Ticket #6925: csrf_html_fix.diff

File csrf_html_fix.diff, 2.5 KB (added by jgelens, 7 years ago)
  • django/conf/global_settings.py

     
    275275    'django.middleware.doc.XViewMiddleware',
    276276)
    277277
     278# Set CSRF middleware output (HTML or XHTML)
     279CSRF_MIDDLEWARE_OUTPUT_HTML = False
     280
    278281############
    279282# SESSIONS #
    280283############
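Review bot: the comment above the new `CSRF_MIDDLEWARE_OUTPUT_HTML` setting does not say which value selects which output. Since the middleware hunk emits the XHTML form (`' /></div>`) when the setting is `False` (the default) and the HTML form (`'></div>`) when it is `True`, say so in the comment, e.g. `# If True, the CSRF middleware emits HTML (<input ...>); if False (default) it emits XHTML (<input ... />)`.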
  • django/contrib/csrf/middleware.py

     
    8383                                            itertools.repeat(''))
    8484            def add_csrf_field(match):
    8585                """Returns the matched <form> tag plus the added <input> element"""
    86                 return mark_safe(match.group() + "<div style='display:none;'>" + \
    87                 "<input type='hidden' " + idattributes.next() + \
    88                 " name='csrfmiddlewaretoken' value='" + csrf_token + \
    89                 "' /></div>")
     86                csrf_field = "<div style='display:none;'>" + \
     87                    "<input type='hidden' " + idattributes.next() + \
     88                    " name='csrfmiddlewaretoken' value='" + csrf_token
    9089
     90                if settings.CSRF_MIDDLEWARE_OUTPUT_HTML:
     91                    csrf_field = csrf_field + "'></div>"
     92                else:
     93                    csrf_field = csrf_field + "' /></div>"
     94                return mark_safe(match.group() + csrf_field)
     95
    9196            # Modify any POST forms
    9297            response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)
    9398        return response
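Review bot: a single global boolean is a coarse switch for the `'></div>` versus `' /></div>` branch in `add_csrf_field`, because the docs hunk states that the middleware rewrites both `text/html` and `application/xml+xhtml` responses, so a site serving both content types gets the wrong closing form on one of them; consider deriving the choice from the response's Content-Type (self-closing `<input ... />` for `application/xml+xhtml`) and keeping the setting only as an override. Two smaller points: the hunk does not show the module imports, so confirm that `settings` (from `django.conf`) is already available in `middleware.py`; and reading `settings.CSRF_MIDDLEWARE_OUTPUT_HTML` inside `add_csrf_field` repeats the lookup for every matched form, so computing the closing string once before the `_POST_FORM_RE.sub` call is cheaper and leaves the callback with a single `return`.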
  • docs/csrf.txt

     
    5454pages that are served as 'text/html' or 'application/xml+xhtml'
    5555are modified.
    5656
     57The default output for the 'csrfmiddlewaretoken' field is XHTML. For HTML set
     58''CSRF_MIDDLEWARE_OUTPUT_HTML'' to ''True''.
     59
    5760.. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
    5861
    5962Limitations
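Review bot: the doubled single quotes around `''CSRF_MIDDLEWARE_OUTPUT_HTML''` and `''True''` are Trac wiki markup, not reStructuredText; `docs/csrf.txt` is reST (see the `.. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616:` hyperlink target a few lines below), so use double-backtick literals, ``CSRF_MIDDLEWARE_OUTPUT_HTML`` and ``True``. It would also help readers to show the two outputs, i.e. that XHTML yields `<input ... />` and HTML yields `<input ...>`.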
     
    6871you might bypass the filter that adds the hidden field to the form,
    6972in which case form submission will always fail.  It may still be possible
    7073to use the middleware, provided you can find some way to get the
    71 CSRF token and ensure that is included when your form is submitted.
    72  No newline at end of file
     74CSRF token and ensure that is included when your form is submitted.
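Review bot: the only change in this hunk is adding the missing newline at the end of the file (the `No newline at end of file` marker on the removed line); it is unrelated to the new setting, so either mention it in the ticket or drop it to keep the patch focused.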