From 8a624311393258aa9b4a374c9907e4353a4618af Mon Sep 17 00:00:00 2001
From: flashwave <me@flash.moe>
Date: Thu, 25 Oct 2018 03:35:53 +0200
Subject: [PATCH] Replaced inputs of type hidden, csrf and text with macros.

---
 misuzu.php                                  |  2 +-
 public/auth.php                             |  5 ++++
 templates/_layout/comments.twig             |  8 +++---
 templates/_layout/input.twig                | 24 +++++++++++++++++
 templates/auth/auth.twig                    | 30 +++++++--------------
 templates/auth/macros.twig                  | 14 +++++-----
 templates/auth/password.twig                | 26 ++++++++++--------
 templates/forum/macros.twig                 |  7 ++---
 templates/manage/changelog/action_edit.twig |  7 ++---
 templates/manage/changelog/change_edit.twig |  7 ++---
 templates/manage/changelog/tag_edit.twig    |  7 ++---
 templates/manage/forum/forum.twig           |  5 ++--
 templates/manage/general/quotes.twig        |  9 ++++---
 templates/manage/news/category.twig         |  7 ++---
 templates/manage/news/post.twig             |  7 ++---
 templates/manage/users/roles_create.twig    |  7 ++---
 templates/manage/users/view.twig            | 25 ++++++++---------
 templates/settings/account.twig             | 27 ++++++++++---------
 templates/settings/sessions.twig            |  7 ++---
 templates/user/profile.twig                 |  7 ++---
 20 files changed, 137 insertions(+), 101 deletions(-)
 create mode 100644 templates/_layout/input.twig

diff --git a/misuzu.php b/misuzu.php
index c100ed18..6531fc47 100644
--- a/misuzu.php
+++ b/misuzu.php
@@ -287,11 +287,11 @@ MIG;
     tpl_add_filter('vsprintf');
     tpl_add_filter('perms_check');
     tpl_add_filter('bg_settings', 'user_background_settings_strings');
-    tpl_add_filter('csrf', 'csrf_html');
 
     tpl_add_function('git_commit_hash');
     tpl_add_function('git_tag');
     tpl_add_function('csrf_token');
+    tpl_add_function('csrf_input', 'csrf_html');
     tpl_add_function('startup_time', function (float $time = MSZ_STARTUP) {
         return microtime(true) - $time;
     });
diff --git a/public/auth.php b/public/auth.php
index 59ed9480..691de59d 100644
--- a/public/auth.php
+++ b/public/auth.php
@@ -81,6 +81,11 @@ switch ($authMode) {
         tpl_var('auth_reset_message', "A verification code should've been sent to your e-mail address.");
 
         while ($isSubmission) {
+            if (!csrf_verify('passreset', $_POST['csrf'] ?? '')) {
+                tpl_var('auth_reset_error', 'Possible request forgery detected, refresh and try again.');
+                break;
+            }
+
             if (!user_recovery_token_validate($resetUser['user_id'], $authVerification)) {
                 tpl_var('auth_reset_error', 'Invalid verification code!');
                 break;
diff --git a/templates/_layout/comments.twig b/templates/_layout/comments.twig
index 6e872a77..c19dab40 100644
--- a/templates/_layout/comments.twig
+++ b/templates/_layout/comments.twig
@@ -1,14 +1,16 @@
 {% macro comments_input(category, user, perms, reply_to) %}
     {% set reply_mode = reply_to is not null %}
 
+    {% from '_layout/input.twig' import input_hidden, input_csrf %}
+
     <form class="comment comment--input{% if reply_mode %} comment--reply{% endif %}"
         method="post" action="/comments.php?m=create"
         id="comment-{{ reply_mode ? 'reply-' ~ reply_to.comment_id : 'create-' ~ category.category_id }}">
-        <input type="hidden" name="comment[category]" value="{{ category.category_id }}">
-        {{ 'comments'|csrf|raw }}
+        {{ input_hidden('comment[category]', category.category_id) }}
+        {{ input_csrf('comments') }}
 
         {% if reply_mode %}
-            <input type="hidden" name="comment[reply]" value="{{ reply_to.comment_id }}">
+            {{ input_hidden('comment[reply]', reply_to.comment_id) }}
         {% endif %}
 
