Opened 5 years ago
Closed 5 years ago
#31101 closed Cleanup/optimization (wontfix)
{% csrf_token %} fails validation for xhtml
Reported by: | Ruben Garcia | Owned by: | nobody |
---|---|---|---|
Component: | CSRF | Version: | 3.0 |
Severity: | Normal | Keywords: | xhtml, csrf |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
{% csrf_token %} produces
<input type="hidden" name="csrfmiddlewaretoken" value="TOKEN">
which does not work with XHTML.
https://docs.djangoproject.com/en/3.0/ref/csrf/
does not mention any option to make it output the correct value
<input type="hidden" name="csrfmiddlewaretoken" value="TOKEN"/>
Of course, templates could use
<input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}"/>
themselves, but this should be easy to implement.
If there is a general Django option which all middleware uses to distinguish HTML from XHTML, I have not found it; I would request that it be mentioned at
https://docs.djangoproject.com/en/3.0/ref/csrf/
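An added example, not part of the ticket or of Django's code: a stdlib-only Python check that the two forms quoted in the description differ in XML well-formedness, plus a hypothetical helper `xhtml_csrf_input` that emits the self-closed field with its value quoted and escaped. In a Django project the token would come from `django.middleware.csrf.get_token(request)`; `TOKEN` here is a constructed placeholder.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# The two forms quoted in the ticket (TOKEN is a constructed placeholder).
HTML5_FORM = '<input type="hidden" name="csrfmiddlewaretoken" value="TOKEN">'
XHTML_FORM = '<input type="hidden" name="csrfmiddlewaretoken" value="TOKEN"/>'


def is_well_formed_xml(fragment: str) -> bool:
    """Return True if the fragment parses as XML inside a <form> wrapper."""
    try:
        ET.fromstring(f"<form>{fragment}</form>")
        return True
    except ET.ParseError:
        return False


def xhtml_csrf_input(token: str) -> str:
    """Build the hidden CSRF field as a self-closed element (hypothetical helper).

    quoteattr() escapes &, < and > and picks a safe quote character, so the
    value cannot break out of the attribute even if it held markup characters.
    """
    return (
        '<input type="hidden" name="csrfmiddlewaretoken" '
        f"value={quoteattr(token)}/>"
    )


def read_back_value(fragment: str) -> str:
    """Parse the fragment as XML and return the value attribute of <input>."""
    return ET.fromstring(f"<form>{fragment}</form>").find("input").get("value")


if __name__ == "__main__":
    print("HTML5 form well-formed XML:", is_well_formed_xml(HTML5_FORM))
    print("XHTML form well-formed XML:", is_well_formed_xml(XHTML_FORM))
    print(xhtml_csrf_input("TOKEN"))
```

The field name stays `csrfmiddlewaretoken` because that is the POST key Django's CSRF middleware reads; an unquoted `value=` attribute fails the same well-formedness check as the unclosed tag.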
Change History (2)
comment:1 by , 5 years ago
comment:2 by , 5 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Django favours HTML 5, rather than XHTML across the board. There's a long history here, most recently #29681 I think (but also see #6925 which is the opposite of this ticket, from a long time ago.)
(#19363 points to the 1.4 release notes for moving the admin to HTML5, so that gives you an idea of the timescale.)
Form generation is also affected and
https://docs.djangoproject.com/en/3.0/topics/forms/
does not mention how to switch from
<input type="submit" value="OK">
to
<input type="submit" value="OK"/>
A general variable to indicate whether to generate HTML or XHTML code throughout the Django template system may be the best solution.