Context Navigation

← Previous Ticket
Next Ticket →

#6925 closed Bug (wontfix)

CSRF html output is not valid html (it is xhtml)

Reported by:	Jeffrey Gelens	Owned by:	Jeffrey Gelens
Component:	CSRF	Version:	dev
Severity:	Normal	Keywords:
Cc:		Triage Stage:	Someday/Maybe
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

The csrfmiddlewaretoken output input field is XHTML and invalidates HTML 4.01 pages when used.

To enable HTML output I think the following setting will be ok:
CSRF_MIDDLEWARE_OUTPUT_HTML = True
With default set to False.

The current output looks like,

<div style='display:none;'><input type='hidden' id='csrfmiddlewaretoken' name='csrfmiddlewaretoken' value='f78gdfgf68gdfs6' /></div>

So the new output will look like this (with html output enabled):

<div style='display:none;'><input type='hidden' id='csrfmiddlewaretoken' name='csrfmiddlewaretoken' value='f78gdfgf68gdfs6'></div>

Attachments (1)

csrf_html_fix.diff (2.5 KB ) - added by Jeffrey Gelens 17 years ago.

Download all attachments as: .zip

Change History (9)

by Jeffrey Gelens, 17 years ago

Attachment:	csrf_html_fix.diff added

comment:1 by Jeffrey Gelens, 17 years ago

Status:	new → assigned

Note: the preview for the patch doesn't seem to work, it can be download by clicking "Original Format".

comment:2 by Marc Fargas, 16 years ago

Triage Stage:	Unreviewed → Someday/Maybe

a thread about this from 2006.
Also, more recent: this one about HTML4 and XHTML in general.

It was said to hold this kind of stuff until 1.0 gets out.

comment:3 by Marc Fargas, 16 years ago

#7452 is there to keep track of the HTML5/XHTML thing.

comment:4 by Julian Bez, 16 years ago

milestone:	→ post-1.0

comment:5 by (none), 16 years ago

milestone:	post-1.0

Milestone post-1.0 deleted

comment:6 by Gabriel Hurley, 14 years ago

Component:	Contrib apps → contrib.csrf

comment:7 by Julien Phalip, 14 years ago

Severity:	→ Normal
Type:	→ Bug

comment:8 by Luke Plant, 14 years ago

Easy pickings:	unset
Resolution:	→ wontfix
Status:	assigned → closed

There is now no way we are going to provide a setting to control the HTML flavour of a single feature. It is doubtful whether we are ever going to support HTML4, as we are moving more to HTML5 now. If we ever do move to multiple-flavour, there is no need to have a separate ticket for this - #7452 tracks that.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues