Opened 7 years ago

Closed 7 years ago

Last modified 5 years ago

#12156 closed (wontfix)

The csrf_token should be able to use a custom template

Reported by: Adrian Ribao Owned by: Eric Holscher
Component: Contrib apps Version: master
Severity: Keywords: csrf_token, template
Cc: aribao@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

The code generated by this tag is wrapped into a <div style='display:none;'>

It would be very usefull in order to avoid some design problems.

Besides I'd like it more if instead of having style='display:none' was <div class="hidden"> for example.

Change History (8)

comment:1 Changed 7 years ago by Eric Holscher

Needs documentation: unset
Needs tests: unset
Owner: changed from nobody to Eric Holscher
Patch needs improvement: unset
Status: newassigned

Might not be the correct solution, but it should be somehow themable.

comment:2 Changed 7 years ago by Eric Holscher

Owner: Eric Holscher deleted
Status: assignednew

comment:3 Changed 7 years ago by Eric Holscher

Triage Stage: UnreviewedAccepted

comment:4 Changed 7 years ago by Luke Plant

Would you mind specifying what the design problems are? The whole output is supposed to be invisible.

The problem here is that any solution is going to be global, and I imagine that if you change it to 'work' in one app, it might not 'work' in another app. I don't want to introduce a setting which will have this problem. Rather, we should encourage consistency.

<div class="hidden"> depends on there being some certain CSS, which isn't a good idea. Actually, the whole style="display:none" is just being defensive against browser bugs anyway, it shouldn't strictly be needed. But the div itself is needed, for HTML validity.

comment:5 Changed 7 years ago by Adrian Ribao

Owner: set to Adrian Ribao
Status: newassigned

I know that is supposed to be invisible, but the designer should have all the control over the HTML. IMHO I don't like to insert any style into the HTML, and it's a guideline in my company.

Besides of that, I don't think this makes any application less consistent, Django provides in several parts a way to override a template.

The first priority should be to provide full control of the generated HTML.

comment:6 Changed 7 years ago by Adrian Ribao

Owner: changed from Adrian Ribao to Eric Holscher
Status: assignednew

comment:7 Changed 7 years ago by Luke Plant

Resolution: wontfix
Status: newclosed

I think this is one of those cases where guidelines should be broken :-) because:

  • We never want the div to be displayed, so it should be invisible preferably even the in presence of rules like form div { margin: 10px; }
  • We cannot output class=hidden, because this code needs to be stylesheet agnostic.

If you are desperate, then provide your own {% csrf_token %} - if you load a template library that provides one, it will override the builtin. You could also use template.add_to_builtins. The amount of code needed is very small.

Closing WONTFIX for the above reasons - a stylistic problem in some code invisible to the user is not a bug :-)

comment:8 Changed 5 years ago by Jacob

milestone: 1.2

Milestone 1.2 deleted

Note: See TracTickets for help on using tickets.
Back to Top