uPortal 5 adds CSRF protection through tokens managed by Spring Security.
This protection is automatic for portlets (no changes required), provided that portlets always use an actionURL for any POST request. (That was always a best practice.)
createCalendarDefinition.jsp has a <form> that violates this pattern: it uses a renderURL in a <form> with method=post.
We should change the method to GET or change the URL to an actionURL.