diff --git a/core/modules/image/image.admin.inc b/core/modules/image/image.admin.inc
index 59cc1c6..67cf89c 100644
--- a/core/modules/image/image.admin.inc
+++ b/core/modules/image/image.admin.inc
@@ -312,9 +312,10 @@
 $form['data']['#tree'] = TRUE;
 // Check the URL for a weight, then the image effect, otherwise use default.
+ $weight = Drupal::request()->query->get('weight');
 $form['weight'] = array(
 '#type' => 'hidden',
- '#value' => isset($_GET['weight']) ? intval($_GET['weight']) : (isset($effect['weight']) ? $effect['weight'] : count($style->effects)),
+ '#value' => isset($weight) ? intval($weight) : (isset($effect['weight']) ? $effect['weight'] : count($style->effects)),
 );
 $form['actions'] = array('#type' => 'actions');
diff --git a/core/modules/image/image.module b/core/modules/image/image.module
index 47b2e21..6e1691d 100644
--- a/core/modules/image/image.module
+++ b/core/modules/image/image.module
@@ -537,7 +537,8 @@
 // denial-of-service attacks.)
 $valid = !empty($style) && file_stream_wrapper_valid_scheme($scheme);
 if (!config('image.settings')->get('allow_insecure_derivatives')) {
- $valid = $valid && isset($_GET[IMAGE_DERIVATIVE_TOKEN]) && $_GET[IMAGE_DERIVATIVE_TOKEN] === image_style_path_token($style->name, $scheme . '://' . $target);
+ $image_derivative_token = Drupal::request()->query->get(IMAGE_DERIVATIVE_TOKEN);
+ $valid = $valid && isset($image_derivative_token) && $image_derivative_token === image_style_path_token($style->name, $scheme . '://' . $target);
 }
 if (!$valid) {
 throw new AccessDeniedHttpException();
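Review bot: In image.admin.inc, `query->get('weight')` can hand back a non-scalar when the URL carries an array-style `weight[]` parameter (assuming the request's parameter bag returns arrays as-is), and `intval()` of a non-empty array is silently 1, so the hidden field ends up with a weight the user never supplied. Checking the type before converting keeps the fallback chain meaningful: `'#value' => is_numeric($weight) ? (int) $weight : (isset($effect['weight']) ? $effect['weight'] : count($style->effects)),`. The enclosing form builder starts and ends outside the hunk.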
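Review bot: The derivative token check in image.module still compares with `===`, which stops at the first differing byte and so is not constant-time for a value that gates access to derivative generation. If the minimum supported PHP provides `hash_equals()` (5.6+), or the project has a constant-time comparison helper, prefer `$valid = $valid && is_string($image_derivative_token) && hash_equals(image_style_path_token($style->name, $scheme . '://' . $target), $image_derivative_token);`. The `is_string()` guard keeps array-valued query input rejected, as the strict comparison does today, and makes the separate `isset()` redundant. The surrounding function begins and ends outside the hunk.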