diff --git c/core/modules/system/lib/Drupal/system/Controller/ThemeController.php w/core/modules/system/lib/Drupal/system/Controller/ThemeController.php index 43166f0..7cb00c8 100644 --- c/core/modules/system/lib/Drupal/system/Controller/ThemeController.php +++ w/core/modules/system/lib/Drupal/system/Controller/ThemeController.php @@ -9,6 +9,7 @@ use Drupal\Core\Config\Config; use Drupal\Core\Controller\ControllerBase; +use Drupal\Core\Access\CsrfTokenGenerator; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; @@ -35,7 +36,7 @@ public function disable(Request $request) { $token = $request->get('token'); $config = $this->config('system.theme'); - if (isset($theme) && isset($token) && drupal_valid_token($token, 'system-theme-operation-link')) { + if (isset($theme) && isset($token) && $this->getTokenGenerator()->validate($token, 'system-theme-operation-link')) { // Get current list of themes. $themes = list_themes(); @@ -77,7 +78,7 @@ public function enable(Request $request) { $theme = $request->get('theme'); $token = $request->get('token'); - if (isset($theme) && isset($token) && drupal_valid_token($token, 'system-theme-operation-link')) { + if (isset($theme) && isset($token) && $this->getTokenGenerator()->validate($token, 'system-theme-operation-link')) { // Get current list of themes. $themes = list_themes(TRUE); @@ -98,7 +99,7 @@ public function enable(Request $request) { /** * Set the default theme. - * + * * @param \Symfony\Component\HttpFoundation\Request $request * A request object containing a theme name and a valid token. * 
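Review bot: In `disable()`, `$token` reaches `validate()` after only an `isset()` check, so a `token` parameter sent as an array is passed straight into the comparison; the rewritten conditions in `enable()` and `defaultTheme()` have the same gap. Whether `CsrfTokenGenerator::validate()` rejects non-string input is not visible on this page, so I would guard at the call site: `if (is_string($theme) && is_string($token) && $this->getTokenGenerator()->validate($token, 'system-theme-operation-link')) {`. All three operations also validate against the same value `'system-theme-operation-link'`, so one token covers disabling, enabling and changing the default for any theme; if the code that builds the links can change too, binding the value to the operation and theme name would narrow that. The method bodies continue outside the hunks.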
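Review bot: `enable()` (and `disable()` in the previous hunk) reads `theme` and `token` with `$request->get()`, which falls back through route attributes, the query string and the POST body, while `defaultTheme()` reads them with `$request->query->get()`. Since the commit already touches all three checks, I would read from one explicit source so the CSRF check does not depend on which parameter bag supplied the value: `$theme = $request->query->get('theme');` and `$token = $request->query->get('token');`. These are context lines in the hunk, and the rest of `enable()` lies outside it.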
@@ -110,12 +111,11 @@ public function enable(Request $request) { * the token is invalid. */ public function defaultTheme(Request $request) { - // Set the page title. $config = $this->config('system.theme'); $theme = $request->query->get('theme'); $token = $request->query->get('token'); - if (isset($theme) && isset($token) && drupal_valid_token($token, 'system-theme-operation-link')) { + if (isset($theme) && isset($token) && $this->getTokenGenerator()->validate($token, 'system-theme-operation-link')) { // Get current list of themes. $themes = list_themes(); @@ -158,4 +158,17 @@ public function defaultTheme(Request $request) { throw new AccessDeniedHttpException(); } + /** + * Gets Token Generator Service. + * + * @return \Drupal\Core\Access\CsrfTokenGenerator + **/ + public function getTokenGenerator() + { + if (empty($this->tokenGenerator)) { + $this->tokenGenerator = $this->container->get('csrf_token'); + } + return $this->tokenGenerator; + } + }
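Review bot: `getTokenGenerator()` is added as `public` and assigns `$this->tokenGenerator`, but no visible hunk declares that property, so it is created dynamically and the accessor becomes part of the controller's public surface. I would declare `protected $tokenGenerator;` with a `@var \Drupal\Core\Access\CsrfTokenGenerator` docblock and make the method `protected function getTokenGenerator() {`, with the brace on the signature line as in the other methods of this file. The docblock should close with `*/` rather than `**/` and carry a summary such as `Returns the CSRF token generator, fetching it from the container on first use.` The `use Drupal\Core\Access\CsrfTokenGenerator;` added in the first hunk appears unused, because the `@return` tag spells out the fully qualified name.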