/system/templates/characters.html.twig
index 865c39ca3a..b4d8b359fd 100644
--- a/system/templates/characters.html.twig
+++ b/system/templates/characters.html.twig
@@ -106,6 +106,7 @@
 							<td>{{ house.name ~ house.town ~ house.add }}</td>
 							<td>
 								<form action="?subtopic=houses&page=view" method="post">
+									{{ csrf() }}
 									<input type="hidden" name="house" value="{{ house.name }}">
 									<input type="image" name="View" alt="View" src="{{ template_path }}/images/global/buttons/sbutton_view.gif" border="0" width="120">
 								</form>
@@ -402,7 +403,8 @@
 				<td>{% if player.isOnline() %}<b><span style="color: green">Online</span></b>{% endif %}</td>
 				<td>
 					<table border="0" cellspacing="0" cellpadding="0">
-						<form action="{{ getLink('characters') }}" method=post>
+						<form action="{{ getLink('characters') }}" method="post">
+							{{ csrf() }}
 							<tr>
 								<td>
 									<input type="hidden" name="name" value="{{ player.getName() }}"/>
diff --git a/system/templates/faq.form.html.twig b/system/templates/faq.form.html.twig
index 8a62d2bd75..7dbc4ad2da 100644
--- a/system/templates/faq.form.html.twig
+++ b/system/templates/faq.form.html.twig
@@ -1,7 +1,8 @@
 <form method="post" action="{{ link }}">
-    {% if action == 'edit' %}
-        <input type="hidden" name="id" value="{{ id }}" />
-    {% endif %}
+	{{ csrf() }}
+	{% if action == 'edit' %}
+		<input type="hidden" name="id" value="{{ id }}" />
+	{% endif %}
 	<table width="100%" border="0" cellspacing="1" cellpadding="4">
 		<tr>
 			<td bgcolor="{{ config.vdarkborder }}" class="white"><b>{% if action == 'edit' %}Edit{% else %}Add{% endif %} FAQ</b></td>
@@ -23,4 +24,4 @@
 			</td>
 		</tr>
 	</table>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/forum.add_board.html.twig b/system/templates/forum.add_board.html.twig
index f46d3a0667..2dbfe96351 100644
--- a/system/templates/forum.add_board.html.twig
+++ b/system/templates/forum.add_board.html.twig
@@ -1,4 +1,5 @@
 <form method="post" action="{{ link }}">
+	{{ csrf() }}
 	{% if action == 'edit_board' %}
 	<input type="hidden" name="id" value="{{ id }}" />
 	{% endif %}
@@ -44,4 +45,4 @@
 			</td>
 		</tr>
 	</table>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/forum.edit_post.html.twig b/system/templates/forum.edit_post.html.twig
index cd1e2a5122..188bbaf60b 100644
--- a/system/templates/forum.edit_post.html.twig
+++ b/system/templates/forum.edit_post.html.twig
@@ -1,5 +1,6 @@
 <br/>
 <form action="{{ getLink('forum') }}" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="action" value="edit_post" />
 	<input type="hidden" name="id" value="{{ post_id }}" />
 	<input type="hidden" name="save" value="save" />
@@ -49,4 +50,4 @@
 	<div style="text-align:center">
 		<input type="submit" value="Save Post" />
 	</div>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/forum.move_thread.html.twig b/system/templates/forum.move_thread.html.twig
index 4188cb750a..4a5981b283 100644
--- a/system/templates/forum.move_thread.html.twig
+++ b/system/templates/forum.move_thread.html.twig
@@ -25,6 +25,7 @@
 							<input type="submit" value="Move Thread">
 						</form>
 						<form action="{{ section_link }}" method="post">
+							{{ csrf() }}
 							<input type="submit" value="Cancel">
 						</form>
 					</td>
@@ -32,4 +33,4 @@
 			</table>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/forum.new_post.html.twig b/system/templates/forum.new_post.html.twig
index 6220cddb9f..ac07c31153 100644
--- a/system/templates/forum.new_post.html.twig
+++ b/system/templates/forum.new_post.html.twig
@@ -1,4 +1,5 @@
 <form action="?" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="action" value="new_post" />
 	<input type="hidden" name="thread_id" value=" {{ thread_id }}" />
 	<input type="hidden" name="subtopic" value="forum" />
diff --git a/system/templates/forum.new_thread.html.twig b/system/templates/forum.new_thread.html.twig
index 77efec37f7..3b5e080d5e 100644
