Converting 4.6.x themes to 4.6.10

Drupal 4.6.10 added a new hidden form field, the form token, to protect against cross-site request forgeries (CSRF). The token ensures that a form submitted to the site was actually served by the site first, rather than being posted from somewhere else.

This token is added automatically to all forms generated via the form() function.

Forms that are not defined via the form() function do not get the token, which is a potential problem for themes that output their own form HTML.

Raw HTML forms

If your theme outputs a raw HTML form, it will (nearly) always fail validation on submission because the form_token field is missing. To solve this you need to add the hidden form_token field to the form.

Example (PHPTemplate search box):

<!-- Fails validation: no hidden form_token field is submitted with the form -->
<form action="<?php print $search_url ?>" method="post">
  <div id="search">
    <input class="form-text" type="text" size="15" value="" name="edit[keys]" /><input class="form-submit" type="submit" value="<?php print $search_button_text ?>" />
  </div>
</form>

Adding a form token just before the closing form tag solves the issue.

<!-- Corrected example: form_token() prints the hidden form_token field -->
<form action="<?php print $search_url ?>" method="post">
  <div id="search">
    <input class="form-text" type="text" size="15" value="" name="edit[keys]" /><input class="form-submit" type="submit" value="<?php print $search_button_text ?>" />
  </div>
  <?php print form_token() ?>
</form>

If you want your theme to keep functioning on earlier Drupal 4.6 versions, where form_token() does not exist, guard the call with function_exists('form_token'):

<!-- Corrected example, backwards compatible with 4.6 releases before 4.6.10 -->
<form action="<?php print $search_url ?>" method="post">
  <div id="search">
    <input class="form-text" type="text" size="15" value="" name="edit[keys]" /><input class="form-submit" type="submit" value="<?php print $search_button_text ?>" />
  </div>
  <?php if (function_exists('form_token')) { print form_token(); } ?>
</form>
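The check behind the examples above, as an added illustration that is not Drupal's own code: a minimal PHP model of a session-bound form token. The function names, the field name edit[form_token], the private key and the session ids are all assumed or constructed for this example. It shows why the raw form with no hidden field fails validation and why a token issued to one session is rejected when submitted from another.

```php
<?php
// Hypothetical model of a form token like the one form_token() emits.
// Not Drupal code; names, key and session ids are constructed.

// Derive the token from a server-side secret and the current session id,
// so a token is only valid for the session that was served the form.
function make_form_token(string $session_id, string $private_key): string {
    return hash_hmac('sha256', $session_id, $private_key);
}

// True only if the submitted value is the expected token for this session.
// hash_equals() compares in constant time.
function validate_form_token(?string $submitted, string $session_id, string $private_key): bool {
    if ($submitted === null || $submitted === '') {
        return false; // raw HTML form that never included the hidden field
    }
    $expected = make_form_token($session_id, $private_key);
    return hash_equals($expected, $submitted);
}

// The hidden field a theme must print inside <form> ... </form>.
// The field name edit[form_token] is an assumption for this example.
function form_token_field(string $session_id, string $private_key): string {
    $token = make_form_token($session_id, $private_key);
    return '<input type="hidden" name="edit[form_token]" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed values for the demonstration.
$private_key = 'constructed-private-key';
$session_a   = 'constructed-session-id-a';
$session_b   = 'constructed-session-id-b';

$token_a = make_form_token($session_a, $private_key);

// Form served to session A and submitted by session A: accepted.
var_dump(validate_form_token($token_a, $session_a, $private_key));

// Raw HTML form with no form_token field (the failing example above): rejected.
var_dump(validate_form_token(null, $session_a, $private_key));

// Token from session A submitted within session B: rejected.
var_dump(validate_form_token($token_a, $session_b, $private_key));

// The markup a theme would embed just before </form>.
echo form_token_field($session_a, $private_key), "\n";
```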


Drupal is a registered trademark of Dries Buytaert.