Add the new vBulletin anti-CSRF security check in your vb mods
April 23, 2008 Posted in: Code Tutorials, vBulletin
All plugins over at vb.org should properly be updated shortly to implement this new security check, but that is not going to happen any time soon with all the wannabe coders out there. So let me help you.
The new anti-CSRF check is triggered by a specific constant at the top of your script; the vB team chose this approach so as not to break a few hundred mods.
So at the top of your script, before the call to global.php (right under the define of THIS_SCRIPT is a good place), add this line.
define('CSRF_PROTECTION', true);
The next step is to edit all the forms in your custom plugin templates to add a specific hidden input. A handy way to do this is to open your product.xml, search for <form, and add this line of code under each match.
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
And you are done! You can run a test after the first step alone to see this nice error on any POST request coming from the scripts where you added the first line:
Your submission could not be processed because a security token was missing or mismatched.
If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.
After a little searching, and if you think as I do, you will find out how the new check works in the file includes/init.php, lines 399-420.
Note that only POST requests are checked, not GET requests.
If for some reason you want your script to have this extra check but you also want to bypass it for certain actions, you must specify something like this at the top of your script:
define('CSRF_SKIP_LIST', 'save,update,dosex');
where save, update and dosex are the actions specified by $_REQUEST['do'] (or $_POST['do'] if you prefer).
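To see which requests the three rules above let through, here is a stand-alone model of the check, written for this post as an added example. It is not vBulletin's own code from includes/init.php; the function names, the hash_equals comparison and the sample tokens are my own assumptions.

```php
<?php
// Added example, not vBulletin's code: models the behaviour the post describes.
// In a real mod the defines sit at the top of the script, before global.php:
//   define('THIS_SCRIPT', 'mymod');
//   define('CSRF_PROTECTION', true);
//   define('CSRF_SKIP_LIST', 'save,update');   // optional, per-action bypass

// True when the request must carry a valid token: only POST requests, and only
// when the 'do' action is not listed in the (optional) comma-separated skip list.
function csrf_check_required($method, $do, $skip_list = '')
{
    if (strtoupper($method) !== 'POST') {
        return false;                        // GET is never checked
    }
    $skip = array_map('trim', explode(',', $skip_list));
    return !in_array($do, $skip, true);
}

// Compares the token posted by the form's hidden "securitytoken" field with the
// one stored for the logged-in user ($bbuserinfo[securitytoken] in templates).
// A missing or different token fails; hash_equals avoids timing differences.
function csrf_token_valid($posted_token, $user_token)
{
    if ($posted_token === null || $user_token === null || $user_token === '') {
        return false;
    }
    return hash_equals($user_token, (string) $posted_token);
}

// Constructed sample requests (hypothetical values) exercising each rule.
$user_token = 'constructed-user-token';
$requests = array(
    array('POST', 'dothing', 'constructed-user-token', 'valid POST'),
    array('POST', 'dothing', null,                     'POST, token missing'),
    array('POST', 'dothing', 'forged-value',           'POST, token mismatched'),
    array('GET',  'dothing', null,                     'GET, not checked'),
    array('POST', 'save',    null,                     'POST action on skip list'),
);
foreach ($requests as $r) {
    list($method, $do, $token, $label) = $r;
    $needs_check = csrf_check_required($method, $do, 'save,update');
    $ok = !$needs_check || csrf_token_valid($token, $user_token);
    printf("%-26s -> %s\n", $label,
           $ok ? 'accepted' : 'rejected: token missing or mismatched');
}
```

hash_equals needs PHP 5.6 or newer; on older installs a plain === comparison gives the same accept/reject result.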
Happy Coding as always….