#12156 closed (wontfix)
The csrf_token should be able to use a custom template
Reported by: | Adrian Ribao | Owned by: | Eric Holscher |
---|---|---|---|
Component: | Contrib apps | Version: | dev |
Severity: | Keywords: | csrf_token, template | |
Cc: | aribao@… | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The code generated by this tag is wrapped into a <div style='display:none;'>
It would be very usefull in order to avoid some design problems.
Besides I'd like it more if instead of having style='display:none' was <div class="hidden"> for example.
Change History (8)
comment:1 by , 15 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 15 years ago
Owner: | removed |
---|---|
Status: | assigned → new |
comment:3 by , 15 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:4 by , 15 years ago
Would you mind specifying what the design problems are? The whole output is supposed to be invisible.
The problem here is that any solution is going to be global, and I imagine that if you change it to 'work' in one app, it might not 'work' in another app. I don't want to introduce a setting which will have this problem. Rather, we should encourage consistency.
<div class="hidden"> depends on there being some certain CSS, which isn't a good idea. Actually, the whole style="display:none" is just being defensive against browser bugs anyway, it shouldn't strictly be needed. But the div itself is needed, for HTML validity.
comment:5 by , 15 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
I know that is supposed to be invisible, but the designer should have all the control over the HTML. IMHO I don't like to insert any style into the HTML, and it's a guideline in my company.
Besides of that, I don't think this makes any application less consistent, Django provides in several parts a way to override a template.
The first priority should be to provide full control of the generated HTML.
comment:6 by , 15 years ago
Owner: | changed from | to
---|---|
Status: | assigned → new |
comment:7 by , 15 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
I think this is one of those cases where guidelines should be broken :-) because:
- We never want the div to be displayed, so it should be invisible preferably even the in presence of rules like
form div { margin: 10px; }
- We cannot output class=hidden, because this code needs to be stylesheet agnostic.
If you are desperate, then provide your own {% csrf_token %}
- if you load a template library that provides one, it will override the builtin. You could also use template.add_to_builtins
. The amount of code needed is very small.
Closing WONTFIX for the above reasons - a stylistic problem in some code invisible to the user is not a bug :-)
Might not be the correct solution, but it should be somehow themable.