Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.

i'd rather say, you have XSS, and CSRF is an effect of this, and by eliminating XSS you are not safe from CSRF

Basically, add add ESCAPE=HTML to all variables in your template.

or better, use default_escape 'HTML', so you can't forget to do it in the template.