Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -re6dc4db4137cfd6b07a4aa79711b9d12b39fb78e -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision e6dc4db4137cfd6b07a4aa79711b9d12b39fb78e)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -60,6 +60,22 @@
 org.owasp.csrfguard.protected.centralPortraitDelete=/lams/saveportrait/deletePortrait.do
 org.owasp.csrfguard.protected.centralPortraitSave=/lams/saveportrait.do
 
+#QB
+org.owasp.csrfguard.protected.centralSaveQuestion=/lams/qb/edit/saveOrUpdateQuestion.do
+org.owasp.csrfguard.protected.centralSaveQTI=/lams/imsqti/saveQTI.do
+org.owasp.csrfguard.protected.centralExportQuestionAsQTI=/lams/imsqti/exportQuestionAsQTI.do
+org.owasp.csrfguard.protected.centralExportCollectionAsQTI=/lams/imsqti/exportCollectionAsQTI.do
+org.owasp.csrfguard.protected.centralShareCollection=/lams/qb/collection/shareCollection.do
+org.owasp.csrfguard.protected.centralUnshareCollection=/lams/qb/collection/unshareCollection.do
+org.owasp.csrfguard.protected.centralRemoveCollection=/lams/qb/collection/removeCollection.do
+org.owasp.csrfguard.protected.centralChangeCollectionName=/lams/qb/collection/changeCollectionName.do
+org.owasp.csrfguard.protected.centralAddCollection=/lams/qb/collection/addCollection.do
+org.owasp.csrfguard.protected.centralAddCollectionQuestion=/lams/qb/collection/addCollectionQuestion.do
+org.owasp.csrfguard.protected.centralRemoveCollectionQuestion=/lams/qb/collection/removeCollectionQuestion.do
+org.owasp.csrfguard.protected.centralMergeQuestions=/lams/qb/stats/merge.do
+org.owasp.csrfguard.protected.centralExportQuestionsXml=/lams/xmlQuestions/exportQuestionsXml.do
+org.owasp.csrfguard.protected.centralImportQuestionsXml=/lams/xmlQuestions/importQuestionsXml.do
+
 #Author
 org.owasp.csrfguard.protected.centralAuthorSaveLearningDesign=/lams/authoring/saveLearningDesign.do
 org.owasp.csrfguard.protected.centralExportLearningDesign=/lams/authoring/exportToolContent/export.do
@@ -103,6 +119,7 @@
 
 org.owasp.csrfguard.protected.assessmentAuthoringSave=/lams/tool/laasse10/authoring/updateContent.do
 org.owasp.csrfguard.protected.assessmentAuthoringDefineLater=/lams/tool/laasse10/authoring/definelater.do
+org.owasp.csrfguard.protected.assessmentAuthoringQBSaveQuestion=/lams/tool/laasse10/authoring/saveOrUpdateReference.do
 org.owasp.csrfguard.protected.assessmentDiscloseCorrectAnswers=/lams/tool/laasse10/monitoring/discloseCorrectAnswers.do
 org.owasp.csrfguard.protected.assessmentDiscloseGroupsAnswers=/lams/tool/laasse10/monitoring/discloseGroupsAnswers.do
 org.owasp.csrfguard.protected.assessmentMonitoringSubmissionDeadline=/lams/tool/laasse10/monitoring/setSubmissionDeadline.do
@@ -151,6 +168,7 @@
 
 org.owasp.csrfguard.protected.laqaAuthoringSave=/lams/tool/laqa11/authoring/submitAllContent.do
 org.owasp.csrfguard.protected.laqaAuthoringDefineLater=/lams/tool/laqa11/authoring/definelater.do
+org.owasp.csrfguard.protected.laqaAuthoringSaveQuestion=/lams/tool/laqa11/authoring/saveQuestion.do
 org.owasp.csrfguard.protected.laqaAuthoringRemoveQ=/lams/tool/laqa11/authoring/removeQuestion.do
 org.owasp.csrfguard.protected.laqaAuthoringSaveOrUpdateCondition=/lams/tool/laqa11/authoringConditions/saveOrUpdateCondition.do
 org.owasp.csrfguard.protected.laqaAuthoringRemoveCondition=/lams/tool/laqa11/authoringConditions/removeCondition.do
Index: lams_central/src/java/org/lamsfoundation/lams/web/qb/EditQbQuestionController.java
===================================================================
diff -u -r9f4d4f19dc70ef350ebab8e6aa89cb05e1c78c04 -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/src/java/org/lamsfoundation/lams/web/qb/EditQbQuestionController.java	(.../EditQbQuestionController.java)	(revision 9f4d4f19dc70ef350ebab8e6aa89cb05e1c78c04)
+++ lams_central/src/java/org/lamsfoundation/lams/web/qb/EditQbQuestionController.java	(.../EditQbQuestionController.java)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -39,6 +39,7 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.context.WebApplicationContext;
@@ -164,10 +165,9 @@
      * <code>HttpSession</code> temporarily. Only they will be persist when the entire authoring page is being
      * persisted.
      */
-    @RequestMapping("/saveOrUpdateQuestion")
+    @RequestMapping(path = "/saveOrUpdateQuestion", method = RequestMethod.POST)
     public String saveOrUpdateQuestion(@ModelAttribute("assessmentQuestionForm") QbQuestionForm form,
 	    HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
-
 	//find according question
 	QbQuestion qbQuestion = null;
 	Long oldQuestionUid = null;
Index: lams_central/src/java/org/lamsfoundation/lams/web/qb/ImsQtiController.java
===================================================================
diff -u -r15e26ff93a8345fa88a194d9344d97870247b63c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/src/java/org/lamsfoundation/lams/web/qb/ImsQtiController.java	(.../ImsQtiController.java)	(revision 15e26ff93a8345fa88a194d9344d97870247b63c)
+++ lams_central/src/java/org/lamsfoundation/lams/web/qb/ImsQtiController.java	(.../ImsQtiController.java)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -27,10 +27,13 @@
 import org.lamsfoundation.lams.util.MessageService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.ResponseStatus;
 
