diff --git a/include/staff/tpl.inc.php b/include/staff/tpl.inc.php
index 43412bcad7b0ac01aeb3ff80edc6f857232f6313..c973ab9ff9c1d083e6a6a13643e8d49ea14ff16b 100644
--- a/include/staff/tpl.inc.php
+++ b/include/staff/tpl.inc.php
@@ -26,6 +26,7 @@ $info=array_merge($template->getMsgTemplate($info['tpl']),$info);
     </form>
 </div>
 <form action="templates.php?id=<?php echo $template->getId(); ?>" method="post" id="save">
+<?php csrf_token(); ?>
 <input type="hidden" name="id" value="<?php echo $template->getId(); ?>">
 <input type="hidden" name="tpl" value="<?php echo $info['tpl']; ?>">
 <input type="hidden" name="a" value="manage">
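Review bot: The hidden `tpl` field two lines below the new `csrf_token()` call echoes `$info['tpl']` into an attribute value without escaping. The hunk header shows `$info` being merged over the template data, so it may carry request-supplied values, though that cannot be confirmed from this hunk. Script injected through that attribute could read the token from the same form and defeat the protection this commit adds; consider `value="<?php echo htmlspecialchars($info['tpl'], ENT_QUOTES, 'UTF-8'); ?>"`. The token also only helps if templates.php rejects POSTs where it is missing or wrong, and that check is outside this diff. The form continues past the end of the hunk.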