         <div class="comment__container">
diff --git a/templates/_layout/input.twig b/templates/_layout/input.twig
new file mode 100644
index 00000000..0b750b63
--- /dev/null
+++ b/templates/_layout/input.twig
@@ -0,0 +1,24 @@
+{% macro input_hidden(name, value) %}
+{% spaceless %}
+    <input type="hidden" name="{{ name }}" value="{{ value }}">
+{% endspaceless %}
+{% endmacro %}
+
+{% macro input_csrf(realm, name) %} {# so we don't have to specify |raw every time #}
+{% spaceless %}
+    {{ csrf_input(realm, name|default('csrf'))|raw }}
+{% endspaceless %}
+{% endmacro %}
+
+{% macro input_text(name, class, value, type, placeholder, required, attributes) %}
+{% spaceless %}
+    <input type="{{ type|default('text') }}" {% if name|length > 0 %}name="{{ name }}"{% else %}readonly{% endif %}
+        class="input__text{% if name|length < 1 %} input__text--readonly{% endif %}{{ class|length > 0 ? ' ' ~ class : '' }}"
+        {% if placeholder|length > 0 %}placeholder="{{ placeholder }}"{% endif %}
+        {% if value|length > 0 %}value="{{ value }}"{% endif %}
+        {% if required|default(false) %}required{% endif %}
+        {% for name, value in attributes|default([]) %}
+            {{ name }}{% if value|length > 0 %}="{{ value }}"{% endif %}
+        {% endfor %}>
+{% endspaceless %}
+{% endmacro %}
diff --git a/templates/auth/auth.twig b/templates/auth/auth.twig
index ea6a0d75..36416bfc 100644
--- a/templates/auth/auth.twig
+++ b/templates/auth/auth.twig
@@ -1,5 +1,6 @@
 {% extends 'auth/master.twig' %}
 {% from 'macros.twig' import container_title %}
+{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %}
 {% from 'auth/macros.twig' import auth_login %}
 
 {% block content %}
@@ -11,8 +12,8 @@
 
     {% if can_create_account %}
         <form class="container auth" method="post" action="">
-            <input type="hidden" name="auth[mode]" value="register">
-            {{ 'register'|csrf|raw }}
+            {{ input_hidden('auth[mode]', 'register') }}
+            {{ input_csrf('register') }}
 
             {{ container_title('Register') }}
 
@@ -25,19 +26,10 @@
             {% endif %}
 
             <div class="auth__form">
-                <input class="input__text auth__input" type="text"
-                    name="auth[username]" placeholder="Username"
-                    value="{{ auth_username|default('') }}" required>
-
-                <input class="input__text auth__input" type="password"
-                    name="auth[password]" placeholder="Password" required>
-
-                <input class="input__text auth__input" type="text"
-                    name="auth[email]" placeholder="E-mail"
-                    value="{{ auth_email|default('') }}" required>
-
-                <input class="input__text auth__input" type="text"
-                    name="auth[meow]" placeholder="What is the outcome of nine plus ten?" required>
+                {{ input_text('auth[username]', 'auth__input', auth_username|default(''), 'text', 'Username', true) }}
+                {{ input_text('auth[password]', 'auth__input', '', 'password', 'Password', true) }}
+                {{ input_text('auth[email]', 'auth__input', auth_email|default(''), 'text', 'E-mail', true) }}
+                {{ input_text('auth[meow]', 'auth__input', '', 'text', 'What is the outcome of nine plus ten?', true) }}
 
                 <button class="input__button">Sign up</button>
             </div>
@@ -46,8 +38,8 @@
 
     {% if can_reset_password %}
         <form class="container auth" method="post" action="">
-            <input type="hidden" name="auth[mode]" value="forgot">
-            {{ 'passforgot'|csrf|raw }}
+            {{ input_hidden('auth[mode]', 'forgot') }}
+            {{ input_csrf('passforgot') }}
 
             {{ container_title('Forgot password') }}
 
@@ -60,9 +52,7 @@
             {% endif %}
 
             <div class="auth__form">
-                <input class="input__text auth__input" type="text"
-                    name="auth[email]" placeholder="E-mail"
-                    value="{{ auth_email|default('') }}" required>
+                {{ input_text('auth[email]', 'auth__input', auth_email|default(''), 'text', 'E-mail', true) }}
 
                 <button class="input__button">Send reminder</button>
             </div>
diff --git a/templates/auth/macros.twig b/templates/auth/macros.twig
index 74a00283..2818bbe3 100644
--- a/templates/auth/macros.twig
+++ b/templates/auth/macros.twig
@@ -1,9 +1,11 @@
 {% macro auth_login(username, message, is_welcome) %} {# please only use this once per page, it has script shit rn #}
     {% set is_welcome = is_welcome|default(false) %}
 
+    {% from '_layout/input.twig' import input_hidden, input_csrf, input_text %}
+
     <form class="container auth" method="post" action="/auth.php">
-        <input type="hidden" name="auth[mode]" value="login">
-        {{ 'login'|csrf|raw }}
+        {{ input_hidden('auth[mode]', 'login') }}
+        {{ input_csrf('login') }}
 
         <div class="auth__header">
             <div class="auth__header__wrapper">
@@ -21,12 +23,8 @@
         {% endif %}
 
         <div class="auth__form">
-            <input class="input__text auth__input" type="text"
-                name="auth[username]" placeholder="Username" id="login-username"
-                value="{{ username|default('') }}" required>
-
-            <input class="input__text auth__input" type="password"
-                name="auth[password]" placeholder="Password" required>
+            {{ input_text('auth[username]', 'auth__input', username|default(''), 'text', 'Username', true, {'id':'login-username'}) }}
+            {{ input_text('auth[password]', 'auth__input', '', 'password', 'Password', true) }}
 
