On Thursday 19 March 2009 15:55:35 Bob Thomas wrote:
> On Mar 18, 1:25 pm, Luke Plant <[email protected]> wrote:
> > Yep, agreed. I plan to replace the content re-writing stuff with
> > a template tag which hopefully won't be too nasty. It's just I
> > haven't had time yet, and I'd rather fix the security hole now,
> > and improve the implementation later. The exception mechanisms
> > we've got in place mean that it's not too painful to migrate:
>
> There is a patch to add the template tag on
> http://code.djangoproject.com/ticket/9977 There are still docs and
> tests to be added (though I wasn't able to find the existing tests
> for CSRF), but I think your initial concerns about the patch have
> been addressed.

The hard work isn't the template tag, it's:

- tests (the existing ones are in django/contrib/csrf/tests.py)
- documentation
- converting the admin (I really think this needs to be done before
  we can check this in, because we want to deprecate
  CsrfResponseMiddleware and make it clear in the docs what the One
  True Way is.)

Luke

--
"Oh, look. I appear to be lying at the bottom of a very deep, dark
hole. That seems a familiar concept. What does it remind me of? Ah,
I remember. Life." (Marvin the paranoid android)

Luke Plant || http://lukeplant.me.uk/
