id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
10884,CSRF Middleware regular expression doesn't take in account spaces.,Ryszard Szopa ,nobody,"The CSRF protection middleware regular expression that looks for forms with method POST assumes that there are no spaces between the attribute name and the '=' sign or between the '=' sign and the attribute value. This means that forms like this: {{{
...
}}}
(which browsers generally accept and interpret correctly) won't be caught by the regexp, the inputs with the magic tokens won't be inserted, and the user will get a 403 Forbidden error. Moreover, additional whitespace is rather difficult to spot (and isn't obviously relevant to the issue of CSRF), making the whole thing rather frustrating to debug. A very easy fix is to change the regular expression:
{{{
_POST_FORM_RE = \
    re.compile(r'(<form\W[^>]*\bmethod\s*=\s*(\'|""|)POST(\'|""|)\b[^>]*>)', re.IGNORECASE)
}}}",,closed,Contrib apps,dev,,fixed,csrf,,Unreviewed,1,0,0,0,0,0