             <button class="input__button">Login</button>
         </div>
diff --git a/templates/auth/password.twig b/templates/auth/password.twig
index 3ce320ed..26f89d95 100644
--- a/templates/auth/password.twig
+++ b/templates/auth/password.twig
@@ -1,10 +1,12 @@
 {% extends 'auth/master.twig' %}
 {% from 'macros.twig' import container_title %}
+{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %}
 
 {% block content %}
     <form class="container auth" method="post" action="">
-        <input type="hidden" name="auth[mode]" value="reset">
-        <input type="hidden" name="auth[user]" value="{{ reset_user.user_id }}">
+        {{ input_hidden('auth[mode]', 'reset') }}
+        {{ input_hidden('auth[user]', reset_user.user_id) }}
+        {{ input_csrf('passreset') }}
 
         {{ container_title('Resetting password for ' ~ reset_user.username) }}
 
@@ -15,16 +17,18 @@
         </div>
 
         <div class="auth__form">
-            <input type="{{ reset_verify is defined ? 'hidden' : 'text' }}"
-                class="input__text input__text--monospace auth__input" type="text"
-                name="auth[verification]" placeholder="verification code" maxlength="12"
-                value="{{ reset_verify|default('') }}" required>
+            {{ input_text(
+                'auth[verification]',
+                'input__text--monospace auth__input',
+                reset_verify|default(''),
+                reset_verify is defined ? 'hidden' : 'text',
+                'verification code',
+                true,
+                {'maxlength':12}
+            ) }}
 
-            <input class="input__text auth__input" type="password"
-                name="auth[password][new]" placeholder="new password" required>
-
-            <input class="input__text auth__input" type="password"
-                name="auth[password][confirm]" placeholder="confirm password" required>
+            {{ input_text('auth[password][new]', 'auth__input', '', 'password', 'new password', true) }}
+            {{ input_text('auth[password][confirm]', 'auth__input', '', 'password', 'confirm password', true) }}
 
             <button class="input__button">Change password</button>
         </div>
diff --git a/templates/forum/macros.twig b/templates/forum/macros.twig
index 0b4f11ce..08d4c0c1 100644
--- a/templates/forum/macros.twig
+++ b/templates/forum/macros.twig
@@ -370,6 +370,7 @@
 
 {% macro forum_posting_form(title, target_id, is_reply, element_id) %}
     {% from 'macros.twig' import container_title %}
+    {% from '_layout/input.twig' import input_hidden, input_csrf, input_text %}
     {% set is_reply = is_reply ? true : false %}
 
     <form{% if element_id is defined %} id="{{ element_id }}"{% endif %}
@@ -379,8 +380,8 @@
         {{ container_title(title) }}
 
         <div class="forum__posting__content">
-            <input type="hidden" name="post[{{ is_reply ? 'topic' : 'forum' }}]" value="{{ target_id }}">
-            {{ 'forum_post'|csrf|raw }}
+            {{ input_hidden('post[' ~ (is_reply ? 'topic' : 'forum') ~ ']', target_id) }}
+            {{ input_csrf('forum_post') }}
 
             {#<div class="forum__posting__errors">
                 <p class="forum__posting__error">Error: Your post contained too much text, shorten it a bit or split it out in two posts.</p>
@@ -388,7 +389,7 @@
 
             {% if not is_reply %}
                 <div class="forum__posting__title">
-                    <input class="input__text forum__posting__title__input" type="text" name="post[title]" placeholder="Topic title">
+                    {{ input_text('post[title]', 'forum__posting__title__input', '', 'text', 'Topic title') }}
                 </div>
             {% endif %}
 
diff --git a/templates/manage/changelog/action_edit.twig b/templates/manage/changelog/action_edit.twig
index 7ee0ecf3..a24f30f4 100644
--- a/templates/manage/changelog/action_edit.twig
+++ b/templates/manage/changelog/action_edit.twig
@@ -1,24 +1,25 @@
 {% extends 'manage/changelog/master.twig' %}
 {% from 'macros.twig' import container_title %}
+{% from '_layout/input.twig' import input_csrf, input_text %}
 
 {% block manage_content %}
     <div class="container">
         <form action="?v=action{{ edit_action is defined ? '&a=' ~ edit_action.action_id : '' }}" method="post">
-            {{ 'changelog_action'|csrf|raw }}
+            {{ input_csrf('changelog_action') }}
 
             {{ container_title(edit_action is defined ? 'Editing ' ~ edit_action.action_name ~ ' (' ~ edit_action.action_id ~ ')' : 'Adding a new action') }}
 
