Opened 4 years ago

Closed 4 years ago

#15251 closed (fixed)

Ajax CSRF example doesn't work as documented

Reported by: timo
Owned by: nobody
Component: Documentation
Version: 1.2
Severity:
Keywords: csrf ajax
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The jQuery example on the 1.2.5 release notes page uses $("#csrfmiddlewaretoken") but {% csrf_token %} doesn't appear to render with an ID attribute. $("input[name=csrfmiddlewaretoken]") works for me.

Attachments (1)

15251.diff (664 bytes) - added by timo 4 years ago.

Change History (4)

Changed 4 years ago by timo

comment:1 Changed 4 years ago by lukeplant

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

Accepted - this is a confusion from the docs for 1.1: http://docs.djangoproject.com/en/1.1/ref/contrib/csrf/#ajax . I'm not sure this is the best solution, as it requires having a form on the page for it to work.

In 1.1, the CSRF response middleware was the recommended method, and it inserted an input tag with an id attribute. In 1.2, the response middleware is deprecated, and the CSRF template tag (the recommended method) does not insert an input tag with an id attribute (for reasons of HTML validity - it would be much harder to ensure that only one input has an id attribute, and two with the same id is invalid HTML).

For purposes of JavaScript with 1.2 and later, I would recommend the cookie method that is found in the docs for trunk: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax because this will work even if there is no form on the page. But the code is significantly longer due to the need to parse cookies. This method will not work for 1.1.

So we need the blog announcement to be updated to have both methods. The 1.2.5 release notes in svn need to be updated to have the method that works for 1.2.X. We don't appear to have any 1.1.4 release notes in svn for some reason (or 1.1.3).
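The cookie method recommended in comment:1, as an added example (not code from this ticket, its patch, or the Django docs): it parses the cookie string and attaches the token only to unsafe, same-origin requests so the token is never sent to another site. The function names and sample values are hypothetical; `csrftoken` and `X-CSRFToken` are assumed to be Django's default cookie and header names.

```javascript
// Constructed sample of what document.cookie might contain (not real data).
const SAMPLE_COOKIES = 'xcsrftoken=decoy; sessionid=abc123; csrftoken=constructedTOKEN42';

// Return one cookie's value from a document.cookie-style string, or null.
// The name is matched exactly, so "xcsrftoken" is never mistaken for "csrftoken".
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    const eq = pair.indexOf('=');
    if (eq === -1 || pair.slice(0, eq) !== name) continue;
    const raw = pair.slice(eq + 1);
    try {
      return decodeURIComponent(raw);
    } catch (e) {
      return raw; // malformed percent-encoding: fall back to the raw value
    }
  }
  return null;
}

// Django does not require a CSRF token for these methods.
function isSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// True only if the (possibly relative) URL resolves to the page's own origin.
// Protocol-relative URLs such as "//other.example/x" resolve elsewhere.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === pageOrigin;
  } catch (e) {
    return false;
  }
}

// Extra headers for an AJAX request: the token goes only on unsafe,
// same-origin requests, and only when the cookie is actually present.
function csrfHeaders(method, url, pageOrigin, cookieString) {
  if (isSafeMethod(method) || !isSameOrigin(url, pageOrigin)) return {};
  const token = getCookie(cookieString, 'csrftoken');
  return token ? { 'X-CSRFToken': token } : {};
}

// Browser usage: csrfHeaders('POST', url, location.origin, document.cookie)
```

Unlike the `input[name=csrfmiddlewaretoken]` selector, this works on pages that contain no form.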

comment:2 Changed 4 years ago by timo

Fixed in commits for ticket #15259.

comment:3 Changed 4 years ago by timo

  • Resolution set to fixed
  • Status changed from new to closed