﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
10884	CSRF Middleware regular expression doesn't take into account spaces.	Ryszard Szopa <ryszard.szopa@…>	nobody	"The CSRF protection middleware regular expression that looks for forms with method POST assumes that there are no spaces between the attribute name and the '=' sign or between the '=' sign and the attribute value.
This means that forms like this:
{{{
<form method = ""post"">
    ...
</form>
}}}

(which browsers generally accept and interpret correctly) won't be caught by the regexp, the inputs with the magic tokens won't be inserted, and the user will get a 403 Forbidden error. Moreover, additional whitespace is rather difficult to spot (and isn't obviously relevant to the issue of CSRF), making the whole thing rather frustrating to debug.

A very easy fix is to change the regular expression:

{{{
_POST_FORM_RE = \
    re.compile(r'(<form\W[^>]*\bmethod\s*=\s*(\'|""|)POST(\'|""|)\b[^>]*>)', re.IGNORECASE)
}}}"		closed	Contrib apps	dev		fixed	csrf		Unreviewed	1	0	0	0	0	0
