From d3621e459371e316297cf78e2c4c57a672c5b878 Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis@dolibarr.fr>
Date: Fri, 15 May 2009 13:59:49 +0000
Subject: [PATCH] =?UTF-8?q?Fix:=20ajout=20d'un=20jeton=20al=E9atoire=20dan?=
 =?UTF-8?q?s=20les=20requetes=20POST?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 htdocs/adherents/card_subscriptions.php | 2 ++
 htdocs/adherents/fiche.php              | 3 +++
 htdocs/adherents/fiche_subscription.php | 2 ++
 htdocs/adherents/index.php              | 1 +
 htdocs/adherents/options.php            | 2 ++
 htdocs/adherents/type.php               | 1 +
 htdocs/admin/adherent.php               | 4 ++++
 htdocs/admin/agenda.php                 | 1 +
 htdocs/admin/agenda_xcal.php            | 1 +
 htdocs/admin/barcode.php                | 1 +
 htdocs/admin/bookmark.php               | 1 +
 htdocs/admin/boutique.php               | 1 +
 htdocs/admin/boxes.php                  | 2 ++
 htdocs/admin/cashdesk.php               | 1 +
 htdocs/admin/clicktodial.php            | 1 +
 htdocs/admin/commande.php               | 4 ++++
 htdocs/admin/company.php                | 2 ++
 htdocs/admin/compta.php                 | 2 ++
 htdocs/admin/comptaexpert.php           | 2 ++
 htdocs/admin/const.php                  | 5 ++---
 htdocs/admin/delais.php                 | 1 +
 htdocs/admin/dict.php                   | 2 ++
 htdocs/admin/droitpret.php              | 2 ++
 htdocs/admin/editeur.php                | 1 +
 htdocs/admin/energie.php                | 1 +
 htdocs/admin/events.php                 | 1 +
 htdocs/admin/external_rss.php           | 1 +
 htdocs/admin/facture.php                | 5 +++++
 htdocs/admin/ihm.php                    | 1 +
 htdocs/admin/ldap.php                   | 1 +
 htdocs/admin/ldap_contacts.php          | 1 +
 htdocs/admin/ldap_groups.php            | 1 +
 htdocs/admin/ldap_members.php           | 1 +
 htdocs/admin/ldap_users.php             | 1 +
 htdocs/admin/limits.php                 | 1 +
 htdocs/admin/livraison.php              | 1 +
 htdocs/admin/mailing.php                | 1 +
 htdocs/admin/mails.php                  | 1 +
 htdocs/admin/mantis.php                 | 1 +
 htdocs/admin/menus.php                  | 1 +
 htdocs/admin/menus/edit.php             | 4 ++++
 htdocs/admin/notification.php           | 1 +
 htdocs/admin/paybox.php                 | 1 +
 htdocs/admin/phenix.php                 | 1 +
 htdocs/admin/propale.php                | 2 ++
 htdocs/admin/security.php               | 1 +
 htdocs/admin/security_other.php         | 3 +++
 htdocs/admin/syslog.php                 | 2 ++
 htdocs/admin/taxes.php                  | 1 +
 htdocs/admin/tools/dolibarr_export.php  | 1 +
 htdocs/admin/tools/eaccelerator.php     | 1 +
 htdocs/admin/tools/purge.php            | 1 +
 htdocs/admin/webcalendar.php            | 1 +
 htdocs/admin/webservices.php            | 1 +
 htdocs/bookmarks/fiche.php              | 2 ++
 htdocs/cashdesk/index.php               | 4 ++--
 htdocs/html.form.class.php              | 8 ++++++++
 htdocs/html.formcompany.class.php       | 1 +
 htdocs/html.formfile.class.php          | 2 ++
 htdocs/main.inc.php                     | 1 +
 htdocs/soc.php                          | 3 +++
 htdocs/societe.php                      | 1 +
 62 files changed, 103 insertions(+), 5 deletions(-)

diff --git a/htdocs/adherents/card_subscriptions.php b/htdocs/adherents/card_subscriptions.php
index 64cd3ba0788..7e743d807d7 100644
--- a/htdocs/adherents/card_subscriptions.php
+++ b/htdocs/adherents/card_subscriptions.php
@@ -189,6 +189,7 @@ $head = member_prepare_head($adh);
 dol_fiche_head($head, 'subscription', $langs->trans("Member"));
 
 print '<form action="fiche.php" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<table class="border" width="100%">';
 
 // Ref
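Review bot: The hidden field added in this hunk interpolates `$_SESSION['newtoken']` raw into an HTML attribute and assumes the key is always populated; when the session has no token yet the form is emitted with `value=""` plus a PHP notice, so the server-side comparison (not visible in this patch, presumably in main.inc.php) must reject an empty or absent token rather than compare two empty strings. The same literal `print` line is repeated verbatim in every other form hunk of this patch (fiche.php, fiche_subscription.php, index.php, options.php, type.php and the whole of htdocs/admin/*), which makes it easy to miss a form and costly to rename the field or change its escaping later. A single helper emitting `'<input type="hidden" name="token" value="'.htmlspecialchars($_SESSION['newtoken'], ENT_QUOTES).'">'` would keep the escaping and the field name in one place. The name `newtoken` suggests the value is regenerated per request; if so, a form opened in a second tab will fail the check, which is worth confirming against the generation code. The enclosing script body continues outside the hunk.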
@@ -377,6 +378,7 @@ if ($action == 'addsubscription' && $user->rights->adherent->cotisation->creer)
 	print "\n\n<!-- Form add subscription -->\n";
 
 	print '<form name="cotisation" method="post" action="'.$_SERVER["PHP_SELF"].'">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<input type="hidden" name="action" value="cotisation">';
 	print '<input type="hidden" name="rowid" value="'.$rowid.'">';
 	print "<table class=\"border\" width=\"100%\">\n";
diff --git a/htdocs/adherents/fiche.php b/htdocs/adherents/fiche.php
index 052b23e5202..5e6a78826f7 100644
--- a/htdocs/adherents/fiche.php
+++ b/htdocs/adherents/fiche.php
@@ -596,6 +596,7 @@ if ($action == 'edit')
 	if ($conf->societe->enabled) $rowspan++;
 
 	print '<form name="update" action="'.$_SERVER["PHP_SELF"].'" method="post" enctype="multipart/form-data">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print "<input type=\"hidden\" name=\"action\" value=\"update\">";
 	print "<input type=\"hidden\" name=\"rowid\" value=\"$rowid\">";
 	print "<input type=\"hidden\" name=\"statut\" value=\"".$adh->statut."\">";
@@ -740,6 +741,7 @@ if ($action == 'create')
     print_fiche_titre($langs->trans("NewMember"));
 
 	print '<form name="add" action="'.$_SERVER["PHP_SELF"].'" method="post" enctype="multipart/form-data">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<input type="hidden" name="action" value="add">';
 
     print '<table class="border" width="100%">';
@@ -980,6 +982,7 @@ if ($rowid && $action != 'edit')
     if ($conf->societe->enabled) $rowspan++;
 
     print '<form action="fiche.php" method="post" enctype="multipart/form-data">';
+    print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<table class="border" width="100%">';
 
     // Ref
diff --git a/htdocs/adherents/fiche_subscription.php b/htdocs/adherents/fiche_subscription.php
index 0d9dacc974a..0a4524141cf 100644
--- a/htdocs/adherents/fiche_subscription.php
+++ b/htdocs/adherents/fiche_subscription.php
@@ -191,6 +191,7 @@ if ($user->rights->adherent->cotisation->creer && $action == 'edit')
 
 	print "\n";
 	print '<form name="update" action="'.$_SERVER["PHP_SELF"].'" method="post">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print "<input type=\"hidden\" name=\"action\" value=\"update\">";
 	print "<input type=\"hidden\" name=\"rowid\" value=\"$rowid\">";
 	print "<input type=\"hidden\" name=\"fk_bank\" value=\"".$subscription->fk_bank."\">";
@@ -302,6 +303,7 @@ if ($rowid && $action != 'edit')
     }
 
     print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+    print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<table class="border" width="100%">';
 
     // Ref
diff --git a/htdocs/adherents/index.php b/htdocs/adherents/index.php
index e79e992c3a2..56152b6b3f7 100644
--- a/htdocs/adherents/index.php
+++ b/htdocs/adherents/index.php
@@ -119,6 +119,7 @@ print '<tr><td width="30%" class="notopnoleft" valign="top">';
 
 // Formulaire recherche adherent
 print '<form action="liste.php" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="search">';
 print '<table class="noborder" width="100%">';
 print '<tr class="liste_titre">';
diff --git a/htdocs/adherents/options.php b/htdocs/adherents/options.php
index 342fb5b911f..0ae2b94b391 100644
--- a/htdocs/adherents/options.php
+++ b/htdocs/adherents/options.php
@@ -165,6 +165,7 @@ if ($_GET["action"] == 'create')
 	print_titre($langs->trans('NewAttribute'));
 
 	print '<form action="options.php" method="post">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<table class="border" width="100%">';
 
 	print '<input type="hidden" name="action" value="add">';
@@ -200,6 +201,7 @@ if ($_GET["attrname"] && $_GET["action"] == 'edit')
 	 * formulaire d'edition
 	 */
 	print '<form method="post" action="options.php?attrname='.$_GET["attrname"].'">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<input type="hidden" name="attrname" value="'.$_GET["attrname"].'">';
 	print '<input type="hidden" name="action" value="update">';
 	print '<table class="border" width="100%">';
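Review bot: The token line is added to a form whose `action` attribute (the context line above it) and `attrname` hidden field (the line below it) both embed `$_GET["attrname"]` unescaped; a CSRF token does nothing against that reflected attribute injection, so while this form is being touched the value should be wrapped, e.g. `htmlspecialchars($_GET["attrname"], ENT_QUOTES)`. The same pattern sits next to the new token line in the dict.php second hunk (`$_GET["id"]`, `$_GET["rowid"]`) and in the menus/edit.php create hunk (`$_GET['menuId']` in the form action). This is pre-existing code rather than something the patch introduces, and the hunk does not show whether these parameters are validated earlier in the script.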
diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php
index 60d3020b151..cf96f3ccbc7 100644
--- a/htdocs/adherents/type.php
+++ b/htdocs/adherents/type.php
@@ -332,6 +332,7 @@ if ($rowid > 0)
 
 
         print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?rowid='.$rowid.'">';
+        print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
         print '<input type="hidden" name="rowid" value="'.$rowid.'">';
         print '<input type="hidden" name="action" value="update">';
         print '<table class="border" width="100%">';
diff --git a/htdocs/admin/adherent.php b/htdocs/admin/adherent.php
index c2ec209dec1..ecc1e3157ac 100644
--- a/htdocs/admin/adherent.php
+++ b/htdocs/admin/adherent.php
@@ -98,6 +98,7 @@ $form = new Form($db);
 // Mail required for members
 $var=!$var;
 print '<form action="adherent.php" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="update">';
 print '<input type="hidden" name="rowid" value="'.$rowid.'">';
 print '<input type="hidden" name="constname" value="ADHERENT_MAIL_REQUIRED">';
@@ -111,6 +112,7 @@ print '</form>';
 // Send mail information is on by default
 $var=!$var;
 print '<form action="adherent.php" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="update">';
 print '<input type="hidden" name="rowid" value="'.$rowid.'">';
 print '<input type="hidden" name="constname" value="ADHERENT_DEFAULT_SENDINFOBYMAIL">';
@@ -127,6 +129,7 @@ print '</form>';
 // Insertion cotisations dans compte financier
 $var=!$var;
 print '<form action="adherent.php" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="update">';
 print '<input type="hidden" name="rowid" value="'.$rowid.'">';
 print '<input type="hidden" name="constname" value="ADHERENT_BANK_USE">';
@@ -269,6 +272,7 @@ $constantes=array(
 					$obj = $db->fetch_object($result);
 					$var=!$var;
 					print '<form action="adherent.php" method="POST">';
+					print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 					print '<input type="hidden" name="action" value="update">';
 					print '<input type="hidden" name="rowid" value="'.$rowid.'">';
 					print '<input type="hidden" name="constname" value="'.$obj->name.'">';
diff --git a/htdocs/admin/agenda.php b/htdocs/admin/agenda.php
index 2c935fd5d2b..4a4ba6e182a 100644
--- a/htdocs/admin/agenda.php
+++ b/htdocs/admin/agenda.php
@@ -102,6 +102,7 @@ dol_fiche_head($head, 'autoactions', $langs->trans("Agenda"));
 
 
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="save">';
 
 $var=true;
diff --git a/htdocs/admin/agenda_xcal.php b/htdocs/admin/agenda_xcal.php
index ca225240798..b4c09a568f0 100644
--- a/htdocs/admin/agenda_xcal.php
+++ b/htdocs/admin/agenda_xcal.php
@@ -81,6 +81,7 @@ dol_fiche_head($head, 'xcal', $langs->trans("Agenda"));
 
 
 print '<form name="agendasetupform" action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print "<table class=\"noborder\" width=\"100%\">";
 
 print "<tr class=\"liste_titre\">";
diff --git a/htdocs/admin/barcode.php b/htdocs/admin/barcode.php
index cb56c1bee68..913f2cfc182 100644
--- a/htdocs/admin/barcode.php
+++ b/htdocs/admin/barcode.php
@@ -230,6 +230,7 @@ if (!isset($_ENV['windir']) && !file_exists($_ENV['windir']))
 {
 	$var=!$var;
 	print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<input type="hidden" name="action" value="setgenbarcodelocation">';
 	print '<tr '.$bc[$var].'>';
 	print '<td>'.$langs->trans("GenbarcodeLocation").'</td>';
diff --git a/htdocs/admin/bookmark.php b/htdocs/admin/bookmark.php
index b4ae3d904ac..c5198220a12 100644
--- a/htdocs/admin/bookmark.php
+++ b/htdocs/admin/bookmark.php
@@ -63,6 +63,7 @@ if ($mesg) print '<br>'.$mesg;
 
 print '<br>';
 print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setvalue">';
 
 $var=true;
diff --git a/htdocs/admin/boutique.php b/htdocs/admin/boutique.php
index 13ed245f6b3..7e67d444dfc 100644
--- a/htdocs/admin/boutique.php
+++ b/htdocs/admin/boutique.php
@@ -139,6 +139,7 @@ print '<br>';
 
 $var=true;
 print '<form name="oscommerceconfig" action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print "<table class=\"noborder\" width=\"100%\">";
 print "<tr class=\"liste_titre\">";
 print "<td width=\"40%\">".$langs->trans("Parameter")."</td>";
diff --git a/htdocs/admin/boxes.php b/htdocs/admin/boxes.php
index a04c4c92904..a16ce4d8138 100644
--- a/htdocs/admin/boxes.php
+++ b/htdocs/admin/boxes.php
@@ -276,6 +276,7 @@ if ($resql)
 			$var = ! $var;
 	
 			print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
+			print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 			$logo=eregi_replace("^object_","",$box->boximg);
 			print '<tr '.$bc[$var].'>';
 			print '<td>'.img_object("",$logo).' '.$box->boxlabel.'</td>';
@@ -388,6 +389,7 @@ print '<table class="noborder" width="100%">';
 
 $var=false;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="addconst">';
 print "<tr $bc[$var] class=value><td>";
 print $langs->trans("MaxNbOfLinesForBoxes")."</td>\n";
diff --git a/htdocs/admin/cashdesk.php b/htdocs/admin/cashdesk.php
index 95d5c3f0929..40021595071 100644
--- a/htdocs/admin/cashdesk.php
+++ b/htdocs/admin/cashdesk.php
@@ -69,6 +69,7 @@ print '<br>';
 // Mode
 $var=true;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="set">';
 
 print '<table class="noborder" width="100%">';
diff --git a/htdocs/admin/clicktodial.php b/htdocs/admin/clicktodial.php
index a3af735a1b7..a9d82aa30e4 100644
--- a/htdocs/admin/clicktodial.php
+++ b/htdocs/admin/clicktodial.php
@@ -63,6 +63,7 @@ if ($mesg) print '<br>'.$mesg;
 
 print '<br>';
 print '<form method="post" action="clicktodial.php">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setvalue">';
 
 $var=true;
diff --git a/htdocs/admin/commande.php b/htdocs/admin/commande.php
index ce87464e740..405ee2af1d8 100644
--- a/htdocs/admin/commande.php
+++ b/htdocs/admin/commande.php
@@ -422,6 +422,7 @@ $var=true;
 /*
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setvalidorder">';
 print '<tr '.$bc[$var].'>';
 print '<td>'.$langs->trans("ValidOrderAfterPropalClosed").'</td>';
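Review bot: The token line added here follows a `/*` opener on the hunk's first context line with no `*/` before it, so it appears to be inside a commented-out block and is never output; the next hunk in this file (the `deliverycostline` form) has the same shape. If those blocks are intentionally disabled the two additions are dead lines and can be dropped, and if the forms are meant to be live the comment markers need removing, which the patch does not do. The closing `*/` is outside the hunk, so this is inferred from the visible opener only.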
@@ -435,6 +436,7 @@ print '</form>';
 /*
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="deliverycostline">';
 print '<tr '.$bc[$var].'>';
 print '<td>'.$langs->trans("AddDeliveryCostLine").'</td>';
@@ -447,6 +449,7 @@ print '</form>';
 // Utiliser le contact de la commande dans le document
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="set_use_customer_contact_as_recipient">';
 print '<tr '.$bc[$var].'>';
 print '<td>'.$langs->trans("UseCustomerContactAsOrderRecipientIfExist").'</td>';
@@ -457,6 +460,7 @@ print '</form>';
 
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="set_COMMANDE_FREE_TEXT">';
 print '<tr '.$bc[$var].'><td colspan="2">';
 print $langs->trans("FreeLegalTextOnOrders").'<br>';
diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php
index dc629a92257..da1c5795333 100644
--- a/htdocs/admin/company.php
+++ b/htdocs/admin/company.php
@@ -211,6 +211,7 @@ if ((isset($_GET["action"]) && $_GET["action"] == 'edit')
 	 */
 
 	print '<form enctype="multipart/form-data" method="post" action="'.$_SERVER["PHP_SELF"].'" name="form_index">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<input type="hidden" name="action" value="update">';
 	$var=true;
 
@@ -576,6 +577,7 @@ else
 
 	// Identifiants de la soci�t� (propre au pays)
 	print '<form name="formsoc" method="post">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<table class="noborder" width="100%">';
 	print '<tr class="liste_titre"><td>'.$langs->trans("CompanyIds").'</td><td>'.$langs->trans("Value").'</td></tr>';
 	$var=true;
diff --git a/htdocs/admin/compta.php b/htdocs/admin/compta.php
index 3b84fa61265..4a1f56cf298 100644
--- a/htdocs/admin/compta.php
+++ b/htdocs/admin/compta.php
@@ -86,6 +86,7 @@ print '<table class="noborder" width="100%">';
 
 // Cas du parametre COMPTA_MODE
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setcomptamode">';
 print '<tr class="liste_titre">';
 print '<td>'.$langs->trans('OptionMode').'</td><td>'.$langs->trans('Description').'</td>';
@@ -141,6 +142,7 @@ if ($result)
 		$var=!$var;
 
 		print '<form action="compta.php" method="POST">';
+		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 		print '<input type="hidden" name="action" value="update">';
 		print '<input type="hidden" name="rowid" value="'.$rowid.'">';
 		print '<input type="hidden" name="constname" value="'.$obj->name.'">';
diff --git a/htdocs/admin/comptaexpert.php b/htdocs/admin/comptaexpert.php
index 4dc5a0cf9c9..08d37978563 100644
--- a/htdocs/admin/comptaexpert.php
+++ b/htdocs/admin/comptaexpert.php
@@ -87,6 +87,7 @@ print '<table class="noborder" width="100%">';
 
 // Cas du param�tre COMPTA_MODE
 print '<form action="compta.php" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setcomptamode">';
 print '<tr class="liste_titre">';
 print '<td>'.$langs->trans('OptionMode').'</td><td>'.$langs->trans('Description').'</td>';
@@ -128,6 +129,7 @@ if ($result)
 		$var=!$var;
 
 		print '<form action="compta.php" method="POST">';
+		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 		print '<input type="hidden" name="action" value="update">';
 		print '<input type="hidden" name="rowid" value="'.$rowid.'">';
 		print '<input type="hidden" name="constname" value="'.$obj->name.'">';
diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php
index f8b5c41738c..83f9bf5e16b 100644
--- a/htdocs/admin/const.php
+++ b/htdocs/admin/const.php
@@ -77,6 +77,7 @@ $form = new Form($db);
 # Affiche ligne d'ajout
 $var=false;
 print '<form action="const.php" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="add">';
 
 print "<tr $bc[$var] class=value><td><input type=\"text\" class=\"flat\" size=\"24\" name=\"constname\" value=\"\"></td>\n";
@@ -134,12 +135,10 @@ if ($result)
 
 		print "\n";
 		print '<form action="'.DOL_URL_ROOT.'/admin/const.php" method="POST">';
+		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 		print '<input type="hidden" name="action" value="update">';
 		print '<input type="hidden" name="rowid" value="'.$obj->rowid.'">';
 		print '<input type="hidden" name="constname" value="'.$obj->name.'">';
-		
-		// Ajout du nouveau jeton dans les requetes POST
-		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 		print "<tr $bc[$var] class=value><td>$obj->name</td>\n";
 
diff --git a/htdocs/admin/delais.php b/htdocs/admin/delais.php
index 4d050701b97..c9e1f2d9a34 100644
--- a/htdocs/admin/delais.php
+++ b/htdocs/admin/delais.php
@@ -74,6 +74,7 @@ $countrynotdefined='<font class="error">'.$langs->trans("ErrorSetACountryFirst")
 if ((isset($_GET["action"]) && $_GET["action"] == 'edit'))
 {
     print '<form method="post" action="delais.php" name="form_index">';
+    print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<input type="hidden" name="action" value="update">';
     $var=true;
 
diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php
index 707402fbfd0..5438d565bad 100644
--- a/htdocs/admin/dict.php
+++ b/htdocs/admin/dict.php
@@ -485,6 +485,7 @@ if ($_GET["id"])
 	$fieldlist=split(',',$tabfield[$_GET["id"]]);
 
 	print '<form action="dict.php" method="post">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<table class="noborder" width="100%">';
 
 	// Ligne d'ajout
@@ -606,6 +607,7 @@ if ($_GET["id"])
 				if ($_GET["action"] == 'modify' && ($_GET["rowid"] == ($obj->rowid?$obj->rowid:$obj->code)))
 				{
 					print '<form action="dict.php" method="post">';
+					print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 					print '<input type="hidden" name="id" value="'.$_GET["id"].'">';
 					print '<input type="hidden" name="rowid" value="'.$_GET["rowid"].'">';
 					fieldList($fieldlist,$obj);
diff --git a/htdocs/admin/droitpret.php b/htdocs/admin/droitpret.php
index cf6e2be5df6..9a0b6a50e7f 100644
--- a/htdocs/admin/droitpret.php
+++ b/htdocs/admin/droitpret.php
@@ -83,6 +83,7 @@ $form = new Form($db);
 // Categorie
 $var=!$var;
 print '<form action="droitpret.php" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="update">';
 print '<input type="hidden" name="rowid" value="'.$rowid.'">';
 print '<input type="hidden" name="constname" value="DROITPRET_CAT">';
@@ -99,6 +100,7 @@ print '</form>';
 // Adresse destination
 $var=!$var;
 print '<form action="droitpret.php" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="update">';
 print '<input type="hidden" name="rowid" value="'.$rowid.'">';
 print '<input type="hidden" name="constname" value="DROITPRET_MAIL">';
diff --git a/htdocs/admin/editeur.php b/htdocs/admin/editeur.php
index a23e2c80c4d..0d70bcb620a 100644
--- a/htdocs/admin/editeur.php
+++ b/htdocs/admin/editeur.php
@@ -68,6 +68,7 @@ print_fiche_titre($langs->trans("Configuration du module Editeur"),$linkback,'se
 print '<br>';
 
 print '<form action="editeur.php" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<table class="noborder" width="100%">';
 
 print '<input type="hidden" name="action" value="set">';
diff --git a/htdocs/admin/energie.php b/htdocs/admin/energie.php
index a35e314fc21..b0757c9a20a 100644
--- a/htdocs/admin/energie.php
+++ b/htdocs/admin/energie.php
@@ -50,6 +50,7 @@ print_fiche_titre($langs->trans("Energy"),$linkback,'setup');
 
 print '<br>';
 print '<form method="post" action="energie.php">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setvalue">';
 print '<table class="border">';
 print '<tr class="liste_titre">';
diff --git a/htdocs/admin/events.php b/htdocs/admin/events.php
index c06d1a33200..f643c0e061f 100644
--- a/htdocs/admin/events.php
+++ b/htdocs/admin/events.php
@@ -116,6 +116,7 @@ dol_fiche_head($head, 'audit', $langs->trans("Security"));
 
 
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="save">';
 
 $var=true;
diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php
index f08f78b99a9..45c078965c6 100644
--- a/htdocs/admin/external_rss.php
+++ b/htdocs/admin/external_rss.php
@@ -189,6 +189,7 @@ print '<br>';
 
 // Formulaire ajout
 print '<form name="externalrssconfig" action="external_rss.php" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 print '<table class="noborder" width="100%">';
 print '<tr class="liste_titre">';
diff --git a/htdocs/admin/facture.php b/htdocs/admin/facture.php
index 69e47850a2c..2fbaa290a4a 100644
--- a/htdocs/admin/facture.php
+++ b/htdocs/admin/facture.php
@@ -470,6 +470,7 @@ print '<br>';
 print_titre($langs->trans("SuggestedPaymentModesIfNotDefinedInInvoice"));
 
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 print '<table class="noborder" width="100%">';
 $var=True;
@@ -571,6 +572,7 @@ $var=true;
 // Force date validation
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setforcedate">';
 print '<tr '.$bc[$var].'><td>';
 print $langs->trans("ForceInvoiceDate");
@@ -584,6 +586,7 @@ print '</form>';
 // Active la possibilite d'editer/supprimer une facture validee sans paiement
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="set_enable_editdelete">';
 print '<tr '.$bc[$var].'><td>';
 print $langs->trans("EnableEditDeleteValidInvoice");
@@ -596,6 +599,7 @@ print '</form>';
 
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="set_use_bill_contact_as_recipient">';
 print '<tr '.$bc[$var].'><td>';
 print $langs->trans("UsBillingContactAsIncoiveRecipientIfExist");
@@ -608,6 +612,7 @@ print '</form>';
 
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="set_FACTURE_FREE_TEXT">';
 print '<tr '.$bc[$var].'><td colspan="2">';
 print $langs->trans("FreeLegalTextOnInvoices").'<br>';
diff --git a/htdocs/admin/ihm.php b/htdocs/admin/ihm.php
index 802b5bec9d7..b4d0418227a 100644
--- a/htdocs/admin/ihm.php
+++ b/htdocs/admin/ihm.php
@@ -103,6 +103,7 @@ print "<br>\n";
 if (isset($_GET["action"]) && $_GET["action"] == 'edit')
 {
     print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
+    print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<input type="hidden" name="action" value="update">';
 
     clearstatcache();
diff --git a/htdocs/admin/ldap.php b/htdocs/admin/ldap.php
index 8637afd6a54..93a8b361fc3 100644
--- a/htdocs/admin/ldap.php
+++ b/htdocs/admin/ldap.php
@@ -96,6 +96,7 @@ $html=new Form($db);
 
 
 print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?action=setvalue">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 print '<table class="noborder" width="100%">';
 
diff --git a/htdocs/admin/ldap_contacts.php b/htdocs/admin/ldap_contacts.php
index 8eae8905918..86a48c095b4 100644
--- a/htdocs/admin/ldap_contacts.php
+++ b/htdocs/admin/ldap_contacts.php
@@ -97,6 +97,7 @@ print $langs->trans("LDAPDescContact").'<br>';
 print '<br>';
 
 print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?action=setvalue">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 $html=new Form($db);
 
diff --git a/htdocs/admin/ldap_groups.php b/htdocs/admin/ldap_groups.php
index 4b1c8a38047..b1dde21cf08 100644
--- a/htdocs/admin/ldap_groups.php
+++ b/htdocs/admin/ldap_groups.php
@@ -89,6 +89,7 @@ print '<br>';
 
 
 print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?action=setvalue">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 $html=new Form($db);
 
diff --git a/htdocs/admin/ldap_members.php b/htdocs/admin/ldap_members.php
index afd3ac7bc58..162cf5a3873 100644
--- a/htdocs/admin/ldap_members.php
+++ b/htdocs/admin/ldap_members.php
@@ -112,6 +112,7 @@ print '<br>';
 
 
 print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?action=setvalue">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 $html=new Form($db);
 
diff --git a/htdocs/admin/ldap_users.php b/htdocs/admin/ldap_users.php
index 35e308a2845..584f3ddb73f 100644
--- a/htdocs/admin/ldap_users.php
+++ b/htdocs/admin/ldap_users.php
@@ -100,6 +100,7 @@ print '<br>';
 
 
 print '<form method="post" action="'.$_SERVER["PHP_SELF"].'?action=setvalue">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
    
 $html=new Form($db);
diff --git a/htdocs/admin/limits.php b/htdocs/admin/limits.php
index bec24430847..a7cefb6faab 100644
--- a/htdocs/admin/limits.php
+++ b/htdocs/admin/limits.php
@@ -71,6 +71,7 @@ if ($mesg) print $mesg.'<br>';
 if (isset($_GET["action"]) && $_GET["action"] == 'edit')
 {
     print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
+    print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<input type="hidden" name="action" value="update">';
 
     clearstatcache();
diff --git a/htdocs/admin/livraison.php b/htdocs/admin/livraison.php
index a327c43c55a..8f71d13d8f6 100644
--- a/htdocs/admin/livraison.php
+++ b/htdocs/admin/livraison.php
@@ -420,6 +420,7 @@ $var=true;
 
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="set_DELIVERY_FREE_TEXT">';
 print '<tr '.$bc[$var].'><td colspan="2">';
 print $langs->trans("FreeLegalTextOnDeliveryReceipts").'<br>';
diff --git a/htdocs/admin/mailing.php b/htdocs/admin/mailing.php
index caf9111f828..bc1c1d0f728 100644
--- a/htdocs/admin/mailing.php
+++ b/htdocs/admin/mailing.php
@@ -63,6 +63,7 @@ if ($mesg) print '<br>'.$mesg;
 
 print '<br>';
 print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setvalue">';
 
 $var=true;
diff --git a/htdocs/admin/mails.php b/htdocs/admin/mails.php
index c596e8e9504..7d77bf486e1 100644
--- a/htdocs/admin/mails.php
+++ b/htdocs/admin/mails.php
@@ -205,6 +205,7 @@ if (isset($_GET["action"]) && $_GET["action"] == 'edit')
 	$html=new Form($db);
 
 	print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<input type="hidden" name="action" value="update">';
 
 	clearstatcache();
diff --git a/htdocs/admin/mantis.php b/htdocs/admin/mantis.php
index 2846fb0f1af..ab587561133 100644
--- a/htdocs/admin/mantis.php
+++ b/htdocs/admin/mantis.php
@@ -137,6 +137,7 @@ print '<br>';
 
 
 print '<form name="phpmantisconfig" action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print "<table class=\"noborder\" width=\"100%\">";
 
 print "<tr class=\"liste_titre\">";
diff --git a/htdocs/admin/menus.php b/htdocs/admin/menus.php
index 71c02abf4f1..08d47aa3b32 100644
--- a/htdocs/admin/menus.php
+++ b/htdocs/admin/menus.php
@@ -113,6 +113,7 @@ dol_fiche_head($head, 'handler', $langs->trans("Menus"));
 if (isset($_GET["action"]) && $_GET["action"] == 'edit')
 {
     print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
+    print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<input type="hidden" name="action" value="update">';
 
     clearstatcache();
diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php
index d1938afa857..fb7d0e672b0 100644
--- a/htdocs/admin/menus/edit.php
+++ b/htdocs/admin/menus/edit.php
@@ -294,6 +294,7 @@ if (isset($_GET["action"]) && $_GET["action"] == 'create')
 	else print '<br>';
 	
 	print '<form action="./edit.php?action=add&menuId='.$_GET['menuId'].'" method="post" name="formmenucreate">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 	print '<table class="border" width="100%">';
 	
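Review bot: The token is added beside markup that interpolates `$_GET['menuId']` raw into HTML — the form `action` on the line above it here, and the `menuId` hidden inputs in the third and fourth hunks of this file — so a crafted request parameter can break out of the attribute. While these forms are being touched, wrapping it as `htmlspecialchars($_GET['menuId'])`, or casting with `(int)` if the id is always numeric, would close that; the token itself is placed correctly. The enclosing `if`/`elseif` branches start and end outside the hunks.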
@@ -398,6 +399,7 @@ elseif (isset($_GET["action"]) && $_GET["action"] == 'edit')
 	print '<br>';
 	
 	print '<form action="./edit.php?action=update" method="POST" name="formmenuedit">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<input type="hidden" name="handler_origine" value="'.$menu_handler.'">';
 	
 	print '<table class="border" width="100%">';
@@ -515,6 +517,7 @@ elseif (isset($_GET["action"]) && $_GET["action"] == 'edit')
 		
 		// Ajout de contraintes personalisees
 		print '<form action="edit.php?action=add_const" method="post">';
+		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 		print '<input type="hidden" name="menuId" value="'.$_GET['menuId'].'">';
 		print '<input type="hidden" name="type" value="perso">';
 
@@ -528,6 +531,7 @@ elseif (isset($_GET["action"]) && $_GET["action"] == 'edit')
 		
 		// Ajout de contraintes predefinis
 		print '<form action="edit.php?action=add_const" method="post">';
+		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 		print '<input type="hidden" name="menuId" value="'.$_GET['menuId'].'">';
 		print '<input type="hidden" name="type" value="prede">';
 
diff --git a/htdocs/admin/notification.php b/htdocs/admin/notification.php
index 63bf14150ac..01942db469e 100644
--- a/htdocs/admin/notification.php
+++ b/htdocs/admin/notification.php
@@ -65,6 +65,7 @@ if ($mesg) print '<br>'.$mesg;
 
 print '<br>';
 print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setvalue">';
 
 $var=true;
diff --git a/htdocs/admin/paybox.php b/htdocs/admin/paybox.php
index be8087c2e73..7848b5f9786 100644
--- a/htdocs/admin/paybox.php
+++ b/htdocs/admin/paybox.php
@@ -80,6 +80,7 @@ if ($mesg) print '<br>'.$mesg;
 
 print '<br>';
 print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setvalue">';
 
 $var=true;
diff --git a/htdocs/admin/phenix.php b/htdocs/admin/phenix.php
index 5eed93f0009..45a4db865da 100644
--- a/htdocs/admin/phenix.php
+++ b/htdocs/admin/phenix.php
@@ -159,6 +159,7 @@ print '<br>';
 
 
 print '<form name="phpphenixconfig" action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print "<table class=\"noborder\" width=\"100%\">";
 
 print "<tr class=\"liste_titre\">";
diff --git a/htdocs/admin/propale.php b/htdocs/admin/propale.php
index a3300d7965d..e11c1ff81a1 100644
--- a/htdocs/admin/propale.php
+++ b/htdocs/admin/propale.php
@@ -436,6 +436,7 @@ print '</form>';
 
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setusecustomercontactasrecipient">';
 print '<tr '.$bc[$var].'><td>';
 print $langs->trans("UseCustomerContactAsPropalRecipientIfExist");
@@ -463,6 +464,7 @@ if ($conf->commande->enabled)
 
 $var=! $var;
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="set_PROPALE_FREE_TEXT">';
 print '<tr '.$bc[$var].'><td colspan="2">';
 print $langs->trans("FreeLegalTextOnProposal").'<br>';
diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php
index ed9b99793a9..a3f95a87d5a 100644
--- a/htdocs/admin/security.php
+++ b/htdocs/admin/security.php
@@ -178,6 +178,7 @@ $html = new Form($db);
 
 // Choix du gestionnaire du g�n�rateur de mot de passe
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="update">';
 print '<input type="hidden" name="constname" value="USER_PASSWORD_GENERATED">';
 print '<input type="hidden" name="consttype" value="yesno">';
diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php
index e33de19220a..5dcf5b056c4 100644
--- a/htdocs/admin/security_other.php
+++ b/htdocs/admin/security_other.php
@@ -120,6 +120,7 @@ print "</tr>\n";
 
 
 print '<form action="'.$_SERVER["PHP_SELF"].'?action=set_main_upload_doc" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<tr '.$bc[$var].'>';
 print '<td colspan="2">'.$langs->trans("MaxSizeForUploadedFiles").'.';
 $max=@ini_get('upload_max_filesize');
@@ -136,6 +137,7 @@ print '</tr></form>';
 
 $var=!$var;
 print '<form action="'.$_SERVER["PHP_SELF"].'?action=MAIN_UMASK" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<tr '.$bc[$var].'>';
 print '<td>'.$langs->trans("UMask").'</td><td align="right">';
 print $form->textwithpicto('',$langs->trans("UMaskExplanation"));
@@ -151,6 +153,7 @@ print '</tr></form>';
 $var=!$var;
 if (empty($conf->global->MAIN_SESSION_TIMEOUT)) $conf->global->MAIN_SESSION_TIMEOUT=ini_get("session.gc_maxlifetime");
 print '<form action="'.$_SERVER["PHP_SELF"].'?action=MAIN_SESSION_TIMEOUT" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<tr '.$bc[$var].'>';
 print '<td>'.$langs->trans("SessionTimeOut").'</td><td align="right">';
 print $form->textwithpicto('',$langs->trans("SessionExplanation",ini_get("session.gc_probability"),ini_get("session.gc_divisor")));
diff --git a/htdocs/admin/syslog.php b/htdocs/admin/syslog.php
index ca75dc49d16..38fff5d961f 100644
--- a/htdocs/admin/syslog.php
+++ b/htdocs/admin/syslog.php
@@ -115,6 +115,7 @@ print_titre($langs->trans("SyslogOutput"));
 
 // Mode
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="set">';
 print '<table class="noborder" width="100%">';
 print '<tr class="liste_titre">';
@@ -140,6 +141,7 @@ print "</form>\n";
 
 // Level
 print '<form action="syslog.php" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setlevel">';
 print '<table class="noborder" width="100%">';
 print '<tr class="liste_titre">';
diff --git a/htdocs/admin/taxes.php b/htdocs/admin/taxes.php
index aeb4027c9ce..14b4d799cc9 100644
--- a/htdocs/admin/taxes.php
+++ b/htdocs/admin/taxes.php
@@ -84,6 +84,7 @@ print '<table class="noborder" width="100%">';
 
 // Cas du parametre TAX_MODE
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="settaxmode">';
 print '<tr class="liste_titre">';
 print '<td>'.$langs->trans('OptionVatMode').'</td><td>'.$langs->trans('Description').'</td>';
diff --git a/htdocs/admin/tools/dolibarr_export.php b/htdocs/admin/tools/dolibarr_export.php
index 2e84eb642ab..0ddef8e323e 100644
--- a/htdocs/admin/tools/dolibarr_export.php
+++ b/htdocs/admin/tools/dolibarr_export.php
@@ -66,6 +66,7 @@ if ($_GET["msg"])
 
 <!-- Dump of a server -->
 <form method="post" action="export.php" name="dump">
+<input type="hidden" name="token" value="<?php echo $_SESSION['newtoken'] ?>" />
 
 <input type="hidden" name="export_type" value="server" />
 
diff --git a/htdocs/admin/tools/eaccelerator.php b/htdocs/admin/tools/eaccelerator.php
index 802e66721b5..aa7fc0fc954 100644
--- a/htdocs/admin/tools/eaccelerator.php
+++ b/htdocs/admin/tools/eaccelerator.php
@@ -254,6 +254,7 @@ if (is_array($resCached) || is_array($resRemoved))
 {
 	print "<br>";
 	print '<form name="ea_control" method="post">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<table class="noborder">';
 	print '<tr class="liste_titre"><td colspan="2">Actions</td></tr>';
 	
diff --git a/htdocs/admin/tools/purge.php b/htdocs/admin/tools/purge.php
index e10b84bb5d0..691b7e495da 100644
--- a/htdocs/admin/tools/purge.php
+++ b/htdocs/admin/tools/purge.php
@@ -105,6 +105,7 @@ if ($message)
 }
 
 print '<form action="'.$_SERVER["PHP_SELF"].'" method="POST">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 print '<input type="hidden" name="action" value="purge">';
 
diff --git a/htdocs/admin/webcalendar.php b/htdocs/admin/webcalendar.php
index 7d7ac139259..11a1d96458b 100644
--- a/htdocs/admin/webcalendar.php
+++ b/htdocs/admin/webcalendar.php
@@ -157,6 +157,7 @@ print '<br>';
 
 
 print '<form name="phpwebcalendarconfig" action="'.$_SERVER["PHP_SELF"].'" method="post">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print "<table class=\"noborder\" width=\"100%\">";
 
 print "<tr class=\"liste_titre\">";
diff --git a/htdocs/admin/webservices.php b/htdocs/admin/webservices.php
index da07de4708c..1beffb9dd64 100644
--- a/htdocs/admin/webservices.php
+++ b/htdocs/admin/webservices.php
@@ -64,6 +64,7 @@ if ($mesg) print '<br>'.$mesg;
 /*
 print '<br>';
 print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
+print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 print '<input type="hidden" name="action" value="setvalue">';
 
 $var=true;
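Review bot: The added token line sits inside the block opened by the `/*` on the first context line of this hunk, so as far as the visible lines show it is commented out and has no effect; the closing `*/` is not in the hunk, so this is inferred rather than certain. If the form is intentionally disabled, the change is harmless but misleading to the next reader; if the form is live, the comment delimiters are the actual problem. A short comment on the `/*` line stating why the block is disabled, e.g. `/* Form disabled: setting is not editable from this page yet */`, would settle which case applies.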
diff --git a/htdocs/bookmarks/fiche.php b/htdocs/bookmarks/fiche.php
index 9e8eb60e9ed..02a84ef9f4b 100644
--- a/htdocs/bookmarks/fiche.php
+++ b/htdocs/bookmarks/fiche.php
@@ -134,6 +134,7 @@ if ($action == 'create')
      */
 
     print '<form action="fiche.php" method="post">'."\n";
+    print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<input type="hidden" name="action" value="add">';
 
     print_fiche_titre($langs->trans("NewBookmark"));
@@ -180,6 +181,7 @@ if ($_GET["id"] > 0 && ! eregi('^add',$_GET["action"]))
     if ($_GET["action"] == 'edit')
     {
     	print '<form name="edit" method="POST" action="'.$_SERVER["PHP_SELF"].'">';
+    	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     	print '<input type="hidden" name="action" value="update">';
     	print '<input type="hidden" name="id" value="'.$bookmark->id.'">';
     	print '<input type="hidden" name="urlsource" value="'.urlencode(DOL_URL_ROOT.'/bookmarks/fiche.php?id='.$bookmark->id).'">';
diff --git a/htdocs/cashdesk/index.php b/htdocs/cashdesk/index.php
index 6a99ee8bac8..93d8c23c05c 100644
--- a/htdocs/cashdesk/index.php
+++ b/htdocs/cashdesk/index.php
@@ -62,8 +62,8 @@ if ( $_SESSION['uid'] > 0 ) {
 <div class="contenu">
 <div class="principal_login">
 <fieldset class="cadre_facturation"><legend class="titre1">Identification</legend>
-<form class="formulaire_login" id="frmLogin" method="post"
-	action="index_verif.php">
+<form class="formulaire_login" id="frmLogin" method="post" action="index_verif.php">
+	<input type="hidden" name="token" value="<?php echo $_SESSION['newtoken'] ?>" />
 
 <table>
 
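Review bot: This is the pre-authentication login form, so the field only carries a value if `$_SESSION['newtoken']` is already generated for an anonymous session; where the token is created is not in the hunk, and if that happens only after login the verifier on index_verif.php will see an empty token and either reject every login or have to skip the check. The value is also echoed into the attribute without `htmlspecialchars`; writing it as `<?php echo htmlspecialchars($_SESSION['newtoken']) ?>` costs nothing and keeps the template consistent with escaping elsewhere. The same unescaped `echo` pattern appears in the dolibarr_export.php hunk.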
diff --git a/htdocs/html.form.class.php b/htdocs/html.form.class.php
index 6f5bcf4f8d1..61c869a5256 100644
--- a/htdocs/html.form.class.php
+++ b/htdocs/html.form.class.php
@@ -1619,6 +1619,7 @@ class Form
 		{
 			print '<form method="post" action="'.$page.'" class="notoptoleftroright">';
 			print '<input type="hidden" name="action" value="'.$action.'">';
+			print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 			print '<table width="100%" class="valid">';
 
@@ -1675,6 +1676,7 @@ class Form
 		{
 			print '<form method="post" action="'.$page.'">';
 			print '<input type="hidden" name="action" value="classin">';
+			print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 			print '<table class="noborder" cellpadding="0" cellspacing="0">';
 			print '<tr><td>';
 			select_projects($socid,$selected,$htmlname);
@@ -1709,6 +1711,7 @@ class Form
 		{
 			print '<form method="post" action="'.$page.'">';
 			print '<input type="hidden" name="action" value="setconditions">';
+			print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 			print '<table class="noborder" cellpadding="0" cellspacing="0">';
 			print '<tr><td>';
 			$this->select_conditions_paiements($selected,$htmlname,-1,$addempty);
@@ -1743,6 +1746,7 @@ class Form
 		{
 			print '<form method="post" action="'.$page.'" name="form'.$htmlname.'">';
 			print '<input type="hidden" name="action" value="set'.$htmlname.'">';
+			print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 			print '<table class="noborder" cellpadding="0" cellspacing="0">';
 			print '<tr><td>';
 			print $this->select_date($selected,$htmlname,0,0,1,'form'.$htmlname);
@@ -1776,6 +1780,7 @@ class Form
 		{
 			print '<form method="post" action="'.$page.'">';
 			print '<input type="hidden" name="action" value="setmode">';
+			print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 			print '<table class="noborder" cellpadding="0" cellspacing="0">';
 			print '<tr><td>';
 			$this->select_types_paiements($selected,$htmlname);
@@ -1813,6 +1818,7 @@ class Form
 		{
 			print '<form method="post" action="'.$page.'">';
 			print '<input type="hidden" name="action" value="setabsolutediscount">';
+			print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 			print '<table class="nobordernopadding" cellpadding="0" cellspacing="0">';
 			print '<tr><td>';
 			if (! $filter || $filter=='fk_facture_source IS NULL') print $langs->trans("CompanyHasAbsoluteDiscount",price($amount),$langs->transnoentities("Currency".$conf->monnaie)).': ';
@@ -1860,6 +1866,7 @@ class Form
 		{
 			print '<form method="post" action="'.$page.'">';
 			print '<input type="hidden" name="action" value="set_contact">';
+			print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 			print '<table class="noborder" cellpadding="0" cellspacing="0">';
 			print '<tr><td>';
 			$num=$this->select_contacts($societe->id, $selected, $htmlname);
@@ -1903,6 +1910,7 @@ class Form
 		{
 			print '<form method="post" action="'.$page.'">';
 			print '<input type="hidden" name="action" value="setdeliveryadress">';
+			print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 			print '<table class="noborder" cellpadding="0" cellspacing="0">';
 			print '<tr><td>';
 			$this->select_adresse_livraison($selected, $socid, $htmlname, 1);
diff --git a/htdocs/html.formcompany.class.php b/htdocs/html.formcompany.class.php
index 4ccc8b6b6d1..6a5035b126a 100644
--- a/htdocs/html.formcompany.class.php
+++ b/htdocs/html.formcompany.class.php
@@ -135,6 +135,7 @@ class FormCompany
 
 		print '<form method="post" action="'.$page.'">';
 		print '<input type="hidden" name="action" value="setprospectlevel">';
+		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 		print '<table class="noborder" cellpadding="0" cellspacing="0">';
 		print '<tr><td>';
 
diff --git a/htdocs/html.formfile.class.php b/htdocs/html.formfile.class.php
index 05f10d3fdf1..d1f89a7ddde 100644
--- a/htdocs/html.formfile.class.php
+++ b/htdocs/html.formfile.class.php
@@ -65,6 +65,7 @@ class FormFile
 
 		print '<form name="userfile" action="'.$url.'" enctype="multipart/form-data" method="POST">';
 		print '<input type="hidden" name="section" value="'.$sectionid.'">';
+		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 		print '<table width="100%" class="noborder">';
 		print '<tr><td width="50%" valign="top">';
@@ -294,6 +295,7 @@ class FormFile
 
 			if (empty($noform)) print '<form action="'.$urlsource.'#builddoc" method="post">';
 			print '<input type="hidden" name="action" value="builddoc">';
+			print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 			print_titre($langs->trans("BuildDocuments"));
 			print '<table class="border" width="100%">';
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 8c37fd649ca..99fd1e0e998 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -1097,6 +1097,7 @@ function printSearchForm($urlaction,$urlobject,$title,$htmlmodesearch='search',$
 	$ret.='<a class="vsmenu" href="'.$urlobject.'">';
 	$ret.=$title.'</a><br>';
 	$ret.='</div>';
+	$ret.='<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	$ret.='<input type="hidden" name="mode" value="search">';
 	$ret.='<input type="hidden" name="mode-search" value="'.$htmlmodesearch.'">';
 	$ret.='<input type="text" class="flat" name="'.$htmlinputname.'" size="10">&nbsp;';
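Review bot: printSearchForm builds its markup with `$ret.=` and the `<form>` opening tag is outside the hunk, so whether this search form submits with POST or GET cannot be seen here. If it is a GET form, the token field should be dropped: a search does not change state, and a GET submission puts the session token into the query string, where it reaches browser history, referrer headers and server logs and weakens the CSRF defense on the forms that do need it. A one-line comment above the new line recording the form method, e.g. `// token is checked on POST; keep this form method="post"`, would make the dependency explicit. The function body starts outside the hunk.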
diff --git a/htdocs/soc.php b/htdocs/soc.php
index cb4fed84cbc..8b9ef64168c 100644
--- a/htdocs/soc.php
+++ b/htdocs/soc.php
@@ -379,6 +379,7 @@ $_GET["action"] == 'create' || $_POST["action"] == 'create')
 		print '<form action="soc.php" method="post" name="formsoc">';
 
 		print '<input type="hidden" name="action" value="add">';
+		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 		print '<input type="hidden" name="cleartype" value="0">';
 		print '<input type="hidden" name="private" value='.$soc->particulier.'>';
 		if ($modCodeClient->code_auto || $modCodeFournisseur->code_auto) print '<input type="hidden" name="code_auto" value="1">';
@@ -711,6 +712,7 @@ elseif ($_GET["action"] == 'edit' || $_POST["action"] == 'edit')
 
 		print '<form action="soc.php?socid='.$soc->id.'" method="post" name="formsoc">';
 		print '<input type="hidden" name="action" value="update">';
+		print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 		print '<input type="hidden" name="socid" value="'.$soc->id.'">';
 		if ($modCodeClient->code_auto || $modCodeFournisseur->code_auto) print '<input type="hidden" name="code_auto" value="1">';
 
@@ -974,6 +976,7 @@ else
 	}
 
 	print '<form name="formsoc" method="post">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 	print '<table class="border" width="100%">';
 
 	// Name
diff --git a/htdocs/societe.php b/htdocs/societe.php
index 4d1a61d073b..0a176306278 100644
--- a/htdocs/societe.php
+++ b/htdocs/societe.php
@@ -238,6 +238,7 @@ if ($resql)
 	}
 
 	print '<form method="post" action="societe.php" name="formfilter">';
+	print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
 
 	// Lignes des titres
 	print '<table class="liste" width="100%">';
-- 
GitLab