On Sep 23, 3:26 am, Simon Willison <[EMAIL PROTECTED]> wrote:
> On Sep 23, 9:00 am, oggie rob <[EMAIL PROTECTED]> wrote:
>> Is it worth a gut check to make sure this is worthwhile?
>
> Here's a useful case in point: the admin. Django's admin should ship
> with CSRF protection turned on and baked in. Right now, I'm willing to
> bet 95% of the Django admin sites out there are exploitable via CSRF
> because the middleware wasn't turned on. This is really bad.
I'm sorry, I used the wrong term here. I didn't mean that CSRF protection isn't worthwhile, just that going the route of an extended form might not be the best way to do it.

As for suggestions, I'm not sure I have one exactly, but I'm thinking of perhaps overriding is_valid() and maybe using the RequestContext object... not sure yet.

-rob
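A sketch of the form-level check rob is describing, added here as an illustration and not code from this thread or from Django itself: plain Python with no Django imports, where `data` and `session` are plain dicts standing in for the POST data and the server-side session, and the field name `csrfmiddlewaretoken` and the session key `csrf_token` are assumptions.

```python
import hmac
import html
import secrets

# Assumed session key under which the per-session CSRF secret is stored.
SESSION_TOKEN_KEY = "csrf_token"


def get_or_create_token(session):
    """Return the per-session CSRF secret, minting one on first use.

    A cross-site page can cause the browser to POST to us, but it cannot
    read this value, so a request that carries it came from our own form.
    """
    token = session.get(SESSION_TOKEN_KEY)
    if token is None:
        token = secrets.token_hex(32)
        session[SESSION_TOKEN_KEY] = token
    return token


class CSRFForm:
    """Minimal stand-in for a form subclass whose is_valid() checks CSRF.

    Field validation is omitted; only the token check is shown.
    """
    token_field = "csrfmiddlewaretoken"  # assumed hidden-field name

    def __init__(self, data, session):
        self.data = data
        self.session = session
        self.errors = {}

    def hidden_field(self):
        """HTML for the hidden input the template must render inside the form."""
        token = html.escape(get_or_create_token(self.session), quote=True)
        return '<input type="hidden" name="%s" value="%s">' % (self.token_field, token)

    def is_valid(self):
        """Reject the submission unless it carries the session's token."""
        expected = self.session.get(SESSION_TOKEN_KEY)
        submitted = self.data.get(self.token_field, "")
        # No token in the session means this form was never rendered for it.
        # compare_digest avoids leaking the token through timing differences.
        if not expected or not isinstance(submitted, str) or not hmac.compare_digest(
            expected.encode("utf-8"), submitted.encode("utf-8")
        ):
            self.errors[self.token_field] = "CSRF token missing or incorrect"
            return False
        return True
```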