Index: openacs-4/packages/acs-templating/acs-templating.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/acs-templating.info,v
diff -u -r1.56.2.13 -r1.56.2.14
--- openacs-4/packages/acs-templating/acs-templating.info	24 Feb 2016 12:24:45 -0000	1.56.2.13
+++ openacs-4/packages/acs-templating/acs-templating.info	22 May 2016 19:25:47 -0000	1.56.2.14
@@ -9,7 +9,7 @@
     <implements-subsite-p>f</implements-subsite-p>
     <inherit-templates-p>t</inherit-templates-p>
     
-    <version name="5.9.1d4" url="http://openacs.org/repository/download/apm/acs-templating-5.9.1d4.apm">
+    <version name="5.9.1d5" url="http://openacs.org/repository/download/apm/acs-templating-5.9.1d5.apm">
         <owner url="http://openacs.org">OpenACS</owner>
         <summary>Templating library.</summary>
         <release-date>2015-10-04</release-date>
@@ -27,7 +27,8 @@
         <license>GPL version 2</license>
         <maturity>3</maturity>
 
-        <provides url="acs-templating" version="5.9.1d4"/>
+        <provides url="acs-templating" version="5.9.1d5"/>
+	<requires url="acs-tcl" version="5.9.1d8"/>
         <requires url="acs-kernel" version="5.9.0"/>
 
         <callbacks>
Index: openacs-4/packages/acs-templating/tcl/list-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/tcl/list-procs.tcl,v
diff -u -r1.60.2.9 -r1.60.2.10
--- openacs-4/packages/acs-templating/tcl/list-procs.tcl	18 Nov 2015 08:34:08 -0000	1.60.2.9
+++ openacs-4/packages/acs-templating/tcl/list-procs.tcl	22 May 2016 19:25:47 -0000	1.60.2.10
@@ -348,13 +348,18 @@
             error "You cannot have bulk_actions without providing a key for list '$name'"
         }
         # Create the checkbox element
+        set label {<input type="checkbox" name="_dummy" onclick="acs_ListCheckAll('$name', this.checked)"
+            onkeypress="acs_ListCheckAll('$name', this.checked)" title="[_ acs-templating.lt_Checkuncheck_all_rows]">}
+        if {[info exists ::__csrf_token]} {
+            append label \n [subst {<input type="hidden" name="__csrf_token" value="$::__csrf_token">}]
+        }
+        
         # We only ulevel 1 here, because we want the subst to be done in this namespace
         template::list::element::create \
             -list_name $name \
             -element_name $checkbox_name \
             -spec {
-                label {<input type="checkbox" name="_dummy" onclick="acs_ListCheckAll('$name', this.checked)"
-                    onkeypress="acs_ListCheckAll('$name', this.checked)" title="[_ acs-templating.lt_Checkuncheck_all_rows]">}
+                label $label
                 display_template {<input type="checkbox" name="$key" value="@$list_properties(multirow).$key@"
                     id="$name.@$list_properties(multirow).$key@" title="[_ acs-templating.lt_Checkuncheck_this_row]">}
                 sub_class {narrow}
@@ -507,10 +512,16 @@
         set list_properties(orderby_selected_name) $orderby_name
 
         if { $orderby_direction eq "" } {
-            template::list::orderby::get_reference \
-                -list_name $name \
-                -orderby_name $orderby_name
 
+            if {[catch {
+                template::list::orderby::get_reference \
+                    -list_name $name \
+                    -orderby_name $orderby_name
+            } errorMsg]} {
+                ad_page_contract_handle_datasource_error $errorMsg
+                ad_script_abort
+            }
+
             set orderby_direction $orderby_properties(default_direction)
         }
         set list_properties(orderby_selected_direction) $orderby_direction
@@ -1043,7 +1054,12 @@
     set result {}
     template::list::orderby::get_reference -list_name $name -orderby_name $list_properties(orderby_selected_name)
 
+    if {![info exists orderby_properties(orderby_$list_properties(orderby_selected_direction))]} {
+        ad_page_contract_handle_datasource_error "invalid value for orderby: $list_properties(orderby_selected_direction)"
+        ad_script_abort
+    }
     set result $orderby_properties(orderby_$list_properties(orderby_selected_direction))
+
     if { $orderby_p && $result ne "" } {
         set result "order by $result"
     }
Index: openacs-4/packages/acs-templating/www/doc/demo/contract-2.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/demo/contract-2.tcl,v
diff -u -r1.3.12.1 -r1.3.12.2
--- openacs-4/packages/acs-templating/www/doc/demo/contract-2.tcl	10 Sep 2015 08:22:09 -0000	1.3.12.1
+++ openacs-4/packages/acs-templating/www/doc/demo/contract-2.tcl	22 May 2016 19:25:47 -0000	1.3.12.2
@@ -13,7 +13,9 @@
 } -errors {
   supersticion {This number brings you no luck.}
 } -properties {
-  phrase:onevalue
+    phrase:onevalue
+} -validate {
+    csrf { security::csrf::validate }   
 } -return_errors error_list
 
