Opened 10 years ago

Closed 7 years ago

#6925 closed Bug (wontfix)

CSRF html output is not valid html (it is xhtml)

Reported by: Jeffrey Gelens
Owned by: Jeffrey Gelens
Component: CSRF
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Someday/Maybe
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX:


The csrfmiddlewaretoken output input field is XHTML and invalidates HTML 4.01 pages when used.

To enable HTML output I think the following setting will be ok:
With default set to False.

The current output looks like,

<div style='display:none;'><input type='hidden' id='csrfmiddlewaretoken' name='csrfmiddlewaretoken' value='f78gdfgf68gdfs6' /></div>

So the new output will look like this (with html output enabled):

<div style='display:none;'><input type='hidden' id='csrfmiddlewaretoken' name='csrfmiddlewaretoken' value='f78gdfgf68gdfs6'></div>

Attachments (1)

csrf_html_fix.diff (2.5 KB) - added by Jeffrey Gelens 10 years ago.


Change History (9)

Changed 10 years ago by Jeffrey Gelens

Attachment: csrf_html_fix.diff added

comment:1 Changed 10 years ago by Jeffrey Gelens

Status: new → assigned

Note: the preview for the patch doesn't seem to work, it can be downloaded by clicking "Original Format".

comment:2 Changed 10 years ago by Marc Fargas

Triage Stage: Unreviewed → Someday/Maybe

A thread about this from 2006.
Also, more recent: this one about HTML4 and XHTML in general.

It was said to hold this kind of stuff until 1.0 gets out.

comment:3 Changed 10 years ago by Marc Fargas

#7452 is there to keep track of the HTML5/XHTML thing.

comment:4 Changed 10 years ago by Julian Bez

milestone: post-1.0

comment:5 Changed 9 years ago by (none)

milestone: post-1.0

Milestone post-1.0 deleted

comment:6 Changed 7 years ago by Gabriel Hurley

Component: Contrib apps → contrib.csrf

comment:7 Changed 7 years ago by Julien Phalip

Severity: Normal
Type: Bug

comment:8 Changed 7 years ago by Luke Plant

Easy pickings: unset
Resolution: wontfix
Status: assigned → closed

There is now no way we are going to provide a setting to control the HTML flavour of a single feature. It is doubtful whether we are ever going to support HTML4, as we are moving more to HTML5 now. If we ever do move to multiple-flavour, there is no need to have a separate ticket for this - #7452 tracks that.
