Opened 13 years ago

Closed 13 years ago

#15251 closed (fixed)

Ajax CSRF example doesn't work as documented

Reported by: Tim Graham Owned by: nobody
Component: Documentation Version: 1.2
Severity: Keywords: csrf ajax
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


The jQuery example on the 1.2.5 release notes page uses $("#csrfmiddlewaretoken") but {% csrf_token %} doesn't appear to render with an ID attribute. $("input[name=csrfmiddlewaretoken]") works for me.

Attachments (1)

15251.diff (664 bytes ) - added by Tim Graham 13 years ago.

Download all attachments as: .zip

Change History (4)

by Tim Graham, 13 years ago

Attachment: 15251.diff added

comment:1 by Luke Plant, 13 years ago

Triage Stage: UnreviewedAccepted

Accepted - this is a confusion from the docs for 1.1: . I'm not sure this is the best solution, as it requires having a form on the page for it to work.

In 1.1, the CSRF response middleware was the recommended method, and it inserted an input tag with an id attribute. In 1.2, the response middleware is deprecated, and the CSRF template tag (the recommended method) does not insert an input tag with an id attribute (for reasons of HTML validity - it would be much harder to ensure that only one input has an id attribute, and two with the same id is invalid HTML).

For purposes of javascript with 1.2 and later, I would recommend the cookie method that is found in the docs for trunk: because this will work even if there is no form on the page. But the code is significantly longer due to the need to parse cookies. This method will not work for 1.1.

So we need the blog announcement to be updated to have both methods. The 1.2.5 release notes in svn need to be updated to have the method that works for 1.2.X. We don't appear to have any 1.1.4 release notes in svn for some reason (or 1.1.3).

comment:2 by Tim Graham, 13 years ago

Fixed in commits for ticket #15259.

comment:3 by Tim Graham, 13 years ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.
Back to Top