diff --git a/op/op.MoveDocument.php b/op/op.MoveDocument.php
index 54a93683f..d62e349d2 100644
--- a/op/op.MoveDocument.php
+++ b/op/op.MoveDocument.php
@@ -20,6 +20,7 @@
 include("../inc/inc.Settings.php");
 include("../inc/inc.LogInit.php");
+include("../inc/inc.Utils.php");
 include("../inc/inc.Language.php");
 include("../inc/inc.Init.php");
 include("../inc/inc.Extension.php");
@@ -27,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('movedocument', 'GET')) {
+ UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
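Review bot: The added `checkFormKey('movedocument', 'GET')` guard binds the move to a per-form token, but the state-changing request itself, token included, still travels in the query string of a GET, where it ends up in browser history, Referer headers and access logs; the same applies to `checkFormKey('movefolder', 'GET')` in op.MoveFolder.php. If form1 in the two views can be submitted via POST, reading the key from the POST data removes that exposure; otherwise the choice deserves a comment such as `/* key is read from the query string because form1 submits via GET */`. Placing the guard after inc.Authentication.php and before the documentid parsing is the right order, since a request without a valid token never reaches the id handling. Whether checkFormKey binds the key to the current session is not visible here.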
@@ -62,46 +68,48 @@ if($document->isLocked()) {
 }
 }
+if ($targetid == $oldFolder->getID()) {
+ UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("target_equals_source_folder"));
+}
+
 /* Check if name already exists in the folder */
 if(!$settings->_enableDuplicateDocNames) {
 if($targetFolder->hasDocumentByName($document->getName())) {
- UI::exitError(getMLText("folder_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("document_duplicate_name"));
+ UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("document_duplicate_name"));
 }
 }
-if ($targetid != $oldFolder->getID()) {
- if ($document->setFolder($targetFolder)) {
- // Send notification to subscribers.
- if($notifier) {
- $nl1 = $oldFolder->getNotifyList();
- $nl2 = $document->getNotifyList();
- $nl3 = $targetFolder->getNotifyList();
- $nl = array(
- 'users'=>array_unique(array_merge($nl1['users'], $nl2['users'], $nl3['users']), SORT_REGULAR),
- 'groups'=>array_unique(array_merge($nl1['groups'], $nl2['groups'], $nl3['groups']), SORT_REGULAR)
- );
- $subject = "document_moved_email_subject";
- $message = "document_moved_email_body";
- $params = array();
- $params['name'] = $document->getName();
- $params['old_folder_path'] = $oldFolder->getFolderPathPlain();
- $params['new_folder_path'] = $targetFolder->getFolderPathPlain();
- $params['username'] = $user->getFullName();
- $params['url'] = getBaseUrl().$settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
- $params['sitename'] = $settings->_siteName;
- $params['http_root'] = $settings->_httpRoot;
- $notifier->toList($user, $nl["users"], $subject, $message, $params);
- foreach ($nl["groups"] as $grp) {
- $notifier->toGroup($user, $grp, $subject, $message, $params);
- }
- // if user is not owner send notification to owner
+if ($document->setFolder($targetFolder)) {
+ // Send notification to subscribers.
+ if($notifier) {
+ $nl1 = $oldFolder->getNotifyList();
+ $nl2 = $document->getNotifyList();
+ $nl3 = $targetFolder->getNotifyList();
+ $nl = array(
+ 'users'=>array_unique(array_merge($nl1['users'], $nl2['users'], $nl3['users']), SORT_REGULAR),
+ 'groups'=>array_unique(array_merge($nl1['groups'], $nl2['groups'], $nl3['groups']), SORT_REGULAR)
+ );
+ $subject = "document_moved_email_subject";
+ $message = "document_moved_email_body";
+ $params = array();
+ $params['name'] = $document->getName();
+ $params['old_folder_path'] = $oldFolder->getFolderPathPlain();
+ $params['new_folder_path'] = $targetFolder->getFolderPathPlain();
+ $params['username'] = $user->getFullName();
+ $params['url'] = getBaseUrl().$settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
+ $params['sitename'] = $settings->_siteName;
+ $params['http_root'] = $settings->_httpRoot;
+ $notifier->toList($user, $nl["users"], $subject, $message, $params);
+ foreach ($nl["groups"] as $grp) {
+ $notifier->toGroup($user, $grp, $subject, $message, $params);
+ }
+ // if user is not owner send notification to owner
 // if ($user->getID() != $document->getOwner()->getID())
 // $notifier->toIndividual($user, $document->getOwner(), $subject, $message, $params);
- }
-
- } else {
- UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("error_occured"));
 }
+
+} else {
+ UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("error_occured"));
 }
 add_log_line();
diff --git a/op/op.MoveFolder.php b/op/op.MoveFolder.php
index 84090c704..31c77a6c8 100644
--- a/op/op.MoveFolder.php
+++ b/op/op.MoveFolder.php
@@ -20,6 +20,7 @@
 include("../inc/inc.Settings.php");
 include("../inc/inc.LogInit.php");
+include("../inc/inc.Utils.php");
 include("../inc/inc.Language.php");
 include("../inc/inc.Init.php");
 include("../inc/inc.Extension.php");
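Review bot: The new `+} else {` branch at the end of the hunk passes `$document->getName()` into the error title raw, while the two other exits added in this hunk (`target_equals_source_folder` and the corrected `document_duplicate_name` line) wrap the name in htmlspecialchars(); document names are user-controlled, so unless UI::exitError escapes its arguments (not visible here) the error page echoes unescaped markup. Make the three exits consistent: `UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("error_occured"));`. The early exit `if ($targetid == $oldFolder->getID())` relies on loose comparison, which is doing real work if `$targetid` is still the raw query value assigned above the hunk; a comment, or an explicit cast on both sides (`(int)$targetid === (int)$oldFolder->getID()`), would make that intent visible, and the same comparison is added in op.MoveFolder.php. The two commented-out owner-notification lines are carried through the restructuring and could be dropped instead.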
@@ -27,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('movefolder', 'GET')) {
+ UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_GET["folderid"]) || !is_numeric($_GET["folderid"]) || intval($_GET["folderid"])<1) {
 UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
@@ -52,6 +58,11 @@ if (!is_object($targetFolder)) {
 UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
+$oldFolder = $folder->getParent();
+if ($targetid == $oldFolder->getID()) {
+ UI::exitError(getMLText("folder_title", array("foldername" => htmlspecialchars($folder->getName()))),getMLText("target_equals_source_folder"));
+}
+
 if($folder->isSubFolder($targetFolder)) {
 UI::exitError(getMLText("folder_title", array("foldername" => $folder->getName())),getMLText("invalid_target_folder"));
 }
@@ -67,7 +78,6 @@ if(!$settings->_enableDuplicateSubFolderNames) {
 }
 }
-$oldFolder = $folder->getParent();
 if ($folder->setParent($targetFolder)) {
 // Send notification to subscribers.
 if($notifier) {
diff --git a/views/bootstrap/class.MoveDocument.php b/views/bootstrap/class.MoveDocument.php
index 8862db301..66502bf23 100644
--- a/views/bootstrap/class.MoveDocument.php
+++ b/views/bootstrap/class.MoveDocument.php
@@ -52,6 +52,7 @@ class SeedDMS_View_MoveDocument extends SeedDMS_Bootstrap_Style { $this->contentContainerStart('warning'); ?>
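Review bot: `$oldFolder = $folder->getParent();` is dereferenced on the very next line with `$oldFolder->getID()`, yet the hunk only guards `$targetFolder` with `is_object()`; if `$folder` can be a top-level folder whose getParent() yields no object (not visible here), the request dies with a fatal error before the existing isSubFolder() check is reached. Mirror the pattern already used in this hunk: `if (!is_object($oldFolder)) { UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id")); }` between the assignment and the comparison. Hoisting the assignment from its old position (the `-$oldFolder = $folder->getParent();` in `@@ -67,7 +78,6 @@`) is consistent with the new check, and the new `target_equals_source_folder` exit escapes the folder name with htmlspecialchars() where the neighbouring `invalid_target_folder` exit does not; aligning the older line would be a cheap follow-up.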
+ formField(getMLText("choose_target_folder"), $this->getFolderChooserHtml("form1", M_READWRITE, -1, $target));
diff --git a/views/bootstrap/class.MoveFolder.php b/views/bootstrap/class.MoveFolder.php
index f9091fe31..f990ae3a8 100644
--- a/views/bootstrap/class.MoveFolder.php
+++ b/views/bootstrap/class.MoveFolder.php
@@ -52,6 +52,7 @@ class SeedDMS_View_MoveFolder extends SeedDMS_Bootstrap_Style { ?> +