 /**
  * Exports and imports IMS QTI questions.
@@ -55,7 +58,7 @@
     /**
      * Parses questions extracted from IMS QTI file and adds them as new QB questions.
      */
-    @RequestMapping(path = "/saveQTI", produces = "text/plain")
+    @RequestMapping(path = "/saveQTI", produces = "text/plain", method = RequestMethod.POST)
     @ResponseBody
     public String saveQTI(HttpServletRequest request, @RequestParam long collectionUid,
 	    @RequestParam(defaultValue = "") String contentFolderID) throws UnsupportedEncodingException {
@@ -356,31 +359,31 @@
     /**
      * Exports QB question as IMS QTI package.
      */
-    @RequestMapping("/exportQuestionAsQTI")
-    public String exportQuestionAsQTI(HttpServletRequest request, HttpServletResponse response,
+    @RequestMapping(path = "/exportQuestionAsQTI", method = RequestMethod.POST)
+    @ResponseStatus(HttpStatus.OK)
+    public void exportQuestionAsQTI(HttpServletRequest request, HttpServletResponse response,
 	    @RequestParam long qbQuestionUid) {
 	QbQuestion qbQuestion = qbService.getQuestionByUid(qbQuestionUid);
 	List<QbQuestion> qbQuestions = new LinkedList<>();
 	qbQuestions.add(qbQuestion);
 
 	String fileTitle = qbQuestion.getName();
 	exportQTI(request, response, qbQuestions, fileTitle);
-	return null;
     }
 
     /**
      * Exports all questions from QB Collection as IMS QTI package.
      */
-    @RequestMapping("/exportCollectionAsQTI")
-    public String exportCollectionAsQTI(HttpServletRequest request, HttpServletResponse response,
+    @RequestMapping(path = "/exportCollectionAsQTI", method = RequestMethod.POST)
+    @ResponseStatus(HttpStatus.OK)
+    public void exportCollectionAsQTI(HttpServletRequest request, HttpServletResponse response,
 	    @RequestParam long collectionUid) {
 	List<QbQuestion> qbQuestions = qbService.getCollectionQuestions(collectionUid);
 
 	QbCollection collection = qbService.getCollectionByUid(collectionUid);
 	String fileTitle = collection.getName();
 
 	exportQTI(request, response, qbQuestions, fileTitle);
-	return null;
     }
 
     /**
Index: lams_central/src/java/org/lamsfoundation/lams/web/qb/QbCollectionController.java
===================================================================
diff -u -rfc07ada0cd5f3c0908d18243832dceb01efe2992 -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/src/java/org/lamsfoundation/lams/web/qb/QbCollectionController.java	(.../QbCollectionController.java)	(revision fc07ada0cd5f3c0908d18243832dceb01efe2992)
+++ lams_central/src/java/org/lamsfoundation/lams/web/qb/QbCollectionController.java	(.../QbCollectionController.java)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -49,6 +49,7 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.w3c.dom.Document;
@@ -190,13 +191,13 @@
 	return null;
     }
 
-    @RequestMapping("/removeCollectionQuestion")
+    @RequestMapping(path = "/removeCollectionQuestion", method = RequestMethod.POST)
     @ResponseBody
     public void removeCollectionQuestion(@RequestParam long collectionUid, @RequestParam int qbQuestionId) {
 	qbService.removeQuestionFromCollectionByQuestionId(collectionUid, qbQuestionId, true);
     }
 
-    @RequestMapping("/addCollectionQuestion")
+    @RequestMapping(path = "/addCollectionQuestion", method = RequestMethod.POST)
     @ResponseBody
     public void addCollectionQuestion(@RequestParam long targetCollectionUid, @RequestParam boolean copy,
 	    @RequestParam int qbQuestionId) {
@@ -206,7 +207,7 @@
 	qbService.addQuestionToCollection(targetCollectionUid, qbQuestionId, copy);
     }
 
-    @RequestMapping("/addCollection")
+    @RequestMapping(path = "/addCollection", method = RequestMethod.POST)
     @ResponseBody
     public void addCollection(@RequestParam String name) {
 	if (!Configuration.getAsBoolean(ConfigurationKeys.QB_COLLECTIONS_CREATE_ALLOW)) {
@@ -215,7 +216,7 @@
 	qbService.addCollection(getUserId(), name);
     }
 
-    @RequestMapping("/changeCollectionName")
+    @RequestMapping(path = "/changeCollectionName", method = RequestMethod.POST)
     @ResponseBody
     public String changeCollectionName(@RequestParam(name = "pk") long collectionUid,
 	    @RequestParam(name = "value") String name) {
@@ -236,19 +237,19 @@
 	return "true";
     }
 
-    @RequestMapping("/removeCollection")
+    @RequestMapping(path = "/removeCollection", method = RequestMethod.POST)
     @ResponseBody
     public void removeCollection(@RequestParam long collectionUid) {
 	qbService.removeCollection(collectionUid);
     }
 
-    @RequestMapping("/shareCollection")
+    @RequestMapping(path = "/shareCollection", method = RequestMethod.POST)
     @ResponseBody
     public void shareCollection(@RequestParam long collectionUid, @RequestParam int organisationId) {
 	qbService.shareCollection(collectionUid, organisationId);
     }
 
