Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#15259 closed (fixed)

Django Weblog suggested workaround for XMLHttpRequest CSRF fix in 1.2.5 uses wrong jQuery selector

Reported by: markhellewell
Owned by: nobody
Component: *.djangoproject.com
Version: 1.2
Severity:
Keywords: blocker
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The "{% csrf_token %}" template tag outputs a form field which looks like this:

<input type='hidden' name='csrfmiddlewaretoken' value='...'/>

but the jQuery example of how to include this in your XMLHttpRequest uses an id-style selector. It should instead look like this:

$("input[name='csrfmiddlewaretoken']").val()
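
An added example, not part of the ticket or the Django weblog post: it reads the token by the field's name attribute and attaches it as the X-CSRFToken header (which Django's CSRF middleware accepts for AJAX requests) only on same-origin requests with unsafe methods, so the token is never sent to another site. The function names, `sampleDoc` and the token value are hypothetical and constructed for illustration.

```javascript
// Added example; function names and sample data are hypothetical.
// {% csrf_token %} renders a hidden input with a name attribute and no id,
// so the field must be selected by name.
const TOKEN_SELECTOR = "input[name='csrfmiddlewaretoken']";

// Methods that Django's CSRF middleware does not check.
function isSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// True when url (relative, absolute or protocol-relative) resolves to the
// same scheme, host and port as the page that issues the request.
function isSameOrigin(url, pageUrl) {
  return new URL(url, pageUrl).origin === new URL(pageUrl).origin;
}

// Returns the token string, or null when the template did not render it.
function readCsrfToken(doc) {
  const field = doc.querySelector(TOKEN_SELECTOR);
  return field ? field.value : null;
}

// Headers to set on an XMLHttpRequest before send(). Empty for safe methods
// and for cross-origin targets, which must never receive the token.
function csrfHeaders(doc, method, url, pageUrl) {
  if (isSafeMethod(method) || !isSameOrigin(url, pageUrl)) return {};
  const token = readCsrfToken(doc);
  if (token === null) throw new Error("csrfmiddlewaretoken field not found");
  return { "X-CSRFToken": token };
}

// Constructed stand-in for a page's document object: it matches only the
// name-based selector, as a page rendered with {% csrf_token %} would.
const sampleDoc = {
  querySelector(selector) {
    return selector === TOKEN_SELECTOR ? { value: "constructed-token" } : null;
  },
};

console.log(csrfHeaders(sampleDoc, "POST", "/save/", "https://example.test/form/"));
console.log(csrfHeaders(sampleDoc, "POST", "https://other.test/save/", "https://example.test/form/"));
```

In a browser, pass `document` and `window.location.href`, then call `xhr.setRequestHeader` for each returned header.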

Change History (5)

comment:1 Changed 4 years ago by russellm

  • Keywords blocker added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

There are a couple of follow-up items that probably bear mentioning:

  • Correcting this error in the example
  • Pointing out the other two minor backwards incompatibilities listed in the release notes.

comment:2 Changed 4 years ago by russellm

  • Resolution set to fixed
  • Status changed from new to closed

In [15482]:

Fixed #15253, #15259 -- Added 1.1.4 release notes, added a section on CSRF changes to the 1.3 release notes, and corrected the example in the 1.2.5 release notes. Thanks to Gary Wilson and Mark Hellewell for the reports.

comment:3 Changed 4 years ago by russellm

Blog post has been made; fixes to release notes will be landing soon.

comment:4 Changed 4 years ago by russellm

In [15483]:

[1.2.X] Fixed #15253, #15259 -- Added 1.1.4 release notes, added a section on CSRF changes to the 1.3 release notes, and corrected the example in the 1.2.5 release notes. Thanks to Gary Wilson and Mark Hellewell for the reports.

Backport of r15482 from trunk.

comment:4 Changed 4 years ago by russellm

In [15484]:

[1.1.X] Fixed #15253, #15259 -- Added 1.1.4 release notes, added a section on CSRF changes to the 1.3 release notes, and corrected the example in the 1.2.5 release notes. Thanks to Gary Wilson and Mark Hellewell for the reports.

Backport of r15482 from trunk.
