Opened 7 years ago

Closed 7 years ago

Last modified 5 years ago

#12156 closed (wontfix)

The csrf_token should be able to use a custom template

Reported by: tolano
Owned by: ericholscher
Component: Contrib apps
Version: master
Severity:
Keywords: csrf_token, template
Cc: aribao@…
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


The code generated by this tag is wrapped into a <div style='display:none;'>

It would be very useful in order to avoid some design problems.

Besides, I'd like it more if, instead of having style='display:none', it was <div class="hidden">, for example.

Change History (8)

comment:1 Changed 7 years ago by ericholscher

  • Needs documentation unset
  • Needs tests unset
  • Owner changed from nobody to ericholscher
  • Patch needs improvement unset
  • Status changed from new to assigned

Might not be the correct solution, but it should be somehow themable.

comment:2 Changed 7 years ago by ericholscher

  • Owner ericholscher deleted
  • Status changed from assigned to new

comment:3 Changed 7 years ago by ericholscher

  • Triage Stage changed from Unreviewed to Accepted

comment:4 Changed 7 years ago by lukeplant

Would you mind specifying what the design problems are? The whole output is supposed to be invisible.

The problem here is that any solution is going to be global, and I imagine that if you change it to 'work' in one app, it might not 'work' in another app. I don't want to introduce a setting which will have this problem. Rather, we should encourage consistency.

<div class="hidden"> depends on there being some certain CSS, which isn't a good idea. Actually, the whole style="display:none" is just being defensive against browser bugs anyway, it shouldn't strictly be needed. But the div itself is needed, for HTML validity.

comment:5 Changed 7 years ago by tolano

  • Owner set to tolano
  • Status changed from new to assigned

I know that is supposed to be invisible, but the designer should have all the control over the HTML. IMHO I don't like to insert any style into the HTML, and it's a guideline in my company.

Besides that, I don't think this makes any application less consistent; Django provides in several parts a way to override a template.

The first priority should be to provide full control of the generated HTML.

comment:6 Changed 7 years ago by tolano

  • Owner changed from tolano to ericholscher
  • Status changed from assigned to new

comment:7 Changed 7 years ago by lukeplant

  • Resolution set to wontfix
  • Status changed from new to closed

I think this is one of those cases where guidelines should be broken :-) because:

  • We never want the div to be displayed, so it should be invisible, preferably even in the presence of rules like form div { margin: 10px; }
  • We cannot output class=hidden, because this code needs to be stylesheet agnostic.

If you are desperate, then provide your own {% csrf_token %} - if you load a template library that provides one, it will override the builtin. You could also use template.add_to_builtins. The amount of code needed is very small.

Closing WONTFIX for the above reasons - a stylistic problem in some code invisible to the user is not a bug :-)

comment:8 Changed 5 years ago by jacob

  • milestone 1.2 deleted

Milestone 1.2 deleted