             <label class="form__label">
                 <div class="form__label__text">Name</div>
                 <div class="form__label__input">
-                    <input class="input__text" type="text" value="{{ edit_action is defined ? edit_action.action_name : '' }}" name="action[name]" maxlength="50">
+                    {{ input_text('action[name]', '', edit_action is defined ? edit_action.action_name : '', 'text', '', true, {'maxlength':50}) }}
                 </div>
             </label>
 
             <label class="form__label">
                 <div class="form__label__text">Class</div>
                 <div class="form__label__input">
-                    <input class="input__text" type="text" value="{{ edit_action is defined ? edit_action.action_class : '' }}" name="action[class]" maxlength="20">
+                    {{ input_text('action[class]', '', edit_action is defined ? edit_action.action_class : '', 'text', '', true, {'maxlength':20}) }}
                 </div>
             </label>
 
diff --git a/templates/manage/changelog/change_edit.twig b/templates/manage/changelog/change_edit.twig
index 21920906..b8975afb 100644
--- a/templates/manage/changelog/change_edit.twig
+++ b/templates/manage/changelog/change_edit.twig
@@ -1,5 +1,6 @@
 {% extends 'manage/changelog/master.twig' %}
 {% from 'macros.twig' import container_title %}
+{% from '_layout/input.twig' import input_csrf, input_text %}
 
 {% if edit_change is defined %}
     {% set site_link = '/changelog.php?c=' ~ edit_change.change_id %}
@@ -8,14 +9,14 @@
 {% block manage_content %}
     <div class="container">
         <form action="?v=change{{ edit_change is defined ? '&c=' ~ edit_change.change_id : '' }}" method="post">
-            {{ 'changelog_add'|csrf|raw }}
+            {{ input_csrf('changelog_add') }}
 
             {{ container_title(edit_change is defined ? 'Editing #' ~ edit_change.change_id : 'Adding a new change') }}
 
             <label class="form__label" style="width:100%">
                 <div class="form__label__text">Log</div>
                 <div class="form__label__input">
-                    <input class="input__text" type="text" value="{{ edit_change is defined ? edit_change.change_log : '' }}" name="change[log]" maxlength="255">
+                    {{ input_text('change[log]', '', edit_change is defined ? edit_change.change_log : '', 'text', '', true, {'maxlength':255}) }}
                 </div>
             </label>
 
@@ -49,7 +50,7 @@
             <label class="form__label">
                 <div class="form__label__text">Created</div>
                 <div class="form__label__input">
-                    <input class="input__text" type="text" value="{{ edit_change is defined ? edit_change.change_created : ''|date('Y-m-d H:i:s') }}" name="change[created]">
+                    {{ input_text('change[created]', '', (edit_change is defined ? edit_change.change_created : ''|date('Y-m-d H:i:s')), 'text', '', true) }}
                 </div>
             </label>
 
diff --git a/templates/manage/changelog/tag_edit.twig b/templates/manage/changelog/tag_edit.twig
index c92a226c..05284dfc 100644
--- a/templates/manage/changelog/tag_edit.twig
+++ b/templates/manage/changelog/tag_edit.twig
@@ -1,17 +1,18 @@
 {% extends 'manage/changelog/master.twig' %}
 {% from 'macros.twig' import container_title %}
+{% from '_layout/input.twig' import input_csrf, input_text %}
 
 {% block manage_content %}
     <div class="container">
         <form action="?v=tag{{ edit_tag is defined ? '&t=' ~ edit_tag.tag_id : '' }}" method="post">
-            {{ 'changelog_tag'|csrf|raw }}
+            {{ input_csrf('changelog_tag') }}
 
             {{ container_title(edit_tag is defined ? 'Editing ' ~ edit_tag.tag_name ~ ' (' ~ edit_tag.tag_id ~ ')' : 'Adding a new tag') }}
 
             <label class="form__label" style="width:100%">
                 <div class="form__label__text">Name</div>
                 <div class="form__label__input">
-                    <input class="input__text" type="text" value="{{ edit_tag is defined ? edit_tag.tag_name : '' }}" name="tag[name]" maxlength="255">
+                    {{ input_text('tag[name]', '', edit_tag is defined ? edit_tag.tag_name : '', 'text', '', true, {'maxlength':255}) }}
                 </div>
             </label>
 
@@ -33,7 +34,7 @@
                 <label class="form__label">
                     <div class="form__label__text">Created</div>
                     <div class="form__label__input">
-                        <input class="input__text" type="text" value="{{ edit_tag.tag_created }}" readonly>
+                        {{ input_text('', '', edit_tag.tag_created) }}
                     </div>
                 </label>
             {% endif %}
diff --git a/templates/manage/forum/forum.twig b/templates/manage/forum/forum.twig
index 7a3dab39..4cf9beb7 100644
--- a/templates/manage/forum/forum.twig
+++ b/templates/manage/forum/forum.twig
@@ -1,6 +1,7 @@
 {% extends 'manage/users/master.twig' %}
 {% from 'macros.twig' import container_title %}
 {% from 'manage/macros.twig' import permissions_table %}
+{% from '_layout/input.twig' import input_hidden, input_csrf %}
 
