Opened 5 years ago

Closed 5 years ago

#31101 closed Cleanup/optimization (wontfix)

{% csrf_token %} fails validation for xhtml

Reported by: Ruben Garcia
Owned by: nobody
Component: CSRF
Version: 3.0
Severity: Normal
Keywords: xhtml, csrf
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

{% csrf_token %} produces
<input type="hidden" name="csrfmiddlewaretoken" value="TOKEN">
which does not work with XHTML.
https://docs.djangoproject.com/en/3.0/ref/csrf/
does not mention any option to make it output the correct value
<input type="hidden" name="csrfmiddlewaretoken" value="TOKEN"/>

Of course, templates could use
<input type="hidden" name="{{CSRF_COOKIE_NAME}}" value="{{csrf_token}}"/>
themselves, but this should be easy to implement.

If there is a general Django option which all middleware uses to distinguish HTML from XHTML, I have not found it; I would request that it be mentioned at
https://docs.djangoproject.com/en/3.0/ref/csrf/
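
The template-level workaround mentioned in the description can be packaged as a custom tag. The following is an added example, not part of the ticket and not Django's own code: the tag name `csrf_token_xhtml` and the helpers `csrf_input` and `is_well_formed` are hypothetical, and the module is assumed to live in an installed app's `templatetags` package. It also checks well-formedness, showing why the unclosed form fails in an XML parser.

```python
"""XHTML-safe stand-in for {% csrf_token %} (illustrative, not Django's code)."""
from xml.etree import ElementTree
from xml.sax.saxutils import quoteattr

# Django's CSRF middleware reads the POST field "csrfmiddlewaretoken";
# that field name is fixed and is separate from the CSRF cookie name.
FIELD_NAME = "csrfmiddlewaretoken"


def csrf_input(token, xhtml=True):
    """Return the hidden input; quoteattr() both quotes and escapes the value."""
    close = "/>" if xhtml else ">"
    return '<input type="hidden" name="%s" value=%s%s' % (
        FIELD_NAME, quoteattr(token), close)


def is_well_formed(fragment):
    """True if the fragment parses as XML when wrapped in a <form> element."""
    try:
        ElementTree.fromstring("<form>%s</form>" % fragment)
        return True
    except ElementTree.ParseError:
        return False


try:  # Register the template tag only when Django is installed.
    from django import template
    from django.utils.safestring import mark_safe
except ImportError:
    template = None

if template is not None:
    register = template.Library()

    @register.simple_tag(takes_context=True)
    def csrf_token_xhtml(context):
        """Use as {% csrf_token_xhtml %}; same context lookup as the built-in tag."""
        token = context.get("csrf_token")
        if not token or token == "NOTPROVIDED":
            return ""
        # Safe to mark: csrf_input() has already escaped the token.
        return mark_safe(csrf_input(str(token)))


if __name__ == "__main__":
    sample = "CONSTRUCTED-token-123"  # constructed sample value
    for xhtml in (False, True):
        tag = csrf_input(sample, xhtml)
        print(is_well_formed(tag), tag)
```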

Change History (2)

comment:1 by Ruben Garcia, 5 years ago

Form generation is also affected and
https://docs.djangoproject.com/en/3.0/topics/forms/
does not mention how to switch from
<input type="submit" value="OK">
to
<input type="submit" value="OK"/>

A general variable to indicate whether to generate HTML or XHTML code throughout the Django template system may be the best solution.

comment:2 by Carlton Gibson, 5 years ago

Resolution: wontfix
Status: new → closed

Django favours HTML 5, rather than XHTML across the board. There's a long history here, most recently #29681 I think (but also see #6925 which is the opposite of this ticket, from a long time ago.)

(#19363 points to the 1.4 release notes for moving the admin to HTML5, so that gives you an idea of the timescale.)
