I noticed the function add_csrf() in core/classes/form.php that creates a hidden field for a CSRF token and also sets a validation rule. Maybe I'm missing how this is supposed to be used, but shouldn't the function also set the token value in the form field?
Yeah, you're right. It was a last-minute addition which I shouldn't have let through for RC3 as it wasn't ready yet. I use it with the JavaScript function to fill it, which caused me not to notice it didn't have an initial value when testing. I'll fix this in the develop branch.