-    @RequestMapping("/unshareCollection")
+    @RequestMapping(path = "/unshareCollection", method = RequestMethod.POST)
     @ResponseBody
     public void unshareCollection(@RequestParam long collectionUid, @RequestParam int organisationId) {
 	qbService.unshareCollection(collectionUid, organisationId);
Index: lams_central/src/java/org/lamsfoundation/lams/web/qb/QbStatsController.java
===================================================================
diff -u -r5040f0c9ea761a4189272de822e5736f21b3bfe1 -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/src/java/org/lamsfoundation/lams/web/qb/QbStatsController.java	(.../QbStatsController.java)	(revision 5040f0c9ea761a4189272de822e5736f21b3bfe1)
+++ lams_central/src/java/org/lamsfoundation/lams/web/qb/QbStatsController.java	(.../QbStatsController.java)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -48,6 +48,7 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 
 @Controller
@@ -103,7 +104,7 @@
 	return "qb/stats";
     }
 
-    @RequestMapping("/merge")
+    @RequestMapping(path = "/merge", method = RequestMethod.POST)
     public String mergeQuestions(@RequestParam long sourceQbQuestionUid, @RequestParam long targetQbQuestionUid,
 	    Model model) throws Exception {
 	if (!Configuration.getAsBoolean(ConfigurationKeys.QB_MERGE_ENABLE)) {
Index: lams_central/src/java/org/lamsfoundation/lams/web/qb/XmlQuestionsController.java
===================================================================
diff -u -r7dc409ffd76dcebc2d210a3a128cdcbba171ff33 -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/src/java/org/lamsfoundation/lams/web/qb/XmlQuestionsController.java	(.../XmlQuestionsController.java)	(revision 7dc409ffd76dcebc2d210a3a128cdcbba171ff33)
+++ lams_central/src/java/org/lamsfoundation/lams/web/qb/XmlQuestionsController.java	(.../XmlQuestionsController.java)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -22,6 +22,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.multipart.MultipartFile;
@@ -58,7 +59,7 @@
      * Imports questions into question bank from uploaded xml file.
      */
     @SuppressWarnings("unchecked")
-    @RequestMapping("/importQuestionsXml")
+    @RequestMapping(path = "/importQuestionsXml", method = RequestMethod.POST)
     @ResponseBody
     public void importQuestionsXml(@RequestParam("UPLOAD_FILE") MultipartFile file, HttpServletRequest request,
 	    @RequestParam long collectionUid) throws ServletException {
@@ -110,7 +111,7 @@
     /**
      * Exports xml format questions from question collection.
      */
-    @RequestMapping("/exportQuestionsXml")
+    @RequestMapping(path = "/exportQuestionsXml", method = RequestMethod.POST)
     public void exportQuestionsXml(HttpServletRequest request, HttpServletResponse response,
 	    @RequestParam long collectionUid) {
 	List<QbQuestion> qbQuestions = qbService.getCollectionQuestions(collectionUid);
Index: lams_central/web/authoring/template/tbl/tbl.jsp
===================================================================
diff -u -r4c2d1f37b92435907ec4ce23cb635a7cd9e4161e -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/authoring/template/tbl/tbl.jsp	(.../tbl.jsp)	(revision 4c2d1f37b92435907ec4ce23cb635a7cd9e4161e)
+++ lams_central/web/authoring/template/tbl/tbl.jsp	(.../tbl.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -87,13 +87,13 @@
 	    	var form = $($.parseHTML(formHTML));
 
 	    	if ( callerID == 'mcq' ) {
-		    	var nextNum  = +$('#numQuestions').val()+1,
-						url=getSubmissionURL()+'/importQTI.do?contentFolderID=${contentFolderID}&templatePage=mcquestionQTI&questionNumber='
+		    	var nextNum = +$('#numQuestions').val()+1,
+						url = getSubmissionURL()+'/importQTI.do?contentFolderID=${contentFolderID}&templatePage=mcquestionQTI&questionNumber='
 								+nextNum+'&numQuestionsFieldname=numQuestions';
 				$.ajaxSetup({ cache: true });
 				$.ajax({
-					type: "POST",
 					url: url,
+					type: "POST",
 					data: form.serializeArray(),
 					success: function(response, status, xhr) {
 						if ( status == "error" ) {
@@ -106,15 +106,15 @@
 				});
 	    	} else {
 	    		var	appexIndex = +(callerID.substring(5)),
-	    				numQuestionsFieldname = 'numAssessments'+appexIndex,
-	    				containingDivName = 'divass'+appexIndex,
-		    			nextNum  = +$('#'+numQuestionsFieldname).val()+1,
-		    			url=getSubmissionURL()+'/importQTI.do?contentFolderID=${contentFolderID}&templatePage=assessmentQTI&questionNumber='
+	    			numQuestionsFieldname = 'numAssessments'+appexIndex,
+	    			containingDivName = 'divass'+appexIndex,
+		    		nextNum = +$('#'+numQuestionsFieldname).val()+1,
+		    		url = getSubmissionURL()+'/importQTI.do?contentFolderID=${contentFolderID}&templatePage=assessmentQTI&questionNumber='
 		    					+nextNum+'&containingDivName='+containingDivName+'&numQuestionsFieldname='+numQuestionsFieldname;
 				$.ajaxSetup({ cache: true });
 				$.ajax({
-					type: "POST",
 					url: url,
+					type: "POST",
 					data: form.serializeArray(),
 					success: function(response, status, xhr) {
 						if ( status == "error" ) {
@@ -128,13 +128,10 @@
 	    	}
 	    }
 
-	</script>
-    <script>
         $(document).ready(function(){
-        $('[data-toggle="tooltip"]').tooltip();
+        	$('[data-toggle="tooltip"]').tooltip();
         });
     </script>
-	
 </lams:head>
 	