 {% block manage_content %}
     <div class="container">
@@ -8,8 +9,8 @@
 
         <div class="container__content">
             <form action="" method="get">
-                <input type="hidden" name="v" value="forumperms">
-                <input type="hidden" name="f" value="{{ forum.forum_id }}">
+                {{ input_hidden('v', 'forumperms') }}
+                {{ input_hidden('f', forum.forum_id) }}
                 <select name="r" class="input__select">
                     {% for role in roles %}
                         <option value="{{ role.role_id }}">{{ role.role_name }}</option>
diff --git a/templates/manage/general/quotes.twig b/templates/manage/general/quotes.twig
index 7e2a42d2..2ef24b87 100644
--- a/templates/manage/general/quotes.twig
+++ b/templates/manage/general/quotes.twig
@@ -1,6 +1,7 @@
 {% extends 'manage/general/master.twig' %}
 {% from 'home/macros.twig' import chat_quote_display %}
 {% from 'macros.twig' import pagination, container_title %}
+{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %}
 
 {% block manage_content %}
     <div class="container">
@@ -8,8 +9,8 @@
 
         {% if current_quote is defined %}
             <form method="post" action="">
-                {{ 'add_quote'|csrf|raw }}
-                <input type="hidden" name="quote[id]" value="{{ current_quote.quote_id|default(0) }}">
+                {{ input_csrf('add_quote') }}
+                {{ input_hidden('quote[id]', current_quote.quote_id|default(0)) }}
 
                 * = optional
 
@@ -26,12 +27,12 @@
 
                     <tr>
                         <td>Date/time*</td>
-                        <td><input type="text" name="quote[time]" class="input__text" value="{{ current_quote.quote_timestamp|default(0)|date('Y-m-d H:i:s') }}"></td>
+                        <td>{{ input_text('quote[time]', '', (current_quote.quote_timestamp|default('')|date('Y-m-d H:i:s'))) }}</td>
                     </tr>
 
                     <tr>
                         <td>Username</td>
-                        <td><input type="text" required name="quote[user][name]" class="input__text" value="{{ current_quote.quote_username|default() }}"></td>
+                        <td>{{ input_text('quote[user][name]', '', current_quote.quote_username|default(), 'text', '', true) }}</td>
                     </tr>
 
                     <tr>
diff --git a/templates/manage/news/category.twig b/templates/manage/news/category.twig
index d50f805f..3870b1ae 100644
--- a/templates/manage/news/category.twig
+++ b/templates/manage/news/category.twig
@@ -1,5 +1,6 @@
 {% extends 'manage/news/master.twig' %}
 {% from 'macros.twig' import container_title %}
+{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %}
 
 {% set is_new = category|length < 1 %}
 
@@ -7,13 +8,13 @@
     <form method="post" action="" class="container">
         {{ container_title(is_new ? 'New Category' : 'Editing ' ~ category.category_name) }}
 
-        {{ 'news_category'|csrf|raw }}
-        <input type="hidden" name="category[id]" value="{{ category.category_id|default(0) }}">
+        {{ input_csrf('news_category') }}
+        {{ input_hidden('category[id]', category.category_id|default(0)) }}
 
         <table style="color:inherit">
             <tr>
                 <td>Name</td>
-                <td><input type="text" required name="category[name]" class="input__text" value="{{ category.category_name|default() }}"></td>
+                <td>{{ input_text('category[name]', '', category.category_name|default(), 'text', '', true) }}</td>
             </tr>
 
             <tr>
diff --git a/templates/manage/news/post.twig b/templates/manage/news/post.twig
index 63d35595..b764ccf5 100644
--- a/templates/manage/news/post.twig
+++ b/templates/manage/news/post.twig
@@ -1,5 +1,6 @@
 {% extends 'manage/news/master.twig' %}
 {% from 'macros.twig' import container_title %}
+{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %}
 
 {% set is_new = post|length < 1 %}
 
@@ -7,13 +8,13 @@
     <form method="post" action="" class="container">
         {{ container_title(is_new ? 'New Post' : 'Editing ' ~ post.post_title) }}
 
-        {{ 'news_post'|csrf|raw }}
-        <input type="hidden" name="post[id]" value="{{ post.post_id|default(0) }}">
+        {{ input_csrf('news_post') }}
+        {{ input_hidden('post[id]', post.post_id|default(0)) }}
 
         <table style="color:inherit">
             <tr>
                 <td>Name</td>
-                <td><input type="text" required name="post[title]" class="input__text" value="{{ post.post_title|default() }}"></td>
+                <td>{{ input_text('post[title]', '', post.post_title|default(), 'text', '', true) }}</td>
             </tr>
 