--- a/system/templates/forum.new_thread.html.twig
+++ b/system/templates/forum.new_thread.html.twig
@@ -1,4 +1,5 @@
 <form action="?" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="action" value="new_thread" />
 	<input type="hidden" name="section_id" value="{{ section_id }}" />
 	<input type="hidden" name="subtopic" value="forum" />
@@ -45,4 +46,4 @@
 	<div style="text-align:center">
 		<input type="submit" value="Post Thread" />
 	</div>
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/gallery.form.html.twig b/system/templates/gallery.form.html.twig
index 8b5b21e79e..1c285ba2d8 100644
--- a/system/templates/gallery.form.html.twig
+++ b/system/templates/gallery.form.html.twig
@@ -1,4 +1,5 @@
 <form method="post" action="{{ link }}">
+	{{ csrf() }}
 	{% if action == 'edit' %}
 	<input type="hidden" name="id" value="{{ id }}" />
 	{% endif %}
@@ -29,4 +30,4 @@
 		</tr>
 	</table>
 </form>
-<br/><br/>
\ No newline at end of file
+<br/><br/>
diff --git a/system/templates/guilds.accept_invite.html.twig b/system/templates/guilds.accept_invite.html.twig
index 8d174473cb..c3fde96c63 100644
--- a/system/templates/guilds.accept_invite.html.twig
+++ b/system/templates/guilds.accept_invite.html.twig
@@ -8,6 +8,7 @@
 	<tr bgcolor="{{ config.darkborder }}">
 		<td>
 			<form action="?subtopic=guilds&action=accept_invite&guild={{ guild_name }}&todo=save" method="post">
+				{{ csrf() }}
 				{% set i = 0 %}
 				{% for player in invited_players %}
 				<input type="radio" name="name" id="name_{{ i }}" value="{{ player }}" /><label for="name_{{ i }}">{{ player }}</label>
@@ -24,9 +25,10 @@
 		<tr>
 			<td>
 				<form action="{{ getLink('guilds') ~ '/' ~ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
 		</tr>
 	</table>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.back_button.html.twig b/system/templates/guilds.back_button.html.twig
index c1f009f8a3..d6ce0de458 100644
--- a/system/templates/guilds.back_button.html.twig
+++ b/system/templates/guilds.back_button.html.twig
@@ -3,6 +3,7 @@
 {% endif %}
 <div style="text-align:center">
 	<form action="{% if action is not defined %}{{ getLink('guilds') }}{% else %}{{ action }}{% endif %}" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.change_description.html.twig b/system/templates/guilds.change_description.html.twig
index 97cb866c9b..c9abc5dcd1 100644
--- a/system/templates/guilds.change_description.html.twig
+++ b/system/templates/guilds.change_description.html.twig
@@ -1,12 +1,14 @@
 <div style="text-align:center"><h2>Change guild description</h2></div>
 Here you can change description of your guild.<br/>
 <form enctype="multipart/form-data" action="?subtopic=guilds&guild={{ guild.getName() }}&action=change_description" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="todo" value="save"/>
 	<textarea name="description" cols="60" rows="{{ setting('core.guild_description_lines_limit') - 1 }}">{{ guild.getCustomField('description')|raw }}</textarea><br>
 	(max. {{ setting('core.guild_description_lines_limit') }} lines, max. {{ setting('core.guild_description_chars_limit') }} chars) <input type="submit" value="Save description"/></form><br/>
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
 </div>
diff --git a/system/templates/guilds.change_logo.html.twig b/system/templates/guilds.change_logo.html.twig
index 3194858f02..9577b175ab 100644
--- a/system/templates/guilds.change_logo.html.twig
+++ b/system/templates/guilds.change_logo.html.twig
@@ -1,6 +1,7 @@
 <div style="text-align:center"><h2>Change guild logo</h2></div>
 Here you can change logo of your guild.<br/>Actuall logo: <img src="{{ constant('GUILD_IMAGES_DIR') }}{{ guild_logo }}" height="64" width="64"><br/><br/>
 <form enctype="multipart/form-data" action="?subtopic=guilds&guild={{ guild.getName() }}&action=change_logo" method="post" id="upload_form">
+	{{ csrf() }}
 	<input type="hidden" name="todo" value="save" />
 	<input type="hidden" name="MAX_FILE_SIZE" value="{{ max_image_size_b }}" />
