Opened 4 years ago

Closed 4 years ago

#16704 closed New feature (fixed)

Documentation on using csrf_token with non-Django template engine

Reported by: vietjtnguyen@…
Owned by: paulcwatts
Component: Documentation
Version: 1.3
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no


I've been teaching myself Django today by going through your tutorials. The system is great! The tutorials are great as well. Thank you very much.

I'm a big fan of the Cheetah template engine so from the get-go I've been trying to set up my Django to use Cheetah. One thing I noticed though is the Django template engine has a special handler for the {% csrf_token %} token. I had to delve into the handler for that token to figure out what to do for Cheetah. I think it's worth adding to the documentation that if they're using a non-Django template engine they should use the following HTML code in lieu of the {% csrf_token %}:

<div style="display:none"><input type="hidden" name="csrfmiddlewaretoken" value="$csrf_token"/></div>

Attachments (2)

16704.diff (837 bytes) - added by paulcwatts 4 years ago.
16704.csrftoken.diff (952 bytes) - added by bpeschier 4 years ago.


Change History (8)

comment:1 Changed 4 years ago by aaugustin

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

The docs state that Django doesn't force you to use its template language, and that it's designed to make it easy to use another template engine. It's coherent to give this extra bit of information in the docs of the CSRF framework.

comment:2 Changed 4 years ago by paulcwatts

  • Owner changed from nobody to paulcwatts

Changed 4 years ago by paulcwatts

comment:3 Changed 4 years ago by paulcwatts

  • Has patch set

This is a first draft. My concern is it may be misleading to people who are using other template engines like jQuery templates because the syntax is different. In addition, you would also need to add a modified version of the code in the AJAX section to retrieve the token from the cookie.

Documenting the HTML that the csrf_token template tag generates is useful, but hopefully the template syntax won't be leading someone down a wrong path.
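
The AJAX path that comment:3 refers to, as an added example (not one of the ticket's patches and not Django's own documentation code): read the `csrftoken` cookie and send it as the `X-CSRFToken` header, but only on unsafe, same-origin requests. Cookie name `csrftoken` and header `X-CSRFToken` are Django's defaults; `document.cookie` is replaced by a constructed sample string so the snippet runs outside a browser.

```javascript
// Added example: the AJAX side of CSRF when the form is not rendered by
// Django's template engine. Django defaults: cookie "csrftoken", header
// "X-CSRFToken". Note the cookie is only set once a view has asked for the
// token (get_token() or the csrf context processor), so the non-Django
// template still has to put the token in context for this to work.

// Pull one cookie value out of a document.cookie-style string.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const raw of cookieString.split(';')) {
    const cookie = raw.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Safe methods are not protected by CsrfViewMiddleware and need no token.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(method.toUpperCase());
}

// Never attach the token to a cross-origin request; sending it to another
// site would hand the token to that site.
function sameOrigin(url, origin) {
  try {
    return new URL(url, origin).origin === origin;
  } catch (e) {
    return false;
  }
}

// Build request headers, adding X-CSRFToken only when it is needed and safe.
function csrfHeaders(method, url, cookieString, origin) {
  const headers = {};
  if (csrfSafeMethod(method) || !sameOrigin(url, origin)) return headers;
  const token = getCookie(cookieString, 'csrftoken');
  if (token === null) {
    throw new Error('csrftoken cookie missing: did the view request the token?');
  }
  headers['X-CSRFToken'] = token;
  return headers;
}

// Constructed sample values standing in for document.cookie and the page origin.
const SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=CONSTRUCTEDTOKEN0123456789';
const ORIGIN = 'https://example.com';
```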

comment:4 Changed 4 years ago by bpeschier

I believe Idan was working on improved AJAX docs for CSRF; I made the same suggestion about typing out what the csrf_token outputs to him :-)

I only have two small comments:

  • Cheetah might be a tad central in the description, maybe better suited more exclusively with the example so people know it's Cheetah (similar to your suggestion)
  • A small "en passant" reminder to people you still need to make the token available in context might be a good thing.

Typed it out, will attach an updated patch.

Changed 4 years ago by bpeschier

comment:5 Changed 4 years ago by krzysiumed

  • Triage Stage changed from Accepted to Ready for checkin

comment:6 Changed 4 years ago by aaugustin

  • Resolution set to fixed
  • Status changed from new to closed

In [17299]:

Fixed #16704 -- Documented how to insert the CSRF token outside of Django's own template engine. Thanks paulcwatts and bpeschier for the patch.