 <body class="stripes">
Index: lams_central/web/qb/authoring/addVsa.jsp
===================================================================
diff -u -re8a7110708b15579af2c6b31ac52a6da427fef6d -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/addVsa.jsp	(.../addVsa.jsp)	(revision e8a7110708b15579af2c6b31ac52a6da427fef6d)
+++ lams_central/web/qb/authoring/addVsa.jsp	(.../addVsa.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -100,6 +100,7 @@
 				<form:hidden path="questionId" />
 				<input type="hidden" name="questionType" id="questionType" value="${questionType}" />
 				<input type="hidden" name="optionList" id="optionList" />
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="oldCollectionUid" id="old-collection-uid"/>
 				<form:hidden path="newCollectionUid" id="new-collection-uid"/>
 				<form:hidden path="contentFolderID" id="contentFolderID"/>
Index: lams_central/web/qb/authoring/addessay.jsp
===================================================================
diff -u -r9ebb0762842cde9a358626a248132bc7ca650f3c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/addessay.jsp	(.../addessay.jsp)	(revision 9ebb0762842cde9a358626a248132bc7ca650f3c)
+++ lams_central/web/qb/authoring/addessay.jsp	(.../addessay.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -124,6 +124,7 @@
 				<form:hidden path="questionType" value="6"/>
 				<form:hidden path="oldCollectionUid" id="old-collection-uid"/>
 				<form:hidden path="newCollectionUid" id="new-collection-uid"/>
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 
 				<button type="button" id="question-settings-link" class="btn btn-default btn-sm">
 					<fmt:message key="label.settings" />
Index: lams_central/web/qb/authoring/addmarkhedging.jsp
===================================================================
diff -u -rd8bb9e0996a5490f2ab4b047baadf4aa4da9db8a -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/addmarkhedging.jsp	(.../addmarkhedging.jsp)	(revision d8bb9e0996a5490f2ab4b047baadf4aa4da9db8a)
+++ lams_central/web/qb/authoring/addmarkhedging.jsp	(.../addmarkhedging.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -85,6 +85,7 @@
 				<form:hidden path="questionId" />
 				<input type="hidden" name="questionType" id="questionType" value="${questionType}" />
 				<input type="hidden" name="optionList" id="optionList" />
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="oldCollectionUid" id="old-collection-uid"/>
 				<form:hidden path="newCollectionUid" id="new-collection-uid"/>
 				<form:hidden path="contentFolderID" id="contentFolderID"/>
Index: lams_central/web/qb/authoring/addmatchingpairs.jsp
===================================================================
diff -u -r9ebb0762842cde9a358626a248132bc7ca650f3c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/addmatchingpairs.jsp	(.../addmatchingpairs.jsp)	(revision 9ebb0762842cde9a358626a248132bc7ca650f3c)
+++ lams_central/web/qb/authoring/addmatchingpairs.jsp	(.../addmatchingpairs.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -77,6 +77,7 @@
 				<form:hidden path="questionId" />
 				<input type="hidden" name="questionType" id="questionType" value="${questionType}" />
 				<input type="hidden" name="optionList" id="optionList" />
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="oldCollectionUid" id="old-collection-uid"/>
 				<form:hidden path="newCollectionUid" id="new-collection-uid"/>
 				<form:hidden path="contentFolderID" id="contentFolderID"/>				
Index: lams_central/web/qb/authoring/addmultiplechoice.jsp
===================================================================
diff -u -r9ebb0762842cde9a358626a248132bc7ca650f3c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/addmultiplechoice.jsp	(.../addmultiplechoice.jsp)	(revision 9ebb0762842cde9a358626a248132bc7ca650f3c)
+++ lams_central/web/qb/authoring/addmultiplechoice.jsp	(.../addmultiplechoice.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -126,6 +126,7 @@
 				<form:hidden path="questionId" />
 				<input type="hidden" name="questionType" id="questionType" value="${questionType}" />
 				<input type="hidden" name="optionList" id="optionList" />
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="oldCollectionUid" id="old-collection-uid"/>
 				<form:hidden path="newCollectionUid" id="new-collection-uid"/>
 				<form:hidden path="contentFolderID" id="contentFolderID"/>
Index: lams_central/web/qb/authoring/addnumerical.jsp
===================================================================
diff -u -r9ebb0762842cde9a358626a248132bc7ca650f3c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/addnumerical.jsp	(.../addnumerical.jsp)	(revision 9ebb0762842cde9a358626a248132bc7ca650f3c)
+++ lams_central/web/qb/authoring/addnumerical.jsp	(.../addnumerical.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -138,6 +138,7 @@
 				<input type="hidden" name="questionType" id="questionType" value="${questionType}" />
 				<input type="hidden" name="optionList" id="optionList" />
 				<input type="hidden" name="unitList" id="unitList" />
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="oldCollectionUid" id="old-collection-uid"/>
 				<form:hidden path="newCollectionUid" id="new-collection-uid"/>
 				<form:hidden path="contentFolderID" id="contentFolderID"/>
Index: lams_central/web/qb/authoring/addordering.jsp
===================================================================
diff -u -r9ebb0762842cde9a358626a248132bc7ca650f3c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/addordering.jsp	(.../addordering.jsp)	(revision 9ebb0762842cde9a358626a248132bc7ca650f3c)
+++ lams_central/web/qb/authoring/addordering.jsp	(.../addordering.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -80,6 +80,7 @@
 				<form:hidden path="questionId" />
 				<input type="hidden" name="questionType" id="questionType" value="${questionType}" />
 				<input type="hidden" name="optionList" id="optionList" />
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="oldCollectionUid" id="old-collection-uid"/>
 				<form:hidden path="newCollectionUid" id="new-collection-uid"/>
 				<form:hidden path="contentFolderID" id="contentFolderID"/>
Index: lams_central/web/qb/authoring/addtruefalse.jsp
===================================================================
diff -u -r9ebb0762842cde9a358626a248132bc7ca650f3c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/addtruefalse.jsp	(.../addtruefalse.jsp)	(revision 9ebb0762842cde9a358626a248132bc7ca650f3c)
+++ lams_central/web/qb/authoring/addtruefalse.jsp	(.../addtruefalse.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -85,6 +85,7 @@
 				<form:hidden path="uid" />
 				<form:hidden path="questionId" />
 				<input type="hidden" name="questionType" id="questionType" value="${questionType}" />
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="oldCollectionUid" id="old-collection-uid"/>
 				<form:hidden path="newCollectionUid" id="new-collection-uid"/>
 