 	Select new logo: <input name="newlogo" id="newlogo" type="file" />
@@ -10,6 +11,7 @@ Only <b>jpg, gif, png, bmp</b> pictures. Max. size: <b>{{ setting('core.guild_im
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
 </div>
diff --git a/system/templates/guilds.change_motd.html.twig b/system/templates/guilds.change_motd.html.twig
index eae3fe67e6..ab91f67d03 100644
--- a/system/templates/guilds.change_motd.html.twig
+++ b/system/templates/guilds.change_motd.html.twig
@@ -1,12 +1,14 @@
 <div style="text-align:center"><h2>Change guild MOTD</h2></div>
 Here you can change MOTD (Message of the Day, showed in game!) of your guild.<br/>
 <form enctype="multipart/form-data" action="?subtopic=guilds&guild={{ guild.getName() }}&action=change_motd" method="post">
+	{{ csrf() }}
 	<input type="hidden" name="todo" value="save"/>
 	<textarea name="motd" cols="60" rows="3">{{ guild.getCustomField('motd')|raw }}</textarea><br/>
 	(max. {{ setting('core.guild_motd_chars_limit') }} chars) <input type="submit" value="Save MOTD" /></form><br/>
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
 </div>
diff --git a/system/templates/guilds.change_rank.html.twig b/system/templates/guilds.change_rank.html.twig
index a30112542d..ee28bf3f92 100644
--- a/system/templates/guilds.change_rank.html.twig
+++ b/system/templates/guilds.change_rank.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=change_rank&guild={{ guild_name }}&todo=save" method="post">
+	{{ csrf() }}
 	<table border="0" cellspacing="1" cellpadding="4" width="100%">
 		<tr bgcolor="{{ config.vdarkborder }}"><td class="white"><b>Change Rank</b></td></tr>
 		<tr bgcolor="{{ config.darkborder }}">
@@ -29,9 +30,10 @@
 		<td>
 			<div style="text-align:center">
 				<form action="?subtopic=guilds&action=show&guild={{ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</div>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/guilds.create.html.twig b/system/templates/guilds.create.html.twig
index eb09ec2a43..5def076bbb 100644
--- a/system/templates/guilds.create.html.twig
+++ b/system/templates/guilds.create.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=create&todo=save" method="post">
+	{{ csrf() }}
 	<table width="100%" border="0" cellspacing="1" cellpadding="4">
 		<tr>
 			<td bgcolor="{{ config.vdarkborder }}" class="white"><B>Create a {{ config.lua.serverName }} Guild</b></td>
@@ -47,6 +48,7 @@
 			</td>
 			<td align="center">
 				<form  action="?subtopic=guilds" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
@@ -54,4 +56,4 @@
 				<img src="{{ template_path }}/images/general/blank.gif" width="120" height="1" border="0"><br>
 			</td>
 		</tr>
-	</table>
\ No newline at end of file
+	</table>
diff --git a/system/templates/guilds.create.success.html.twig b/system/templates/guilds.create.success.html.twig
index 354a0300f2..c3f8900e99 100644
--- a/system/templates/guilds.create.success.html.twig
+++ b/system/templates/guilds.create.success.html.twig
@@ -14,9 +14,10 @@
 		<td>
 			<div style="text-align:center">
 				<form action="{{ getLink('guilds') ~ '/' ~ guild_name }}" method="post">
+				{{ csrf() }}
 				{{ include('buttons.submit.html.twig') }}
 				</form>
 			</div>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/guilds.delete_guild.html.twig b/system/templates/guilds.delete_guild.html.twig
index 063e3fdce5..bd40f1e131 100644
--- a/system/templates/guilds.delete_guild.html.twig
+++ b/system/templates/guilds.delete_guild.html.twig
@@ -20,6 +20,7 @@
 						<tr>
 							<td>Are you sure you want delete guild <b>{{ guild.getName() }}</b>?<br/>
 								<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=delete_guild" method="post">
+									{{ csrf() }}
 									<input type="hidden" name="todo" value="save"/>
 									<input type="submit" value="Yes, delete"/>
 								</form>
@@ -34,6 +35,7 @@
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.delete_invite.html.twig b/system/templates/guilds.delete_invite.html.twig
index 771617e9a2..833086dba2 100644
--- a/system/templates/guilds.delete_invite.html.twig
