On Sep 22, 4:25 pm, Simon Willison <[EMAIL PROTECTED]> wrote:
> CSRF[1] is one of the most common web application vulnerabilities, but
> continues to have very poor awareness in the developer community.
> Django ships with CSRF protection in the form of middleware, but it's
> off by default. I'm willing to bet most people don't turn it on.
+0.5, I've written almost the exact code for this in a project for a client. I would be +1 if:

- CsrfMiddleware was marked as deprecated. You're right; it's ugly. However:
  -- What about third-party app forms that aren't SafeForms, but need to be? The situation dictates this, not the form author.
- If there's some other way to spell form.protect(response).
  -- What about situations where the developer does not have access to the response; if the form is loaded from a template tag or filter, for instance:

     {% with model_obj|get_the_right_form as obj_form %}

  (I know, you probably don't recommend this ;)
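The SafeForm / form.protect(response) design this thread argues about, sketched as an added Python example: this is not Django's code and not the proposal's actual implementation, but a hypothetical form class using a double-submit cookie token, with constructed Request and Response stand-ins so it runs offline. The comment in protect() marks the step the reply above says a template tag or filter cannot perform.

```python
import hmac
import secrets

COOKIE_NAME = "csrftoken"  # cookie binding the token to the browser
FIELD_NAME = "csrf_token"  # hidden field carrying a copy of the token

class Request:
    """Constructed stand-in for an HTTP request (only cookies are needed here)."""
    def __init__(self, cookies=None):
        self.COOKIES = dict(cookies or {})

class Response:
    """Constructed stand-in for an HTTP response that can set cookies."""
    def __init__(self):
        self.cookies = {}

    def set_cookie(self, name, value):
        self.cookies[name] = value

class SafeForm:
    """Hypothetical form carrying its own CSRF check (double-submit cookie):
    protect() puts the token in a cookie, hidden_field() embeds the same token
    in the form, and is_valid() accepts only when both are present and equal."""
    def __init__(self, request, data=None):
        self.request = request
        self.data = data
        # Reuse the token already bound to this browser, else mint a fresh one.
        self.token = request.COOKIES.get(COOKIE_NAME) or secrets.token_urlsafe(32)
        self.errors = []

    def protect(self, response):
        # Needs the response object: the step the reply above says a template
        # tag or filter cannot perform, because it never sees the response.
        response.set_cookie(COOKIE_NAME, self.token)
        return response

    def hidden_field(self):
        return f'<input type="hidden" name="{FIELD_NAME}" value="{self.token}">'

    def is_valid(self):
        self.errors = []
        if self.data is None:  # unbound form: nothing to validate
            return False
        cookie = self.request.COOKIES.get(COOKIE_NAME, "")
        submitted = self.data.get(FIELD_NAME, "")
        # Constant-time compare; an empty cookie means this browser was never protected.
        if not cookie or not hmac.compare_digest(cookie, submitted):
            self.errors.append("CSRF token missing or incorrect")
            return False
        return True
```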