#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
          Reporter:  bthomas                 |         Owner:  lukeplant
            Status:  assigned                |     Milestone:           
         Component:  Uncategorized           |       Version:  SVN      
        Resolution:                          |      Keywords:  csrf     
             Stage:  Design decision needed  |     Has_patch:  1        
        Needs_docs:  1                       |   Needs_tests:  0        
Needs_better_patch:  1                       |  
---------------------------------------------+------------------------------
Comment (by Glenn):

 > If you obsess about HTML perfection, even though it is invisible to
 > users, then you might be bothered about the field being inserted twice

 I don't consider avoiding sloppy data "obsession".

 > one could argue that every time you write <form action="" method="POST">

 This isn't really repetition, because it's actually specifying something:
 the form's target and type.  By contrast, the CSRF field is, with few
 exceptions, strictly boilerplate.  In any case, existing repetition is a
 weak justification for more.

 In any case, here's an alternative approach.  Rails provides a helper for
 generating form tags.  It more or less wraps their equivalent of reverse()
 and generates the <form> and </form> tags.  The tag generation itself
 isn't very interesting, but it's particularly handy for automating things
 like this.  form(action="url", method="POST"); form(view="view.name",
 method="GET"), etc.  I'd probably implement something like this in my
 templates (I'm not using Django's) if I wanted to have CSRF tags added
 without postprocessing.  Of course, this is supplementary, not a
 replacement; there's no reason to block this patch for it.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:24>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
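
A form-opening helper of the kind the comment describes, as an added example; it is not code from the ticket, its patch, or Django. The names `form_open`, `is_same_site` and `csrf_token` are hypothetical, and the token and host are assumed to be supplied by the caller. It emits the hidden field only for POST forms whose action stays on the site's own host, so the token never ends up in a GET query string or in a request to another site.

```python
from html import escape
from urllib.parse import urlsplit

UNSAFE_METHODS = {"POST"}   # methods whose forms carry the token
FIELD_NAME = "csrf_token"   # hypothetical hidden-field name


def is_same_site(action, host):
    """True for a relative action or an absolute URL on our own host."""
    # Fail closed on backslashes, whitespace and control characters:
    # browsers normalise these, so "/\\other.example" can leave the site.
    if any(ch == "\\" or ord(ch) <= 0x20 for ch in action):
        return False
    parts = urlsplit(action)
    if not parts.scheme and not parts.netloc:
        return True  # "", "/path", "path?x=1"
    return (parts.scheme in ("http", "https")
            and parts.netloc.lower() == host.lower())


def form_open(action, method, token, host):
    """Return the opening <form> tag, plus the CSRF field when appropriate."""
    method = method.upper()
    html = '<form action="%s" method="%s">' % (escape(action), escape(method))
    if method in UNSAFE_METHODS and is_same_site(action, host):
        html += '<input type="hidden" name="%s" value="%s">' % (
            FIELD_NAME, escape(token))
    return html


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    for action, method in [("", "post"),
                           ("/search", "get"),
                           ("https://other.example/pay", "post")]:
        print(form_open(action, method, "tok123", "example.com"))
```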