JHtmlForm is a utility class for form elements. It has two methods: token() and csrf().

1. token()

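It returns a hidden token field to reduce the risk of CSRF exploits. The field's name is the session's form token and its value is 1. This method is used in conjunction with JSession::checkToken(), which must be called in the code that handles the submitted form.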

  • array $attribs - Input element attributes
  • return - string A hidden input field with a token
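    public static function token(array $attribs = array())
    {
        $attributes = '';

        // Serialise any extra attributes (ArrayHelper is Joomla\Utilities\ArrayHelper).
        if ($attribs !== array())
        {
            $attributes .= ' ' . ArrayHelper::toString($attribs);
        }

        // The token is the field *name*; the value is always "1".
        return '<input type="hidden" name="' . JSession::getFormToken() . '" value="1"' . $attributes . ' />';
    }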

2. csrf()

It adds the CSRF form token to the Joomla script options so that developers can read it from JavaScript.

  • string $name - The script option key name.
  • return - void
    public static function csrf($name = 'csrf.token')
    {
        // Add the token only once per option key.
        if (isset(static::$loaded[__METHOD__][$name]))
        {
            return;
        }

        /** @var JDocumentHtml $doc */
        $doc = JFactory::getDocument();

        // Script options exist only on HTML documents; do nothing otherwise.
        if (!$doc instanceof JDocumentHtml || $doc->getType() !== 'html')
        {
            return;
        }

        $doc->addScriptOptions($name, JSession::getFormToken());

        static::$loaded[__METHOD__][$name] = true;
    }
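
The client side of csrf(), as an added example that is not Joomla core code: it reads the token from the script options and attaches it to a POST body in the same shape as the hidden field from token() (field name = token, value = 1). The helper names, the `pageOrigin` parameter and the `com_example` URL are assumptions made for illustration; the handler on the server still has to call JSession::checkToken().

```javascript
// Added example (not Joomla core code). Assumes the page was rendered after
// csrf() ran, so the token sits under the 'csrf.token' script option.

// getOptions is a lookup function; in the browser, wrap Joomla.getOptions.
function readCsrfToken(getOptions, name = 'csrf.token') {
  const token = getOptions(name);
  // csrf() returns early for non-HTML documents, so the option can be
  // missing. Fail closed instead of sending a request without a token.
  if (typeof token !== 'string' || token === '') {
    throw new Error('CSRF token option "' + name + '" is not set');
  }
  return token;
}

// Build a POST request that carries the token the way token() does.
function buildTokenizedPost(url, fields, getOptions, pageOrigin) {
  const target = new URL(url, pageOrigin);
  // Never attach the session's token to a request that leaves the site.
  if (target.origin !== new URL(pageOrigin).origin) {
    throw new Error('Refusing to send CSRF token to ' + target.origin);
  }
  const body = new URLSearchParams(fields);
  body.set(readCsrfToken(getOptions), '1');
  return {
    url: target.href,
    init: {
      method: 'POST',
      credentials: 'same-origin',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Browser usage (hypothetical component and task names):
// const req = buildTokenizedPost(
//   'index.php?option=com_example&task=item.save',
//   { title: 'Hello' },
//   (key) => Joomla.getOptions(key),
//   window.location.origin
// );
// fetch(req.url, req.init);
```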