Index: lams_central/web/qb/authoring/matchingpairoption.jsp
===================================================================
diff -u -r6cbd849584c40532c6be292f9f009c88cde9439c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/matchingpairoption.jsp	(.../matchingpairoption.jsp)	(revision 6cbd849584c40532c6be292f9f009c88cde9439c)
+++ lams_central/web/qb/authoring/matchingpairoption.jsp	(.../matchingpairoption.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,3 +1,5 @@
+<%@ include file="/common/taglibs.jsp"%>
+
 <input type="hidden" name="optionDisplayOrder${status.index}" value="${option.displayOrder}">
 <input type="hidden" name="optionUid${status.index}" value="${option.uid}">
 
Index: lams_central/web/qb/authoring/numericaloption.jsp
===================================================================
diff -u -r6cbd849584c40532c6be292f9f009c88cde9439c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/numericaloption.jsp	(.../numericaloption.jsp)	(revision 6cbd849584c40532c6be292f9f009c88cde9439c)
+++ lams_central/web/qb/authoring/numericaloption.jsp	(.../numericaloption.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,3 +1,5 @@
+<%@ include file="/common/taglibs.jsp"%>
+
 <input type="hidden" name="optionDisplayOrder${status.index}" value="${option.displayOrder}">
 <input type="hidden" name="optionUid${status.index}" value="${option.uid}">
 
Index: lams_central/web/qb/authoring/option.jsp
===================================================================
diff -u -r6cbd849584c40532c6be292f9f009c88cde9439c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/option.jsp	(.../option.jsp)	(revision 6cbd849584c40532c6be292f9f009c88cde9439c)
+++ lams_central/web/qb/authoring/option.jsp	(.../option.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,3 +1,5 @@
+<%@ include file="/common/taglibs.jsp"%>
+
 <input type="hidden" name="optionDisplayOrder${status.index}" value="${option.displayOrder}">
 <input type="hidden" name="optionUid${status.index}" value="${option.uid}">
 
Index: lams_central/web/qb/authoring/optionhedgingmark.jsp
===================================================================
diff -u -r6cbd849584c40532c6be292f9f009c88cde9439c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/optionhedgingmark.jsp	(.../optionhedgingmark.jsp)	(revision 6cbd849584c40532c6be292f9f009c88cde9439c)
+++ lams_central/web/qb/authoring/optionhedgingmark.jsp	(.../optionhedgingmark.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,3 +1,5 @@
+<%@ include file="/common/taglibs.jsp"%>
+
 <input type="hidden" name="optionDisplayOrder${status.index}" value="${option.displayOrder}">
 <input type="hidden" name="optionUid${status.index}" value="${option.uid}">
 
Index: lams_central/web/qb/authoring/orderingoption.jsp
===================================================================
diff -u -r6cbd849584c40532c6be292f9f009c88cde9439c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/orderingoption.jsp	(.../orderingoption.jsp)	(revision 6cbd849584c40532c6be292f9f009c88cde9439c)
+++ lams_central/web/qb/authoring/orderingoption.jsp	(.../orderingoption.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,3 +1,5 @@
+<%@ include file="/common/taglibs.jsp"%>
+
 <input type="hidden" name="optionDisplayOrder${status.index}" value="${option.displayOrder}">
 <input type="hidden" name="optionUid${status.index}" value="${option.uid}">
 
Index: lams_central/web/qb/authoring/vsaOption.jsp
===================================================================
diff -u -re8a7110708b15579af2c6b31ac52a6da427fef6d -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/authoring/vsaOption.jsp	(.../vsaOption.jsp)	(revision e8a7110708b15579af2c6b31ac52a6da427fef6d)
+++ lams_central/web/qb/authoring/vsaOption.jsp	(.../vsaOption.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,3 +1,5 @@
+<%@ include file="/common/taglibs.jsp"%>
+
 <input type="hidden" name="optionDisplayOrder${status.index}" value="${option.displayOrder}">
 <input type="hidden" name="optionUid${status.index}" value="${option.uid}">
 
Index: lams_central/web/qb/collection.jsp
===================================================================
diff -u -r9846a1d61f34b45ba6db0e6a7daf2a620e607c83 -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/collection.jsp	(.../collection.jsp)	(revision 9846a1d61f34b45ba6db0e6a7daf2a620e607c83)
+++ lams_central/web/qb/collection.jsp	(.../collection.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,10 +1,7 @@
-<%@ page contentType="text/html; charset=utf-8" language="java"%>
-<%@ taglib uri="tags-lams" prefix="lams"%>
-<%@ taglib uri="tags-fmt" prefix="fmt"%>
-<%@ taglib uri="tags-core" prefix="c"%>
+<!DOCTYPE html>
+<%@ include file="/common/taglibs.jsp"%>
 <c:set var="hasQuestions" value="${questionCount > 0}" />
 
