I am using framework version 1.1.20. I have noticed that validateCSRFToken is not working with a POST request. In investigating further I discovered that the token value store in $_POST is UrlEncoded, and thus does not get unmasked by unmaskToken.
To prove this, I changed line 1370 in CHttpRequest.php from
This solved the problem, but I am wondering if there is a way to resolve this without changing the framework.