Opened 13 years ago
Closed 13 years ago
#16704 closed New feature (fixed)
Documentation on using csrf_token with non-Django template engine
| Reported by: | Owned by: | paulcwatts | |
|---|---|---|---|
| Component: | Documentation | Version: | 1.3 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
I've been teaching myself Django today by going through your tutorials. The system is great! The tutorials are great as well. Thank you very much.
I'm a big fan of the Cheetah template engine so from the get-go I've been trying to set up my Django to use Cheetah. One thing I noticed though is the Django template engine has a special handler for the {% csrf_token %} token. I had to delve into the handler for that token to figure out what to do for Cheetah. I think it's worth adding to the documentation that if they're using a non-Django template engine they should use the following HTML code in lieu of the {% csrf_token %}:
<div style="display:none"><input type="hidden" name="csrfmiddlewaretoken" value="$csrf_token"/></div>
Attachments (2)
Change History (8)
comment:1 by , 13 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 13 years ago
| Owner: | changed from to |
|---|
by , 13 years ago
| Attachment: | 16704.diff added |
|---|
comment:3 by , 13 years ago
| Has patch: | set |
|---|
This is a first draft. My concern is it may be misleading to people who are using other template engines like jQuery templates because the syntax is different. In addition, you would also need to add a modified version of the code in the AJAX section to retrieve the token from the cookie.
Documenting the HTML that the csrf_token template tag generates is useful, but hopefully the template syntax won't be leading someone down a wrong path.
comment:4 by , 13 years ago
I believe Idan was working on improved AJAX docs for CSRF, I made the same suggestion about typing out what the csrf_token outputs to him :-)
I only have two small comments:
- Cheetah might be a tad central in the description, maybe better suited more exclusively with the example so people know it's Cheetah (similar to your suggestion)
- A small "en passant" reminder to people you still need to make the token available in context might be a good thing.
Typed it out, will attach an updated patch.
by , 13 years ago
| Attachment: | 16704.csrftoken.diff added |
|---|
comment:5 by , 13 years ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
The docs state that Django doesn't force you to use its template language, and that it's designed to make it easy to use another template engine. It's coherent to give this extra bit of information in the docs of the CSRF framework.