-<!DOCTYPE html>
 <lams:html>
 <lams:head>
 	<title><fmt:message key="label.qb.collection" /></title>
@@ -199,7 +196,7 @@
 				$('#collection-name').editable({
 				    type: 'text',
 				    pk: ${collection.uid},
-				    url: "<lams:LAMSURL />qb/collection/changeCollectionName.do",
+				    url: "<lams:LAMSURL />qb/collection/changeCollectionName.do?<csrf:token/>",
 				    validate: function(value) {
 					    //close editing area on validation failure
 			            if (!value.trim()) {
@@ -322,7 +319,8 @@
 					'type' : 'POST',
 					'dataType' : 'text',
 					'data' : {
-						'collectionUid' : ${collection.uid}
+						'collectionUid' : ${collection.uid},
+						"<csrf:tokenname/>" : "<csrf:tokenvalue/>"
 					},
 					'cache' : false
 				}).done(function(){
@@ -341,7 +339,8 @@
 				'dataType' : 'text',
 				'data' : {
 					'collectionUid' : ${collection.uid},
-					'organisationId': organisationId
+					'organisationId' : organisationId,
+					"<csrf:tokenname/>" : "<csrf:tokenvalue/>"
 				},
 				'cache' : false
 			}).done(function(){
@@ -359,7 +358,8 @@
 				'dataType' : 'text',
 				'data' : {
 					'collectionUid' : ${collection.uid},
-					'organisationId': organisationId
+					'organisationId' : organisationId,
+					"<csrf:tokenname/>" : "<csrf:tokenvalue/>"
 				},
 				'cache' : false
 			}).done(function(){
@@ -375,23 +375,29 @@
 	    function saveQTI(formHTML, formName) {
 	    	var form = $($.parseHTML(formHTML));
 			$.ajax({
-				type: "POST",
-				url: '<c:url value="/imsqti/saveQTI.do" />?collectionUid=${collection.uid}',
+				url: '<c:url value="/imsqti/saveQTI.do" />?<csrf:token/>&collectionUid=${collection.uid}',
 				data: form.serializeArray(),
+				type: "POST",
 				success: function() {
 					location.reload();
 				}
 			});
 	    }
 
 	    function exportQTI(){
-	    	var frame = document.getElementById("downloadFileDummyIframe");
-	    	frame.src = '<c:url value="/imsqti/exportCollectionAsQTI.do" />?collectionUid=${collection.uid}';
+			//dynamically create a form and submit it
+			var exportExcelUrl = '<c:url value="/imsqti/exportCollectionAsQTI.do" />?<csrf:token/>&collectionUid=${collection.uid}';
+			var form = $('<form method="post" action="' + exportExcelUrl + '"></form>');
+		    $(document.body).append(form);
+		    form.submit();
 	    }
 		
-		function exportQuestionsXml(){   
-		    var reqIDVar = new Date();
-			location.href="<c:url value='/xmlQuestions/exportQuestionsXml.do'/>?collectionUid=${collection.uid}&reqID="+reqIDVar.getTime();
+		function exportQuestionsXml(){
+			//dynamically create a form and submit it
+			var exportExcelUrl = "<c:url value='/xmlQuestions/exportQuestionsXml.do'/>?<csrf:token/>&collectionUid=${collection.uid}&reqID="+(new Date()).getTime();
+			var form = $('<form method="post" action="' + exportExcelUrl + '"></form>');
+		    $(document.body).append(form);
+		    form.submit();
 		}
 		
 		//create proper href for "Create question" button
@@ -560,12 +566,9 @@
 			</div>
 		</div>
 	</c:if>
-
 	
 	<!-- Dummy div for question save to work properly -->
 	<div id="itemArea" class="hidden"></div>
-	<!-- Dummy iframe for exporting QTI packages -->
-	<iframe id="downloadFileDummyIframe" style="display: none;"></iframe>
 </lams:Page>
 </body>
 </lams:html>
\ No newline at end of file
Index: lams_central/web/qb/collectionList.jsp
===================================================================
diff -u -r0b3c5ce0f18b9e4a4195dc8144dc02784c6e3997 -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/collectionList.jsp	(.../collectionList.jsp)	(revision 0b3c5ce0f18b9e4a4195dc8144dc02784c6e3997)
+++ lams_central/web/qb/collectionList.jsp	(.../collectionList.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,9 +1,6 @@
-<%@ page contentType="text/html; charset=utf-8" language="java"%>
-<%@ taglib uri="tags-lams" prefix="lams"%>
-<%@ taglib uri="tags-fmt" prefix="fmt"%>
-<%@ taglib uri="tags-core" prefix="c"%>
-
 <!DOCTYPE html>
+<%@ include file="/common/taglibs.jsp"%>
+
 <lams:html>
 <lams:head>
 	<title><fmt:message key="label.qb.collection.management" /></title>
@@ -136,7 +133,8 @@
 					'type' : 'POST',
 					'dataType' : 'text',
 					'data' : {
-						'name' : name
+						'name' : name,
+						"<csrf:tokenname/>" : "<csrf:tokenvalue/>"
 					},
 					'cache' : false
 				}).done(function(){
Index: lams_central/web/qb/importQuestionsXml.jsp
===================================================================
diff -u -r1b530a88ae6d3a1e553081b3d56117ec5ad3622a -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/importQuestionsXml.jsp	(.../importQuestionsXml.jsp)	(revision 1b530a88ae6d3a1e553081b3d56117ec5ad3622a)
+++ lams_central/web/qb/importQuestionsXml.jsp	(.../importQuestionsXml.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,8 +1,5 @@
 <!DOCTYPE html>
-<%@ page contentType="text/html; charset=utf-8" language="java"%>
-<%@ taglib uri="tags-lams" prefix="lams"%>
-<%@ taglib uri="tags-fmt" prefix="fmt"%>
-<%@ taglib uri="tags-core" prefix="c"%>
+<%@ include file="/common/taglibs.jsp"%>
 
 <%@ page import="org.lamsfoundation.lams.util.Configuration" %>
 <%@ page import="org.lamsfoundation.lams.util.ConfigurationKeys" %>
@@ -77,8 +74,8 @@
 		</div>
 			