             <tr>
diff --git a/templates/manage/users/roles_create.twig b/templates/manage/users/roles_create.twig
index 1508ee79..22d4e792 100644
--- a/templates/manage/users/roles_create.twig
+++ b/templates/manage/users/roles_create.twig
@@ -1,10 +1,11 @@
 {% extends 'manage/users/master.twig' %}
 {% from 'macros.twig' import container_title %}
 {% from 'manage/macros.twig' import permissions_table %}
+{% from '_layout/input.twig' import input_csrf, input_text %}
 
 {% block manage_content %}
     <form action="?v=role{{ edit_role is defined ? '&r=' ~ edit_role.role_id : '' }}" method="post"{% if edit_role is defined %} style="{{ edit_role.role_colour|html_colour('--accent-colour') }}"{% endif %}>
-        {{ 'users_role'|csrf|raw }}
+        {{ input_csrf('users_role') }}
 
         <div class="container">
             {{ container_title(edit_role is defined ? 'Editing ' ~ edit_role.role_name ~ ' (' ~ edit_role.role_id ~ ')' : 'Creating a new role') }}
@@ -12,7 +13,7 @@
             <label class="form__label">
                 <div class="form__label__text">Role Name</div>
                 <div class="form__label__input">
-                    <input class="input__text" type="text" value="{{ edit_role is defined ? edit_role.role_name : '' }}" name="role[name]" maxlength="255">
+                    {{ input_text('role[name]', '', edit_role.role_name|default(''), 'text', '', true, {'maxlength':255}) }}
                 </div>
             </label>
 
@@ -33,7 +34,7 @@
             <label class="form__label">
                 <div class="form__label__text">Title</div>
                 <div class="form__label__input">
-                    <input class="input__text" type="text" value="{{ edit_role is defined ? edit_role.role_title : '' }}" name="role[title]" maxlength="64">
+                    {{ input_text('role[title]', '', edit_role.role_title|default(''), 'text', '', false, {'maxlength':64}) }}
                 </div>
             </label>
 
diff --git a/templates/manage/users/view.twig b/templates/manage/users/view.twig
index a47999e8..d297e74b 100644
--- a/templates/manage/users/view.twig
+++ b/templates/manage/users/view.twig
@@ -1,13 +1,14 @@
 {% extends 'manage/users/master.twig' %}
 {% from 'macros.twig' import container_title %}
 {% from 'manage/macros.twig' import permissions_table %}
+{% from '_layout/input.twig' import input_csrf, input_text %}
 
 {% set site_link = '/profile.php?u=' ~ view_user.user_id %}
 
 {% block manage_content %}
     {% if can_manage_users %}
         <form method="post" enctype="multipart/form-data" action=""{% if view_user is defined %} style="{{ view_user.user_colour|html_colour('--accent-colour') }}"{% endif %}>
-            {{ 'users_edit'|csrf|raw }}
+            {{ input_csrf('users_edit') }}
 
             <div class="container">
                 {{ container_title('Viewing ' ~ view_user.username ~ ' (' ~ view_user.user_id ~ ')') }}
@@ -15,56 +16,56 @@
                 <label class="form__label">
                     <div class="form__label__text">Username</div>
                     <div class="form__label__input">
-                        <input class="input__text" type="text" value="{{ view_user.username }}" name="user[username]" maxlength="16">
+                        {{ input_text('user[username]', '', view_user.username, 'text', '', true, {'maxlength':16}) }}
                     </div>
                 </label>
 
                 <label class="form__label">
                     <div class="form__label__text">E-mail address</div>
                     <div class="form__label__input">
-                        <input class="input__text" type="text" value="{{ view_user.email }}" name="user[email]" maxlength="255">
+                        {{ input_text('user[email]', '', view_user.email, 'text', '', true, {'maxlength':255}) }}
                     </div>
                 </label>
 
                 <label class="form__label">
                     <div class="form__label__text">Title</div>
                     <div class="form__label__input">
-                        <input class="input__text" type="text" value="{{ view_user.user_title }}" name="user[title]" maxlength="64">
+                        {{ input_text('user[title]', '', view_user.user_title, 'text', '', false, {'maxlength':64}) }}
                     </div>
                 </label>
 
                 <label class="form__label">
                     <div class="form__label__text">Joined</div>
                     <div class="form__label__input">
-                        <input class="input__text" readonly type="text" value="{{ view_user.created_at }}">
+                        {{ input_text('', '', view_user.created_at) }}
                     </div>
                 </label>
 
                 <label class="form__label">
                     <div class="form__label__text">Last online</div>
                     <div class="form__label__input">
-                        <input class="input__text" readonly type="text" value="{{ view_user.last_seen }}">
+                        {{ input_text('', '', view_user.last_seen) }}
                     </div>
                 </label>
 
