#15352: id="csrfmiddlewaretoken" regression
-----------------------------+----------------------------------------------
Reporter: jl6 | Owner: nobody
Status: new | Milestone: 1.4
Component: Template system | Version: SVN
Keywords: csrf token | Triage Stage: Unreviewed
Has patch: 0 |
-----------------------------+----------------------------------------------
Once upon a time, it was noted in issue #1827 that adding an extra
attribute to the generated {% csrf_token %} would be a good idea.
Changeset [2899] implemented it. However, that code path seems to have
been deprecated in favor of the modern CSRF-protection system, whose token
does not feature the id attribute. This is what {% csrf_token %} currently
generates:
<input type='hidden' name='csrfmiddlewaretoken'
value='296dfe12298a615b8a5db897af2d1697' />
Fast forward to the AJAX-CSRF-related changes in the latest Django 1.2.x
releases, where the example fix
(http://www.djangoproject.com/weblog/2011/feb/08/security/) is a piece of
jQuery referencing the CSRF token value using $("#csrfmiddlewaretoken") -
which relies on the token being locatable via its id attribute. If
somebody uses {% csrf_token %} in their form template, this fix will not
work for them.
Would it be a good idea to add this id attribute back into the token?
--
Ticket URL: <http://code.djangoproject.com/ticket/15352>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en.
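To make the ticket's point concrete, here is an added example (not code from the ticket, the linked advisory, or Django itself) that contrasts looking the token up by id, which is what a `$("#csrfmiddlewaretoken")` selector does, with looking it up by the `name` attribute that `{% csrf_token %}` does emit. The form markup is constructed to match the output quoted in the ticket; the tiny attribute parser exists only so the example runs outside a browser, and the `X-CSRFToken` request header is Django's documented AJAX convention, which the ticket itself does not mention.

```javascript
// Constructed markup mirroring what the ticket says {% csrf_token %} emits:
// a hidden input with a name but no id attribute.
const RENDERED_FORM = [
  "<form method='post' action='/comment/'>",
  "<input type='hidden' name='csrfmiddlewaretoken' value='296dfe12298a615b8a5db897af2d1697' />",
  "<input type='text' name='body' />",
  "</form>",
].join("\n");

// Constructed markup in the older style the ticket refers to, where the
// generated input also carried id="csrfmiddlewaretoken".
const LEGACY_FORM = [
  "<form method='post' action='/comment/'>",
  "<input type=\"hidden\" id=\"csrfmiddlewaretoken\" name=\"csrfmiddlewaretoken\" value=\"296dfe12298a615b8a5db897af2d1697\" />",
  "</form>",
].join("\n");

// Minimal <input> attribute parser so the example runs without a DOM.
// Accepts single- or double-quoted values in any attribute order.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : a[3];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Equivalent of $("#csrfmiddlewaretoken").val(): match on the id attribute.
// Returns null when no input carries that id, which is the ticket's complaint.
function tokenById(html) {
  const hit = parseInputs(html).find((i) => i.id === "csrfmiddlewaretoken");
  return hit && hit.value !== undefined ? hit.value : null;
}

// Lookup by name instead, which works with both the old and the current markup.
// In a browser this is document.querySelector('input[name="csrfmiddlewaretoken"]').value.
function tokenByName(html) {
  const hit = parseInputs(html).find((i) => i.name === "csrfmiddlewaretoken");
  return hit && hit.value !== undefined ? hit.value : null;
}

// Headers an AJAX helper should attach to a state-changing request. Django's
// CSRF middleware accepts the token in the X-CSRFToken header (assumed here
// from Django's documentation; the ticket does not state it).
function csrfHeaders(html) {
  const token = tokenByName(html);
  if (token === null) {
    throw new Error("no csrfmiddlewaretoken input found in form");
  }
  return { "X-CSRFToken": token };
}

console.log(tokenById(RENDERED_FORM));   // null: the current markup has no id
console.log(tokenById(LEGACY_FORM));     // the token: the old markup did have one
console.log(tokenByName(RENDERED_FORM)); // the token, regardless of markup style
```

The practical takeaway for anyone adapting the advisory's snippet is to select on `name` rather than `id`, or to read the token from the `csrftoken` cookie, so that the helper keeps working whichever form the template tag's output takes.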