feat(Form): add parameter to omit security token in forms

This is useful for anonymously useable forms, like the search.

inc/Form/Form.php

@@ -24,8 +24,9 @@ class Form extends Element {
      * Creates a new, empty form with some default attributes
      *
      * @param array $attributes
+     * @param bool  $unsafe     if true, then the security token is ommited
      */
-    public function __construct($attributes = array()) {
+    public function __construct($attributes = array(), $unsafe = false) {
         global $ID;
 
         parent::__construct('form', $attributes);
@@ -49,7 +50,9 @@ class Form extends Element {
         }
 
         // add the security token by default
-        $this->setHiddenField('sectok', getSecurityToken());
+        if (!$unsafe) {
+            $this->setHiddenField('sectok', getSecurityToken());
+        }
 
         // identify this as a new form based form in HTML
         $this->addClass('doku_form');

inc/Ui/Search.php

@@ -65,7 +65,7 @@ class Search extends Ui
     {
         global $lang, $ID, $INPUT;
 
-        $searchForm = (new Form())->attrs(['method' => 'get'])->addClass('search-results-form');
+        $searchForm = (new Form(['method' => 'get'], true))->addClass('search-results-form');
         $searchForm->setHiddenField('do', 'search');
         $searchForm->setHiddenField('id', $ID);
         $searchForm->setHiddenField('sf', '1');

inc/template.php

@@ -667,7 +667,7 @@ function tpl_searchform($ajax = true, $autocomplete = true) {
         'role' => 'search',
         'class' => 'search',
         'id' => 'dw__search',
-    ]);
+    ], true);
     $searchForm->addTagOpen('div')->addClass('no');
     $searchForm->setHiddenField('do', 'search');
     $searchForm->setHiddenField('id', $ID);