Opened 14 years ago
Closed 14 years ago
#15251 closed (fixed)
Ajax CSRF example doesn't work as documented
Reported by: | Tim Graham | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | 1.2 |
Severity: | | Keywords: | csrf ajax |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The jQuery example on the 1.2.5 release notes page uses $("#csrfmiddlewaretoken") but {% csrf_token %} doesn't appear to render with an ID attribute. $("input[name=csrfmiddlewaretoken]") works for me.
Attachments (1)
Change History (4)
by , 14 years ago
Attachment: | 15251.diff added |
---|
comment:1 by , 14 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:3 by , 14 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Accepted - this is a confusion from the docs for 1.1: http://docs.djangoproject.com/en/1.1/ref/contrib/csrf/#ajax . I'm not sure this is the best solution, as it requires having a form on the page for it to work.
In 1.1, the CSRF response middleware was the recommended method, and it inserted an input tag with an id attribute. In 1.2, the response middleware is deprecated, and the CSRF template tag (the recommended method) does not insert an input tag with an id attribute (for reasons of HTML validity - it would be much harder to ensure that only one input has an id attribute, and two with the same id is invalid HTML).
For purposes of JavaScript with 1.2 and later, I would recommend the cookie method that is found in the docs for trunk: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax because this will work even if there is no form on the page. But the code is significantly longer due to the need to parse cookies. This method will not work for 1.1.
So we need the blog announcement to be updated to have both methods. The 1.2.5 release notes in svn need to be updated to have the method that works for 1.2.X. We don't appear to have any 1.1.4 release notes in svn for some reason (or 1.1.3).
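The cookie method mentioned in the comment above, sketched as an added example that is not code from this ticket, its patch or the Django documentation. It assumes Django's default `csrftoken` cookie name and the `X-CSRFToken` request header; the function names and the sample cookie string are constructed for illustration, and the same-origin check (so the token is never attached to a request bound for another site) goes slightly beyond what the ticket discusses.

```javascript
// Return the decoded value of cookie `name` from a document.cookie-style
// string, or null if it is absent. Names are compared exactly, so a cookie
// called "xcsrftoken" is never mistaken for "csrftoken".
function getCookie(cookieString, name) {
  for (const part of (cookieString || "").split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq === -1) continue;
    if (pair.slice(0, eq) === name) {
      const raw = pair.slice(eq + 1);
      try {
        return decodeURIComponent(raw);
      } catch (e) {
        return raw; // malformed %-escape: fall back to the raw value
      }
    }
  }
  return null;
}

// Methods that do not change state need no CSRF token.
function isSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// True only when `url`, resolved against the page URL, has the page's origin.
// Relative URLs resolve to the page's origin; "//host/path" does not.
function isSameOrigin(url, pageUrl) {
  try {
    return new URL(url, pageUrl).origin === new URL(pageUrl).origin;
  } catch (e) {
    return false; // unparsable URL: do not send the token
  }
}

// Headers to add to an Ajax request. The token is sent only on unsafe,
// same-origin requests, and no form needs to exist on the page.
function csrfHeaders(method, url, cookieString, pageUrl) {
  if (isSafeMethod(method) || !isSameOrigin(url, pageUrl)) return {};
  const token = getCookie(cookieString, "csrftoken");
  return token === null ? {} : { "X-CSRFToken": token };
}

// Constructed sample input, standing in for document.cookie and location.href.
const SAMPLE_COOKIES = "sessionid=abc123; csrftoken=tok%2Bvalue; theme=dark";
const SAMPLE_PAGE = "https://app.example/accounts/profile/";
```

In a browser, pass `document.cookie` and `window.location.href` as the last two arguments and merge the result into the request's headers.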