Hi Luke,
Thanks for your quick response.
I've read the discussions about CSRF and SafeForm, in fact I already
did before posting my message. Because of your excellent wiki the
threads were easy to find.
I am not talking about SafeForm. I am sorry I wasn't clear before, but
in fact, what I want to propose is to include the lines:
<div style='display:none'><input type='hidden'
name='csrfmiddlewaretoken' value='1234567890abcdef etc' /></div>
by default when rendering a form with {{ form }}.
Would that be possible? I know of several unwanted side-effects, which
I believe we will be able to deal with using the reasoning in my first
post, but please correct me if I overlooked any loopholes.
I am looking forward to your response.
Thanks,
Wim
On Dec 31 2009, 2:29 am, Luke Plant <[email protected]> wrote:
> Hi Wim,
>
> Your suggestion sounds something like Simon's SafeForm. While some
> elements of that proposal may end up in Django, it turns out that
> implementing SafeForm as the default solution requires *bigger*
> changes to existing code than adding the csrf_token, because you would
> need to pass additional info from the request to Form for it to be
> able to do the CSRF checks. It also only works if you are using
> Django Forms and rendering them via {{ form }} (instead of field-by-
> field, for instance).
>
> If you want to see how we got to where we are, have a look at this
> thread: http://groups.google.com/group/django-developers/browse_thread/thread/3d2dc750082103dc/f3beb18c27fb7152
>
> (OK, that was a nasty trick - the thread is huge, we discussed this
> nearly to death, but that's why I'm not going to repeat all the
> arguments here).
>
> Also, you can use CsrfResponseMiddleware as an interim measure to stop
> your code from breaking, so the change to require csrf_token isn't
> quite so bad.
>
> Thanks,
>
> Luke
>
> --
> "It is a truth universally acknowledged, that a single man in
> possession of a good fortune, must be in want of a wife." (Jane
> Austen)
>
> Luke Plant ||http://lukeplant.me.uk/
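As an added illustration of Luke's point (not code from this thread, and not Django's own Form): a hypothetical form class that renders the hidden csrfmiddlewaretoken field and checks it itself, the way a SafeForm-style design would have to. It can only do either once the view hands it the request; the dict-shaped request and session are assumptions made for the example.

```python
import hmac
import secrets


class CsrfCheckedForm:
    """Hypothetical stand-in for a form that does its own CSRF check.

    Unlike a middleware-based check, both rendering the token and validating
    it depend on state that lives in the request (here: the session).
    """

    TOKEN_FIELD = "csrfmiddlewaretoken"

    def __init__(self, data=None, request=None):
        self.data = data or {}
        self.request = request  # assumed shape: {"session": {"csrf_token": str}}
        self.errors = []

    def as_html(self):
        # Rendering the hidden field needs the session token, i.e. the request.
        if self.request is None:
            raise ValueError("cannot render CSRF field without the request")
        token = self.request["session"]["csrf_token"]
        return (
            "<div style='display:none'>"
            f"<input type='hidden' name='{self.TOKEN_FIELD}' value='{token}' />"
            "</div>"
        )

    def is_valid(self):
        self.errors = []
        if self.request is None:
            self.errors.append("CSRF check impossible: form was not given the request")
            return False
        expected = self.request["session"].get("csrf_token", "")
        submitted = self.data.get(self.TOKEN_FIELD, "")
        # Constant-time comparison so a mismatch leaks nothing via timing.
        if not (expected and hmac.compare_digest(expected, submitted)):
            self.errors.append("CSRF token missing or incorrect")
            return False
        return True


def demo():
    # Constructed sample request: a session holding a freshly minted token.
    request = {"session": {"csrf_token": secrets.token_hex(16)}}
    token = request["session"]["csrf_token"]
    good = CsrfCheckedForm({"csrfmiddlewaretoken": token}, request=request)
    forged = CsrfCheckedForm({"csrfmiddlewaretoken": "0" * 32}, request=request)
    no_req = CsrfCheckedForm({"csrfmiddlewaretoken": token})  # view forgot the request
    return good.is_valid(), forged.is_valid(), no_req.is_valid()
```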
--
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-developers?hl=en.