Ticket #6925: csrf_html_fix.diff
File csrf_html_fix.diff, 2.5 KB (added by , 17 years ago) |
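--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -275,6 +275,9 @@
     'django.middleware.doc.XViewMiddleware',
 )
 
+# Set CSRF middleware output (HTML or XHTML)
+CSRF_MIDDLEWARE_OUTPUT_HTML = False
+
 ############
 # SESSIONS #
 ############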
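Review bot: The comment above the new setting does not say which value selects which output, so a reader of global_settings.py has to open the middleware to learn that the default False means XHTML. Suggest replacing it with `# Emit the CSRF middleware's hidden <input> as HTML (True) instead of XHTML (False, default).` above `CSRF_MIDDLEWARE_OUTPUT_HTML = False`. The docs hunk in this patch states the same default, so the two should use the same wording.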
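--- a/django/contrib/csrf/middleware.py
+++ b/django/contrib/csrf/middleware.py
@@ -83,11 +83,16 @@
                                            itertools.repeat(''))
             def add_csrf_field(match):
                 """Returns the matched <form> tag plus the added <input> element"""
-                return mark_safe(match.group() + "<div style='display:none;'>" + \
-                "<input type='hidden' " + idattributes.next() + \
-                " name='csrfmiddlewaretoken' value='" + csrf_token + \
-                "' /></div>")
+                csrf_field = "<div style='display:none;'>" + \
+                "<input type='hidden' " + idattributes.next() + \
+                " name='csrfmiddlewaretoken' value='" + csrf_token
 
+                if settings.CSRF_MIDDLEWARE_OUTPUT_HTML:
+                    csrf_field = csrf_field + "'></div>"
+                else:
+                    csrf_field = csrf_field + "' /></div>"
+                return mark_safe(match.group() + csrf_field)
+
             # Modify any POST forms
             response.content = _POST_FORM_RE.sub(add_csrf_field, response.content)
         return response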
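Review bot: The rebuilt `csrf_field` string still concatenates `csrf_token` straight into the `value='…'` attribute with no escaping, and the new branch reads `settings.CSRF_MIDDLEWARE_OUTPUT_HTML` once per matched form inside the callback. The token is produced elsewhere in this module (outside the hunk), presumably as a hex digest, so this is not an injection today, but a markup builder that is then passed to `mark_safe` should not depend on that: wrap the token with `escape` from `django.utils.html` and read the setting once before the callback. The branch itself can be reduced to two lines, `closing = "'></div>" if settings.CSRF_MIDDLEWARE_OUTPUT_HTML else "' /></div>"` followed by `return mark_safe(match.group() + csrf_field + closing)`, which also avoids leaving `csrf_field` holding an unterminated attribute between the two statements. `add_csrf_field` is nested in a function whose body begins before this hunk, and the hunk assumes `settings` is already imported in this module.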
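--- a/docs/csrf.txt
+++ b/docs/csrf.txt
@@ -54,6 +54,9 @@
 pages that are served as 'text/html' or 'application/xml+xhtml'
 are modified.
 
+The default output for the 'csrfmiddlewaretoken' field is XHTML. For HTML set
+''CSRF_MIDDLEWARE_OUTPUT_HTML'' to ''True''.
+
 .. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
 
 Limitations
@@ -68,4 +71,4 @@
 you might bypass the filter that adds the hidden field to the form,
 in which case form submission will always fail. It may still be possible
 to use the middleware, provided you can find some way to get the
-CSRF token and ensure that is included when your form is submitted.
\ No newline at end of file
+CSRF token and ensure that is included when your form is submitted.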