On Mon, Sep 22, 2008 at 3:25 PM, Simon Willison <[EMAIL PROTECTED]> wrote:
> I propose django.forms should include a SafeForm class, which is a
> subclass of Form that includes built-in protection against CSRF. I
> imagine the interface looking something like this:
Yes, indeed -- we should do this, and do it quick. CSRFMiddleware is a hack; this would be quite a bit nicer.

I've not thought this through nearly as much as you or Brian obviously have, so I'll leave you two to discuss, however, I have one thought...

On Mon, Sep 22, 2008 at 4:16 PM, Simon Willison <[EMAIL PROTECTED]> wrote:
> You've reminded me of another problem with SafeForm: how does it
> interact with ModelForms? Is there a SafeModelForm as well? What about
> FormSets?

This makes me think -- is it possible that CSRF protection at the form level is too low? Perhaps it's something that needs to be happening at, say, the view level? Some sort of decorator, and/or a tag to spit out the CSRF token in the template...

Just a thought, and now I'll butt out and let you two actually get some work done.

Jacob
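The view-level approach floated above (a decorator that verifies the token, plus a tag that emits it into the template) can be sketched independently of any form class. The following is an added example written for this page; it is not code from the thread, from Django, or from any of the participants. The `Request`/`Response` stand-ins, the session key `_csrf_token`, the form field name `csrf_token` and the view `change_email` are all assumptions made for the example, and the session is a plain dict standing in for a real server-side session store.

```python
"""
Synchronizer-token CSRF protection applied at the view level.

Added example for illustration only, not Django's implementation.
The token lives in the server-side session; every state-changing
request must echo it back in a hidden form field, and the decorator
compares the two in constant time before the view runs.
"""
import functools
import hmac
import secrets
from dataclasses import dataclass, field

# Methods that must not change state and therefore need no token (RFC 7231 safe methods).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
SESSION_KEY = "_csrf_token"   # assumed session key name
FIELD_NAME = "csrf_token"     # assumed hidden-field name


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    session: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)


@dataclass
class Response:
    """Minimal stand-in for a framework response object."""
    status: int
    body: str


def get_token(request):
    """Return the per-session token, minting one on first use.

    secrets.token_urlsafe gives 256 bits of randomness in URL/HTML-safe
    characters, so the value can be placed in an attribute unescaped.
    """
    token = request.session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        request.session[SESSION_KEY] = token
    return token


def csrf_token_tag(request):
    """Template-tag analogue: the hidden input a form must carry."""
    return '<input type="hidden" name="%s" value="%s">' % (FIELD_NAME, get_token(request))


def csrf_protect(view):
    """Decorator: reject unsafe requests whose field does not match the session token."""
    @functools.wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.method in SAFE_METHODS:
            return view(request, *args, **kwargs)
        expected = request.session.get(SESSION_KEY)
        submitted = request.POST.get(FIELD_NAME, "")
        # A session with no token yet can never have rendered a valid form, so fail closed.
        # compare_digest avoids leaking the match position through timing.
        if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
            return Response(403, "CSRF verification failed")
        return view(request, *args, **kwargs)
    return wrapper


@csrf_protect
def change_email(request):
    """Hypothetical state-changing view that is protected by the decorator."""
    return Response(200, "email changed")


if __name__ == "__main__":
    # Render the form (GET) so the session acquires a token, then submit it (POST).
    req = Request("GET")
    hidden = csrf_token_tag(req)
    token = req.session[SESSION_KEY]
    ok = change_email(Request("POST", session=req.session, POST={FIELD_NAME: token}))
    forged = change_email(Request("POST", session=req.session, POST={FIELD_NAME: "attacker-guess"}))
    print(hidden)
    print(ok.status, forged.status)
```

Because the check is on the view rather than the form, it covers a ModelForm, a FormSet or a hand-written POST handler equally, which is the point raised in the message. A real deployment would also need to rotate the token on login and would typically keep this logic in middleware so that forgetting the decorator on one view fails safe rather than open.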