                 <label class="form__label">
                     <div class="form__label__text">Register IP</div>
                     <div class="form__label__input">
-                        <input class="input__text" readonly type="text" value="{{ view_user.register_ip_decoded }}">
+                        {{ input_text('', '', view_user.register_ip_decoded) }}
                     </div>
                 </label>
 
                 <label class="form__label">
                     <div class="form__label__text">Last IP</div>
                     <div class="form__label__input">
-                        <input class="input__text" readonly type="text" value="{{ view_user.last_ip_decoded }}">
+                        {{ input_text('', '', view_user.last_ip_decoded) }}
                     </div>
                 </label>
 
                 <label class="form__label">
                     <div class="form__label__text">Country</div>
                     <div class="form__label__input">
-                        <input class="input__text" type="text" value="{{ view_user.user_country }}" name="user[country]" maxlength="2">
+                        {{ input_text('user[country]', '', view_user.user_country, 'text', 'XX', true, {'maxlength':2,'minlength':2}) }}
                     </div>
                 </label>
             </div>
@@ -93,14 +94,14 @@
                 <label class="form__label">
                     <div class="form__label__text">New Password</div>
                     <div class="form__label__input">
-                        <input class="input__text" type="password" name="password[new]">
+                        {{ input_text('password[new]', '', '', 'password') }}
                     </div>
                 </label>
 
                 <label class="form__label">
                     <div class="form__label__text">Confirm Password</div>
                     <div class="form__label__input">
-                        <input class="input__text" type="password" name="password[confirm]">
+                        {{ input_text('password[confirm]', '', '', 'password') }}
                     </div>
                 </label>
             </div>
@@ -156,7 +157,7 @@
                 {{ container_title('Manage Roles') }}
 
                 <div class="container__content">
-                    {{ 'users_edit'|csrf|raw }}
+                    {{ input_csrf('users_edit') }}
 
                     <label class="form__label">
                         <div class="form__label__text">Has Roles</div>
diff --git a/templates/settings/account.twig b/templates/settings/account.twig
index 99df852e..8dc78e94 100644
--- a/templates/settings/account.twig
+++ b/templates/settings/account.twig
@@ -1,5 +1,6 @@
 {% extends 'settings/master.twig' %}
 {% from 'macros.twig' import container_title %}
+{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %}
 
 {% if user_has_background %}
     {% set site_background_url = '/profile.php?m=background&u=' ~ settings_user_id %}
@@ -16,7 +17,7 @@
         {{ container_title('Account') }}
 
         <form action="" method="post" class="settings__account">
-            {{ 'settings'|csrf|raw }}
+            {{ input_csrf('settings') }}
 
             <div class="settings__account__row">
                 {% if settings_perms.edit_profile %}
@@ -29,7 +30,7 @@
                                 {{ props.name }}
                             </div>
                             <div class="settings__account__input__value">
-                                <input type="{{ props.type|default('text') }}" name="profile[{{ name }}]" value="{{ account_info['user_' ~ name] }}" class="input__text settings__account__input__value__text">
+                                {{ input_text('profile[' ~ name ~ ']', 'settings__account__input__value__text', account_info['user_' ~ name], props.type|default('text')) }}
                             </div>
                         </label>
                         {% endfor %}
@@ -58,7 +59,7 @@
                                         Current e-mail address
                                     </div>
                                     <div class="settings__account__input__value">
-                                        <input type="text" class="input__text input__text--readonly settings__account__input__value__text" readonly value="{{ account_info.email }}">
+                                        {{ input_text('', 'settings__account__input__value__text', account_info.email) }}
                                     </div>
                                 </label>
 
@@ -67,7 +68,7 @@
                                         New e-mail Address
                                     </div>
                                     <div class="settings__account__input__value">
-                                        <input type="text" name="email[new]" class="input__text settings__account__input__value__text">
+                                        {{ input_text('email[new]', 'settings__account__input__value__text') }}
                                     </div>
                                 </label>
 
@@ -76,7 +77,7 @@
                                         Confirmation
                                     </div>
                                     <div class="settings__account__input__value">
-                                        <input type="text" name="email[confirm]" class="input__text settings__account__input__value__text">
+                                        {{ input_text('email[confirm]', 'settings__account__input__value__text') }}
                                     </div>
                                 </label>
                             </div>
@@ -91,7 +92,7 @@
                                         New Password
                                     </div>
                                     <div class="settings__account__input__value">
-                                        <input type="password" name="password[new]" class="input__text settings__account__input__value__text">
+                                        {{ input_text('password[new]', 'settings__account__input__value__text', '', 'password') }}
                                     </div>
                                 </label>
 
