> I propose django.forms should include a SafeForm class, which is a
> subclass of Form that includes built-in protection against CSRF. I
> imagine the interface looking something like this:
Why wouldn't the safe form class be the forms.Form class instead? We do XSS-protection by default already, so why don't we encourage CSRF-protection, too? If for some reason you wouldn't want CSRF-magic in your forms, we could have forms.UnsafeForm (or whatever). Of course, this would probably mean a backwards incompatible change, but I think that this is something that we'd want in the long run. I'm not saying that we should push this further from 1.1 but that we should definitely make something like this (however it's implemented) the default way in the long run.

As a separate note, I'd also like some well documented low-level helpers to make protecting AJAX calls easier.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
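To make the two ideas in this thread concrete (a form base class that carries its own CSRF check, plus a low-level helper that AJAX endpoints can reuse), here is an added, framework-free sketch. It is illustrative code written for this page, not Django's implementation and not code from either poster. The `Session` class is a constructed stand-in for a real session backend, and the names `CSRF_SESSION_KEY`, `CSRF_FORM_FIELD`, `CSRF_HEADER`, `SafeForm`, `verify_token` and `ajax_request_is_safe` are hypothetical.

```python
import hmac
import secrets
from html import escape


# Constructed stand-in for a server-side session store; a real application
# would use its framework's session backend instead.
class Session(dict):
    pass


# Hypothetical names for the session key, the hidden form field and the
# request header an AJAX client would use.
CSRF_SESSION_KEY = "_csrf_token"
CSRF_FORM_FIELD = "csrf_token"
CSRF_HEADER = "X-CSRF-Token"


def get_or_create_token(session):
    """Return the session's CSRF secret, minting one on first use.

    One unpredictable value per session is enough: a page on another
    origin cannot read it, so it cannot echo it back in a forged request."""
    token = session.get(CSRF_SESSION_KEY)
    if token is None:
        token = secrets.token_hex(32)
        session[CSRF_SESSION_KEY] = token
    return token


def verify_token(session, submitted):
    """Low-level check shared by forms and AJAX endpoints.

    True only if the session already holds a token and the submitted value
    matches it. The comparison is constant-time so a mismatch does not leak
    how many leading characters were right."""
    expected = session.get(CSRF_SESSION_KEY)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


class SafeForm:
    """Form base class that renders and validates its own CSRF field.

    `session` is the current user's session; `data` is the submitted POST
    data, or None for an unbound form that is only being rendered."""

    def __init__(self, session, data=None):
        self.session = session
        self.data = data
        self.errors = {}

    def csrf_input(self):
        """Hidden input to include in the rendered form."""
        token = get_or_create_token(self.session)
        return '<input type="hidden" name="%s" value="%s">' % (
            escape(CSRF_FORM_FIELD), escape(token))

    def clean(self):
        """Hook for subclasses' own field validation; the default accepts."""
        return True

    def is_valid(self):
        """The CSRF check runs first; a missing or wrong token fails the form
        before any application-level validation is reached."""
        if self.data is None:
            return False
        if not verify_token(self.session, self.data.get(CSRF_FORM_FIELD)):
            self.errors[CSRF_FORM_FIELD] = "missing or invalid CSRF token"
            return False
        return self.clean()


def ajax_request_is_safe(session, headers):
    """Helper for JSON/XHR endpoints: the client copies the token it was
    given into a request header and the server checks it the same way."""
    return verify_token(session, headers.get(CSRF_HEADER))


if __name__ == "__main__":
    # Constructed walk-through: render a form, then replay the token.
    session = Session()
    print(SafeForm(session).csrf_input())
    token = session[CSRF_SESSION_KEY]
    print("genuine submit:", SafeForm(session, {CSRF_FORM_FIELD: token}).is_valid())
    print("forged submit: ", SafeForm(session, {CSRF_FORM_FIELD: "guess"}).is_valid())
    print("ajax with header:", ajax_request_is_safe(session, {CSRF_HEADER: token}))
```

The design point is that the same `verify_token` helper backs both the form field and the AJAX header check, so an application that adopts the safe-by-default form class gets the same guarantee on its XHR endpoints without a second, slightly different implementation.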