+++ b/system/templates/guilds.delete_invite.html.twig
@@ -8,15 +8,17 @@
 		<tr>
 			<td align="right" width="50%">
 				<form action="?subtopic=guilds&action=delete_invite&guild={{ guild_name }}&name={{ player_name }}&todo=save" method="post">
+				{{ csrf() }}
 				{{ include('buttons.submit.html.twig') }}
 				</form>
 			</td>
 			<td style="width: 10px; "></td>
 			<td>
 				<form action="?subtopic=guilds&action=show&guild={{ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
 		</tr>
 	</table>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.invite.html.twig b/system/templates/guilds.invite.html.twig
index df822e5998..9b10bf4eb9 100644
--- a/system/templates/guilds.invite.html.twig
+++ b/system/templates/guilds.invite.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=invite&guild={{ guild_name }}&todo=save" method="post">
+	{{ csrf() }}
 	Invite player with name:&nbsp;&nbsp;<input type="text" name="name">&nbsp;&nbsp;&nbsp;&nbsp;
 	{{ include('buttons.submit.html.twig') }}
-</form>
\ No newline at end of file
+</form>
diff --git a/system/templates/guilds.kick_player.html.twig b/system/templates/guilds.kick_player.html.twig
index 881195bebb..00c02b2522 100644
--- a/system/templates/guilds.kick_player.html.twig
+++ b/system/templates/guilds.kick_player.html.twig
@@ -8,15 +8,17 @@
 		<tr>
 			<td align="right" width="50%">
 				<form action="?subtopic=guilds&action=kick_player&guild={{ guild_name }}&name={{ player_name }}&todo=save" method="post">
+					{{ csrf() }}
 					{{ include('buttons.submit.html.twig') }}
 				</form>
 			</td>
 			<td style="width: 10px;"></td>
 			<td>
 				<form action="{{ getLink('guilds') ~ '/' ~ guild_name }}" method="post">
+					{{ csrf() }}
 					{{ include('buttons.back.html.twig') }}
 				</form>
 			</td>
 		</tr>
 	</table>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.leave_guild.html.twig b/system/templates/guilds.leave_guild.html.twig
index 989e113412..7acfa253b3 100644
--- a/system/templates/guilds.leave_guild.html.twig
+++ b/system/templates/guilds.leave_guild.html.twig
@@ -1,4 +1,5 @@
 <form action="?subtopic=guilds&action=leave_guild&guild={{ guild_name }}&todo=save" METHOD="post">
+	{{ csrf() }}
 <table border="0" cellspacing="1" cellpadding="4" width="100%">
 	<tr bgcolor="{{ config.vdarkborder }}">
 		<td class="white"><b>Leave guild</b></td></tr>
@@ -27,8 +28,9 @@
 </form>
 		<td>
 			<form action="?subtopic=guilds&action=show&guild={{ guild_name }}" method="post">
+				{{ csrf() }}
 				{{ include('buttons.back.html.twig') }}
 			</form>
 		</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/system/templates/guilds.list.html.twig b/system/templates/guilds.list.html.twig
index 1f7903a64d..a95a2750b3 100644
--- a/system/templates/guilds.list.html.twig
+++ b/system/templates/guilds.list.html.twig
@@ -61,6 +61,7 @@
 																			<tr>
 																				<td style="border:0;">
 																					<form action="{{ guild.link }}" method="post">
+																						{{ csrf() }}
 																						{{ include('buttons.view.html.twig') }}
 																					</form>
 																				</td>
@@ -82,11 +83,10 @@
 															<td>
 																<table border="0" cellpadding="0" cellspacing="0" width="100%">
 																	<form action="?subtopic=guilds&action=create" method="post">
-																		<form action="?subtopic=guilds&action=create" method="post">
-																			{% set button_name = 'Found Guild' %}
-																			{% set button_image = '_sbutton_foundguild' %}
-																			{% include('buttons.base.html.twig') %}
-																		</form>
+																		{{ csrf() }}
+																		{% set button_name = 'Found Guild' %}
+																		{% set button_image = '_sbutton_foundguild' %}
+																		{% include('buttons.base.html.twig') %}
 																	</form>
 																</table>
 															</td>
@@ -128,6 +128,7 @@
 						{% if logged %}
 						No guild found that suits your needs?