 if {[info exists error_list]} {
Index: openacs-4/packages/acs-templating/www/doc/demo/contract.adp
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/demo/contract.adp,v
diff -u -r1.4 -r1.4.2.1
--- openacs-4/packages/acs-templating/www/doc/demo/contract.adp	23 Jun 2015 14:23:07 -0000	1.4
+++ openacs-4/packages/acs-templating/www/doc/demo/contract.adp	22 May 2016 19:25:47 -0000	1.4.2.1
@@ -1,7 +1,7 @@
 <master>
 <property name="doc(title)">User Input Form</property>
 
-<form action=contract-2>
+<form action="contract-2">
   <table>
     <tr><th>How many?</th><td><input name="count" value="2"></td>
         <td>(not 13)</td></tr>
@@ -12,7 +12,9 @@
       <td>(optional)</td>
     </tr>
     <tr>
-      <th colspan="2"><input type="submit" value="Go"></th>
+      <th colspan="2"><input type="submit" value="Go">
+      <if @::__csrf_token@ defined><input type="hidden" name="__csrf_token" value="@::__csrf_token;literal@"></if>
+      </th>
     </tr>
   </table>
 </form>
Index: openacs-4/packages/acs-templating/www/doc/demo/form.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/demo/form.tcl,v
diff -u -r1.4.28.1 -r1.4.28.2
--- openacs-4/packages/acs-templating/www/doc/demo/form.tcl	10 Sep 2015 08:22:10 -0000	1.4.28.1
+++ openacs-4/packages/acs-templating/www/doc/demo/form.tcl	22 May 2016 19:25:48 -0000	1.4.28.2
@@ -1,3 +1,10 @@
+ad_page_contract {
+    Demo page
+} {
+    {user_id:integer,notnull ""}
+    {state:word ""}
+}
+
 form create add_user -elements {
     user_id -label "User ID" -datatype integer -widget hidden
     first_name -html { size 30 } -label "First Name" -datatype text
@@ -23,12 +30,10 @@
 
 if { [form is_valid add_user] } {
 
-    db_dml insert_sample "
-    insert into 
-      ad_template_sample_users 
-    values (
-      :user_id, :first_name, :last_name, :address1, :address2, :city, :state
-    )" -bind [ns_getform]
+    db_dml insert_sample {
+        insert into  ad_template_sample_users 
+        values ( :user_id, :first_name, :last_name, :address1, :address2, :city, :state)
+    } -bind [ns_getform]
 
     template::forward index.html
 }
Index: openacs-4/packages/acs-templating/www/doc/demo/list5/add-edit.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/demo/list5/add-edit.tcl,v
diff -u -r1.3.2.1 -r1.3.2.2
--- openacs-4/packages/acs-templating/www/doc/demo/list5/add-edit.tcl	10 Sep 2015 08:22:14 -0000	1.3.2.1
+++ openacs-4/packages/acs-templating/www/doc/demo/list5/add-edit.tcl	22 May 2016 19:25:48 -0000	1.3.2.2
@@ -26,7 +26,7 @@
 
     # The "note" object type's key
 
-    note_id:key
+    id:key
 
     # "title" is of type text and will use a "text" widget.
 
@@ -42,6 +42,25 @@
         {html {rows 10 cols 40}}
     }
 
+    {vitamins:text(checkbox) 
+        {label "Vitamins"}
+        {options {
+            {Lettuce lettuce}
+            {"&nbsp;Tomato" tomato}
+            {"&nbsp;&nbsp;Pickle" pickle}
+            {"&nbsp;&nbsp;&nbsp;Sprouts" sprouts}
+        }}
+    }
+
+    {action:text(select)
+        {label Action}
+        {options {
+            { "&nbsp;&nbsp;&nbsp;&nbsp;aaa" a }
+            { "&nbsp;&nbsp;bbb" b }
+            { "<c>" c }
+        }}
+    }
+
 } -new_request {
 
     # By convention packages only allow a user to create new objects if the user has
Index: openacs-4/packages/acs-templating/www/doc/demo/list9/delete.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-templating/www/doc/demo/list9/delete.tcl,v
diff -u -r1.2.2.1 -r1.2.2.2
--- openacs-4/packages/acs-templating/www/doc/demo/list9/delete.tcl	10 Sep 2015 08:22:15 -0000	1.2.2.1
+++ openacs-4/packages/acs-templating/www/doc/demo/list9/delete.tcl	22 May 2016 19:25:48 -0000	1.2.2.2
@@ -7,6 +7,8 @@
   @cvs-id $Id$
 } {
   template_demo_note_id:naturalnum,notnull,multiple
+} -validate {
+    csrf { security::csrf::validate }
 }
 
 foreach template_demo_note_id $template_demo_note_id {