 		<div class="panel-body">
-				
-			<form action="<c:url value="/xmlQuestions/importQuestionsXml.do"/>?collectionUid=${param.collectionUid}" method="post" 
+			<c:set var="csrfToken"><csrf:token/></c:set>
+			<form action="<c:url value="/xmlQuestions/importQuestionsXml.do"/>?${csrfToken}&collectionUid=${param.collectionUid}" method="post" 
 				enctype="multipart/form-data" id="importForm">	
 				
 				<lams:FileUpload fileFieldname="UPLOAD_FILE" fileInputMessageKey="label.file" 
Index: lams_central/web/qb/qbQuestionDetails.jsp
===================================================================
diff -u -re8a7110708b15579af2c6b31ac52a6da427fef6d -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/qbQuestionDetails.jsp	(.../qbQuestionDetails.jsp)	(revision e8a7110708b15579af2c6b31ac52a6da427fef6d)
+++ lams_central/web/qb/qbQuestionDetails.jsp	(.../qbQuestionDetails.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,10 +1,5 @@
 <!DOCTYPE html>
-<%@ page language="java" pageEncoding="UTF-8" contentType="text/html;charset=utf-8" %>
-<%@ taglib uri="tags-lams" prefix="lams" %>
-<%@ taglib uri="tags-function" prefix="fn" %>
-<%@ taglib uri="tags-fmt" prefix="fmt" %>
-<%@ taglib uri="tags-core" prefix="c" %>
-<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %> 
+<%@ include file="/common/taglibs.jsp"%>
 
 <div class="panel panel-default" style="background-color: #f9f8f8aa;">
 <div class="panel-body">
Index: lams_central/web/qb/search.jsp
===================================================================
diff -u -r9091ed8c9bae9a48f88622c0c5031af2a39772dc -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/search.jsp	(.../search.jsp)	(revision 9091ed8c9bae9a48f88622c0c5031af2a39772dc)
+++ lams_central/web/qb/search.jsp	(.../search.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -3,9 +3,7 @@
 
 <link type="text/css" href="<lams:LAMSURL/>css/free.ui.jqgrid.min.css" rel="stylesheet">
 <link type="text/css" href="<lams:LAMSURL />gradebook/includes/css/gradebook.css" rel="stylesheet" />
-
 <link rel="stylesheet" href="<lams:LAMSURL/>css/bootstrap-select.css" type="text/css"/>
-	
 <style>
 	#grid-holder {
 	    padding-top: 15px;
Index: lams_central/web/qb/stats.jsp
===================================================================
diff -u -r9091ed8c9bae9a48f88622c0c5031af2a39772dc -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_central/web/qb/stats.jsp	(.../stats.jsp)	(revision 9091ed8c9bae9a48f88622c0c5031af2a39772dc)
+++ lams_central/web/qb/stats.jsp	(.../stats.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -1,12 +1,8 @@
-<%@ page contentType="text/html; charset=utf-8" language="java"%>
-<%@ taglib uri="tags-lams" prefix="lams"%>
-<%@ taglib uri="tags-fmt" prefix="fmt"%>
-<%@ taglib uri="tags-core" prefix="c"%>
-<%@ taglib uri="tags-function" prefix="fn" %>
+<!DOCTYPE html>
+<%@ include file="/common/taglibs.jsp"%>
 <c:set var="question" value="${stats.question}" />
 <% pageContext.setAttribute("newLineChar", "\r\n"); %>
 
-<!DOCTYPE html>
 <lams:html>
 <lams:head>
 	<title><fmt:message key="label.qb.stats.title" /></title>
@@ -91,7 +87,8 @@
 				'data' : {
 					'targetCollectionUid' : targetCollectionUid,
 					'copy'				  : copy,
-					'qbQuestionId'	      : ${question.questionId}
+					'qbQuestionId'	      : ${question.questionId},
+					"<csrf:tokenname/>"   : "<csrf:tokenvalue/>"
 				},
 				'cache' : false
 			}).done(function(){
@@ -115,7 +112,8 @@
 				'dataType' : 'text',
 				'data' : {
 					'collectionUid' : collectionUid,
-					'qbQuestionId'	: ${question.questionId}
+					'qbQuestionId'	: ${question.questionId},
+				  	"<csrf:tokenname/>": "<csrf:tokenvalue/>"
 				},
 				'cache' : false
 			}).done(function(){
@@ -128,8 +126,11 @@
 		}
 	    
 		function exportQTI(){
-	    	var frame = document.getElementById("downloadFileDummyIframe");
-	    	frame.src = '<c:url value="/imsqti/exportQuestionAsQTI.do" />?qbQuestionUid=${question.uid}';
+			//dynamically create a form and submit it
+			var exportExcelUrl = '<c:url value="/imsqti/exportQuestionAsQTI.do" />?<csrf:token/>&qbQuestionUid=${question.uid}';
+			var form = $('<form method="post" action="' + exportExcelUrl + '"></form>');
+		    $(document.body).append(form);
+		    form.submit();
 	    }
 
 	    //this method gets invoked after question has been edited and saved
@@ -560,6 +561,7 @@
 				<div class="row">
 					<form action="merge.do" method="post">
 						<input type="hidden" name="sourceQbQuestionUid" value="${question.uid}" />
+						<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 						<div class="col-xs-0 col-md-2">
 							Question UID
 						</div>
@@ -585,8 +587,6 @@
 	</c:if>
 </lams:Page>
 