 						<form action="?subtopic=guilds&action=create" method="post">
+							{{ csrf() }}
 							{% set button_name = 'Found Guild' %}
 							{% set button_image = '_sbutton_foundguild' %}
 							{% include('buttons.base.html.twig') %}
@@ -136,6 +137,7 @@
 						<b>Before you can create a guild you must login.</b>
 						<br/>
 						<form action="?subtopic=accountmanagement&redirect={{ getLink('guilds') }}" method="post">
+							{{ csrf() }}
 							{% include('buttons.login.html.twig') %}
 						</form>
 						{% endif %}
diff --git a/system/templates/guilds.manager.html.twig b/system/templates/guilds.manager.html.twig
index ff733be027..16dc6082f3 100644
--- a/system/templates/guilds.manager.html.twig
+++ b/system/templates/guilds.manager.html.twig
@@ -76,6 +76,7 @@ Here you can change names of ranks, delete and add ranks, pass leadership to oth
 							<td width="120" valign="top">New rank name:</td>
 							<td>
 								<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=add_rank" method="post">
+									{{ csrf() }}
 									<input type="text" name="rank_name" size="20"/>
 									<input type="submit" value="Add"/>
 								</form>
@@ -89,6 +90,7 @@ Here you can change names of ranks, delete and add ranks, pass leadership to oth
 </div>
 <div style="text-align:center"><h3>Change rank names and levels</h3></div>
 <form action="?subtopic=guilds&action=save_ranks&guild={{ guild.getName() }}" method="post">
+	{{ csrf() }}
 	<table style="clear:both" border="0" cellpadding="0" cellspacing="0" width="100%">
 		<tr bgcolor="{{ config.vdarkborder }}">
 			<td rowspan="2" width="120" align="center">
@@ -163,6 +165,7 @@ Here you can change names of ranks, delete and add ranks, pass leadership to oth
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&action=show&guild={{ guild.getName() }}" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.pass_leadership.html.twig b/system/templates/guilds.pass_leadership.html.twig
index 04d7d211c3..0524835d27 100644
--- a/system/templates/guilds.pass_leadership.html.twig
+++ b/system/templates/guilds.pass_leadership.html.twig
@@ -20,6 +20,7 @@
 						<tr>
 							<td>Pass leadership to: </b><br>
 								<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=pass_leadership" method="post">
+									{{ csrf() }}
 									<input type="hidden" name="todo" value="save"/>
 									<input type="text" size="40" name="player"/>
 									<input type="submit" value="Save">
@@ -35,6 +36,7 @@
 <br/>
 <div style="text-align:center">
 	<form action="?subtopic=guilds&guild={{ guild.getName() }}&action=manager" method="post">
+		{{ csrf() }}
 		{{ include('buttons.back.html.twig') }}
 	</form>
-</div>
\ No newline at end of file
+</div>
diff --git a/system/templates/guilds.view.html.twig b/system/templates/guilds.view.html.twig
index f3da843e09..a815379bb6 100644
--- a/system/templates/guilds.view.html.twig
+++ b/system/templates/guilds.view.html.twig
@@ -142,6 +142,7 @@
 																	<td>
 																		{% set playerName = player.getName() %}
 																		<form action="?subtopic=guilds&action=change_nick&name={{ playerName }}&guild={{ guild_name }}" method="post">
+																			{{ csrf() }}
 																			{{ getPlayerLink(playerName, true)|raw }}
 
 																			{% set showGuildNick = false %}
@@ -290,6 +291,7 @@
 													<tr>
 														{% if not logged %}
 															<form action="?subtopic=accountmanagement&redirect={{ getGuildLink(guild_name|url_encode, false) }}" method="post">
+																{{ csrf() }}
 																<td>
 																	{{ include('buttons.login.html.twig') }}
 																</td>
@@ -297,6 +299,7 @@
 														{% else %}
 															{% if show_accept_invite > 0 %}
 																<form action="?subtopic=guilds&action=accept_invite&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		<input type="image" name="Accept Invite" alt="Accept Invite" src="{{ template_path }}/images/global/buttons/sbutton_acceptinvite.png" style="width: 120px; height: 20px;">
