diff --git a/server.py b/server.py
index 182f3cc43ae584cc358309def78835474ee9718d..9bd7b07a54074b32a3a08ecdd7e86885d0e30a78 100644
--- a/server.py
+++ b/server.py
@@ -71,7 +71,10 @@ def mod_required(func):
 			return func(*args, **kwargs)
 	return decorator
 
+csrf_endpoints = []
+
 def csrf_protect(func):
+	csrf_endpoints.append(func.__name__)
 	@wraps(func)
 	def decorator(*args, **kwargs):
 		if '_csrf_token' in request.values:
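Review bot: `csrf_endpoints.append(func.__name__)` records the Python function name, while the `url_defaults` hook added further down compares against the Flask endpoint name. The two match only for routes registered without `endpoint=` and outside a blueprint. A mismatch means no token is injected and the request is rejected with 403, so it fails closed but is hard to trace. I would add a comment above the list such as `# must equal the endpoint names used in url_for(); routes with endpoint=... or on a blueprint will not match`. A set (`csrf_endpoints = set()` with `.add(...)`) would also suit the membership test better than a list. The body of `csrf_protect` continues outside this hunk.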
@@ -79,13 +82,19 @@ def csrf_protect(func):
 		elif request.get_json() and ('_csrf_token' in request.get_json()):
 			token = request.get_json()['_csrf_token']
 		else:
-			token = none
+			token = None
 		if not ('_csrf_token' in session) or (session['_csrf_token'] != token ) or not token: 
 			return 'csrf test failed', 403
 		else:
 			return func(*args, **kwargs)
 	return decorator
 
+@app.url_defaults
+def csrf_inject(endpoint, values):
+	if endpoint not in csrf_endpoints or not session['_csrf_token']:
+		return
+	values['_csrf_token'] = session['_csrf_token']
+
 def evalperm(perms):
 	cperms = []
 	lperms = []
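Review bot: `csrf_inject` indexes `session['_csrf_token']` directly, so building a URL for a protected endpoint in a session that has no token yet raises KeyError instead of skipping the injection. Read it once with `token = session.get('_csrf_token')`, return when `endpoint not in csrf_endpoints or not token`, and assign `values['_csrf_token'] = token`. The check in `csrf_protect` (which starts above this hunk) already rejects a request when the session has no token, so the injector can simply skip. A one-line docstring saying that the hook adds the session token to every `url_for()` call targeting a `csrf_protect`-decorated view would help, since the templates no longer show where the token comes from.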
diff --git a/templates/course.html b/templates/course.html
index 25553daecab39902cf380b5c4deab33adc8a3490..3c114e1d830f938a54aa116016893d6132a5ab65 100644
--- a/templates/course.html
+++ b/templates/course.html
@@ -51,7 +51,7 @@
 </div>
 <div class="panel panel-default">
 	<div class="panel-heading">
-		<h1 class="panel-title">Videos{% if ismod() %} <a class="btn btn-default" style="margin-right: 5px;" href="{{ url_for('create', table='lectures', time=datetime.now(), title='Noch kein Titel', visible='0', course_id=course.id, ref=request.url, _csrf_token=session['_csrf_token']) }}">Neuer Termin</a><a class="btn btn-default" style="margin-right: 5px;" href="{{url_for('import_from', id=course['id'])}}">Campus Import</a>{% endif %} <a class="fa fa-rss-square pull-right" aria-hidden="true" href="{{url_for('feed', handle=course.handle)}}" style="text-decoration: none"></a> </h1>
+		<h1 class="panel-title">Videos{% if ismod() %} <a class="btn btn-default" style="margin-right: 5px;" href="{{ url_for('create', table='lectures', time=datetime.now(), title='Noch kein Titel', visible='0', course_id=course.id, ref=request.url) }}">Neuer Termin</a><a class="btn btn-default" style="margin-right: 5px;" href="{{url_for('import_from', id=course['id'])}}">Campus Import</a>{% endif %} <a class="fa fa-rss-square pull-right" aria-hidden="true" href="{{url_for('feed', handle=course.handle)}}" style="text-decoration: none"></a> </h1>
 	</div>
 	<ul class="list-group lectureslist">
 		{% for l in lectures %}
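Review bot: The "Neuer Termin" link still reaches `create` through a plain GET href, so the CSRF token remains in the query string, now added implicitly by the `url_defaults` hook. Tokens in URLs tend to end up in browser history, access logs and Referer headers. Presumably `create` changes state, which would make a small POST form with a hidden `_csrf_token` field a better fit; the decorator already reads the token from `request.values`. The same applies to the links changed in templates/courses.html and templates/index.html.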
diff --git a/templates/courses.html b/templates/courses.html
index cbdb4c800cd491bd8cc4b197bfd080bccc53ef27..d8ef682fa620ed2588141ec9c5ad44d31ecaec71 100644
--- a/templates/courses.html
+++ b/templates/courses.html
@@ -9,7 +9,7 @@
 			</li>
 			{% if ismod() %} 
 			<li>
-				<a class="btn btn-default" href="{{ url_for('create', table='courses', handle='new'+(randint(0,1000)|string), title='Neue Veranstaltung', responsible=session.user.givenName, ref=request.url, _csrf_token=session['_csrf_token']) }}">Neue Veranstaltung</a>
+				<a class="btn btn-default" href="{{ url_for('create', table='courses', handle='new'+(randint(0,1000)|string), title='Neue Veranstaltung', responsible=session.user.givenName, ref=request.url) }}">Neue Veranstaltung</a>
 			</li>
 			{% endif %}
 			<li class="dropdown" style="padding-right: 0px">
diff --git a/templates/index.html b/templates/index.html
index 6807ef804d3a10ed7fc6dd53a8dcef46e32dd8dd..22e62d09bcbce72aedd29073fc538aba00a7aeca 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -54,7 +54,7 @@
 	<div class="col-xs-12">
 		<ul class="list-inline pull-right">
 			<li style="padding-right: 0px;">
-				<a class="btn btn-default" href="{{ url_for('create', table='announcements', text='Neue Ankündigung', time_publish=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0), time_expire=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0)+timedelta(days=7), ref=request.url, _csrf_token=session['_csrf_token']) }}">Neue Ankündigung</a>
+				<a class="btn btn-default" href="{{ url_for('create', table='announcements', text='Neue Ankündigung', time_publish=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0), time_expire=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0)+timedelta(days=7), ref=request.url) }}">Neue Ankündigung</a>
 			</li>
 		</ul>
 	</div>