-<!-- For exporting QTI packages -->
-<iframe id="downloadFileDummyIframe" style="display: none;"></iframe>
 <!-- For receiving question's uid after question has been saved -->
 <div id="itemArea" class="hidden"></div>
 </body>
Index: lams_tool_assessment/web/pages/authoring/basic.jsp
===================================================================
diff -u -rdfe56d4e96817b6c39d064b4056799b8334409e2 -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_tool_assessment/web/pages/authoring/basic.jsp	(.../basic.jsp)	(revision dfe56d4e96817b6c39d064b4056799b8334409e2)
+++ lams_tool_assessment/web/pages/authoring/basic.jsp	(.../basic.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -130,9 +130,9 @@
     	var form = $($.parseHTML(formHTML));
     	// first, save questions in the QB
 		$.ajax({
-			type: "POST",
-			url: '<lams:LAMSURL />imsqti/saveQTI.do',
+			url: '<lams:LAMSURL />imsqti/saveQTI.do?<csrf:token/>',
 			data: form.serializeArray(),
+			type: "POST",
 			dataType: 'text',
 			// the response is a comma-delimited list of QB question UIDs, for example 4,5,65 
 			success: function(qbQuestionUids) {
Index: lams_tool_lamc/web/authoring/BasicContent.jsp
===================================================================
diff -u -rbb0f9854016a8e3380c17cbfed58cd6d02a8f54c -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_tool_lamc/web/authoring/BasicContent.jsp	(.../BasicContent.jsp)	(revision bb0f9854016a8e3380c17cbfed58cd6d02a8f54c)
+++ lams_tool_lamc/web/authoring/BasicContent.jsp	(.../BasicContent.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -63,9 +63,9 @@
     	var form = $($.parseHTML(formHTML));
     	// first, save questions in the QB
 		$.ajax({
-			type: "POST",
-			url: '<lams:LAMSURL />imsqti/saveQTI.do',
+			url: '<lams:LAMSURL />imsqti/saveQTI.do?<csrf:token/>',
 			data: form.serializeArray(),
+			type: "POST",
 			dataType: 'text',
 			// the response is a comma-delimited list of QB question UIDs, for example 4,5,65 
 			success: function(qbQuestionUids) {
Index: lams_tool_laqa/src/java/org/lamsfoundation/lams/tool/qa/web/controller/QaAuthoringController.java
===================================================================
diff -u -re6dc4db4137cfd6b07a4aa79711b9d12b39fb78e -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_tool_laqa/src/java/org/lamsfoundation/lams/tool/qa/web/controller/QaAuthoringController.java	(.../QaAuthoringController.java)	(revision e6dc4db4137cfd6b07a4aa79711b9d12b39fb78e)
+++ lams_tool_laqa/src/java/org/lamsfoundation/lams/tool/qa/web/controller/QaAuthoringController.java	(.../QaAuthoringController.java)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -358,7 +358,7 @@
     /**
      * saveQuestion
      */
-    @RequestMapping("/saveQuestion")
+    @RequestMapping(value = "/saveQuestion", method = RequestMethod.POST)
     public String saveQuestion(@ModelAttribute("newQuestionForm") QbQuestionForm form, HttpServletRequest request)
 	    throws IOException, ServletException {
 	SessionMap<String, Object> sessionMap = getSessionMap(form, request);
Index: lams_tool_scratchie/web/pages/authoring/basic.jsp
===================================================================
diff -u -re6dc4db4137cfd6b07a4aa79711b9d12b39fb78e -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_tool_scratchie/web/pages/authoring/basic.jsp	(.../basic.jsp)	(revision e6dc4db4137cfd6b07a4aa79711b9d12b39fb78e)
+++ lams_tool_scratchie/web/pages/authoring/basic.jsp	(.../basic.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -92,9 +92,9 @@
     	var form = $($.parseHTML(formHTML));
     	// first, save questions in the QB
 		$.ajax({
-			type: "POST",
-			url: '<lams:LAMSURL />imsqti/saveQTI.do',
+			url: '<lams:LAMSURL />imsqti/saveQTI.do?<csrf:token/>',
 			data: form.serializeArray(),
+			type: "POST",
 			dataType: 'text',
 			// the response is a comma-delimited list of QB question UIDs, for example 4,5,65 
 			success: function(qbQuestionUids) {
Index: lams_tool_scratchie/web/pages/authoring/parts/addMcq.jsp
===================================================================
diff -u -re6dc4db4137cfd6b07a4aa79711b9d12b39fb78e -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_tool_scratchie/web/pages/authoring/parts/addMcq.jsp	(.../addMcq.jsp)	(revision e6dc4db4137cfd6b07a4aa79711b9d12b39fb78e)
+++ lams_tool_scratchie/web/pages/authoring/parts/addMcq.jsp	(.../addMcq.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -220,9 +220,9 @@
 			<lams:errors/>
 			
 			<form:form action="/lams/tool/lascrt11/authoring/saveItem.do" method="post" modelAttribute="scratchieItemForm" id="scratchieItemForm">
-				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="sessionMapID" />
 				<input type="hidden" name="optionList" id="optionList" />
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="itemIndex" />
 				<form:hidden path="questionType"/>
 				<form:hidden path="contentFolderID" id="contentFolderID"/>
Index: lams_tool_scratchie/web/pages/authoring/parts/addVsa.jsp
===================================================================
diff -u -r269c13324c6bb998631af858dc8091ad3102ef78 -r21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b
--- lams_tool_scratchie/web/pages/authoring/parts/addVsa.jsp	(.../addVsa.jsp)	(revision 269c13324c6bb998631af858dc8091ad3102ef78)
+++ lams_tool_scratchie/web/pages/authoring/parts/addVsa.jsp	(.../addVsa.jsp)	(revision 21555f88fd0c63a4a9eb3ae288a2e1d48452aa4b)
@@ -89,6 +89,7 @@
 			<form:form action="/lams/tool/lascrt11/authoring/saveItem.do" method="post" modelAttribute="scratchieItemForm" id="scratchieItemForm">
 				<form:hidden path="sessionMapID" />
 				<input type="hidden" name="optionList" id="optionList" />
+				<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 				<form:hidden path="itemIndex" />
 				<form:hidden path="questionType"/>
 				<form:hidden path="contentFolderID" id="contentFolderID"/>