@@ -100,7 +101,7 @@
                                         Confirmation
                                     </div>
                                     <div class="settings__account__input__value">
-                                        <input type="password" name="password[confirm]" class="input__text settings__account__input__value__text">
+                                        {{ input_text('password[confirm]', 'settings__account__input__value__text', '', 'password') }}
                                     </div>
                                 </label>
                             </div>
@@ -115,7 +116,7 @@
                                         Current Password
                                     </div>
                                     <div class="settings__account__input__value">
-                                        <input type="password" name="current_password" placeholder="only needed for e-mail and password updating" class="input__text settings__account__input__value__text">
+                                        {{ input_text('current_password', 'settings__account__input__value__text', '', 'password', 'only needed for e-mail and password updating') }}
                                     </div>
                                 </label>
                             </div>
@@ -138,8 +139,8 @@
             {{ container_title('Avatar') }}
 
             <form action="" method="post" class="settings__images" enctype="multipart/form-data">
-                <input type="hidden" name="MAX_FILE_SIZE" value="{{ background.max_size }}">
-                {{ 'settings'|csrf|raw }}
+                {{ input_hidden('MAX_FILE_SIZE', avatar.max_size) }}
+                {{ input_csrf('settings') }}
 
                 <div class="settings__images__sections">
                     <div class="settings__images__requirements">
@@ -210,8 +211,8 @@
             {{ container_title('Background') }}
 
             <form action="" method="post" class="settings__images" enctype="multipart/form-data">
-                <input type="hidden" name="MAX_FILE_SIZE" value="{{ background.max_size }}">
-                {{ 'settings'|csrf|raw }}
+                {{ input_hidden('MAX_FILE_SIZE', background.max_size) }}
+                {{ input_csrf('settings') }}
 
                 <div class="settings__images__sections">
                     <div class="settings__images__requirements">
@@ -295,7 +296,7 @@
             {{ container_title('About') }}
 
             <form method="post" action="" enctype="multipart/form-data" class="settings__about">
-                {{ 'settings'|csrf|raw }}
+                {{ input_csrf('settings') }}
 
                 <textarea name="about[text]" class="input__textarea settings__about__text" id="about-textarea">{{ account_info.user_about_content|escape }}</textarea>
 
diff --git a/templates/settings/sessions.twig b/templates/settings/sessions.twig
index 14959d16..7f3b84eb 100644
--- a/templates/settings/sessions.twig
+++ b/templates/settings/sessions.twig
@@ -1,5 +1,6 @@
 {% extends 'settings/master.twig' %}
 {% from 'macros.twig' import pagination, container_title %}
+{% from '_layout/input.twig' import input_hidden, input_csrf %}
 
 {% set spagination = pagination(sessions_count, sessions_take, sessions_offset, '?m=sessions') %}
 
@@ -13,7 +14,7 @@
             </div>
 
             <form class="settings__sessions__actions" method="post" action="?m=sessions">
-                {{ 'settings'|csrf|raw }}
+                {{ input_csrf('settings') }}
 
                 <button class="input__button" name="session_action" value="kill-all">
                     Kill all active sessions
@@ -66,8 +67,8 @@
                     {% endif %}
 
                     <form class="settings__sessions__column settings__sessions__column--options" method="post" action="?m=sessions">
-                        <input type="hidden" name="session" value="{{ session.session_id }}">
-                        {{ 'settings'|csrf|raw }}
+                        {{ input_hidden('session', session.session_id) }}
+                        {{ input_csrf('settings') }}
 
                         <button class="input__button settings__sessions__button">
                             {{ session.session_id == active_session_id ? 'Logout' : 'Kill' }}
diff --git a/templates/user/profile.twig b/templates/user/profile.twig
index 7f952755..457a5746 100644
--- a/templates/user/profile.twig
+++ b/templates/user/profile.twig
@@ -1,5 +1,6 @@
 {% extends 'user/master.twig' %}
 {% from 'macros.twig' import container_title %}
+{% from '_layout/input.twig' import input_hidden, input_csrf, input_text %}
 
 {% set image = '/profile.php?u=' ~ profile.user_id ~ '&m=avatar' %}
 {% set canonical_url = '/profile.php?u=' ~ profile.user_id %}
@@ -42,8 +43,8 @@
 {% block content %}
     {% if is_editing %}
         <form class="profile" method="post" action="/settings.php" enctype="multipart/form-data">
-            <input type="hidden" name="user" value="{{ profile.user_id }}">
-            {{ 'settings'|csrf|raw }}
+            {{ input_hidden('user', profile.user_id) }}
+            {{ input_csrf('settings') }}
 
             {% if perms.edit_avatar %}
                 <input class="settings__avatar__input"
@@ -130,7 +131,7 @@
                                         </div>
 
                                         {% if is_editing %}
-                                            <input type="{{ data.type|default('text') }}" name="profile[{{ name }}]" value="{{ profile['user_' ~ name] }}" class="input__text profile__accounts__input">
+                                            {{ input_text('profile[' ~ name ~ ']', 'profile__accounts__input', profile['user_' ~ name], data.type|default('text')) }}
                                         {% else %}
                                             <div class="profile__accounts__value"
                                                 {% if data.tooltip is defined %}title="{{ data.tooltip|format(data.value)|raw }}"{% endif %}>