 																	</td>
@@ -305,6 +308,7 @@
 
 															{% if isVice %}
 																<form action="?subtopic=guilds&action=invite&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		{% set button_name = 'Invite Character' %}
 																		{% set button_image = '_sbutton_invitecharacter' %}
@@ -313,6 +317,7 @@
 																</form>
 
 																<form action="?subtopic=guilds&action=change_rank&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		{% set button_name = 'Edit Ranks' %}
 																		{% set button_image = '_sbutton_editranks' %}
@@ -323,6 +328,7 @@
 
 															{% if players_from_account_in_guild|length > 0 %}
 																<form action="?subtopic=guilds&action=leave_guild&guild={{ guild_name|url_encode }}" method="post">
+																	{{ csrf() }}
 																	<td>
 																		{% set button_name = 'Leave Guild' %}
 																		{% set button_image = '_sbutton_leaveguild' %}
@@ -333,6 +339,7 @@
 														{% endif %}
 
 														<form action="{{ getLink('guilds') }}" method="post">
+															{{ csrf() }}
 															<td style="float: right">
 																{{ include('buttons.back.html.twig') }}
 															</td>
diff --git a/system/templates/templates.header.html.twig b/system/templates/templates.header.html.twig
index fa9665f5c9..cded84dec3 100644
--- a/system/templates/templates.header.html.twig
+++ b/system/templates/templates.header.html.twig
@@ -1,6 +1,8 @@
 <meta charset="{{ charset }}">
 <meta http-equiv="content-language" content="{{ config.language }}" />
 <meta http-equiv="content-type" content="text/html; charset={{ charset }}" />
+<!-- CSRF Token -->
+<meta name="csrf-token" content="{{ csrfToken() }}">
 {% if not is_admin %}
 <base href="{{ constant('BASE_URL') }}" />
 <title>{{ title }}</title>
diff --git a/system/twig.php b/system/twig.php
index 49c0cce6ee..0222353a03 100644
--- a/system/twig.php
+++ b/system/twig.php
@@ -9,6 +9,7 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
+use MyAAC\CsrfToken;
 use Twig\Environment as Twig_Environment;
 use Twig\Extension\DebugExtension as Twig_DebugExtension;
 use Twig\Loader\FilesystemLoader as Twig_FilesystemLoader;
@@ -118,6 +119,16 @@
 });
 $twig->addFunction($function);
 
+$function = new TwigFunction('csrf', function () {
+	csrf();
+});
+$twig->addFunction($function);
+
+$function = new TwigFunction('csrfToken', function () {
+	return csrfToken();
+});
+$twig->addFunction($function);
+
 $filter = new TwigFilter('urlencode', function ($s) {
 	return urlencode($s);
 });
diff --git a/templates/tibiacom/news.featured_article.html.twig b/templates/tibiacom/news.featured_article.html.twig
index fa704814fc..58b69a9352 100644
--- a/templates/tibiacom/news.featured_article.html.twig
+++ b/templates/tibiacom/news.featured_article.html.twig
@@ -20,16 +20,7 @@
 						<b>
 							<p>{{ article.title|raw }}
 								{% if canEdit %}
-									<a href="{{ constant('ADMIN_URL') }}?p=news&action=edit&id={{ article.id }}" title="Edit">
-										<img src="images/edit.png"/>Edit
-									</a>
-									<a id="delete" href="{{ constant('ADMIN_URL') }}?p=news&action=delete&id={{ article.id }}" onclick="return confirm('Are you sure?');" title="Delete">
-										<img src="images/del.png"/>Delete
-									</a>
-									<a href="{{ constant('ADMIN_URL') }}?p=news&action=hide&id={{ article.id }}" title="{% if article.hidden != 1 %}Hide{% else %}Show{% endif %}">
-										<img src="images/{% if article.hidden != 1 %}success{% else %}error{% endif %}.png"/>
-										{% if article.hidden != 1 %}Hide{% else %}Show{% endif %}
-									</a>
+									{{ include('admin.links.html.twig', {page: 'news', id: article.id, hidden: article.hidden }) }}
 								{% endif %}
 							</p>
 						</b>