id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15352	"id=""csrfmiddlewaretoken"" regression"	jl6	nobody	"Once upon a time, it was noted in issue #1827 that adding an extra attribute to the generated {% csrf_token %} would be a good idea. Changeset [2899] implemented it. However, that code path seems to have been deprecated in favor of the modern CSRF-protection system, whose token does not feature the id attribute. This is what {% csrf_token %} currently generates:

<input type='hidden' name='csrfmiddlewaretoken' value='296dfe12298a615b8a5db897af2d1697' />

Fast forward to the AJAX-CSRF-related changes in the latest Django 1.2.x releases, where the example fix (http://www.djangoproject.com/weblog/2011/feb/08/security/) is a piece of jQuery referencing the CSRF token value using $(""#csrfmiddlewaretoken"") - which relies on the token being locatable via its id attribute. If somebody uses {% csrf_token %} in their form template, this fix will not work for them.

Would it be a good idea to add this id attribute back into the token? "		closed	Template system	dev		wontfix	csrf token		Unreviewed	0	0	0	0	0	0