Opened 17 years ago

Closed 14 years ago

#6925 closed Bug (wontfix)

CSRF html output is not valid html (it is xhtml)

Reported by: Jeffrey Gelens Owned by: Jeffrey Gelens
Component: CSRF Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Someday/Maybe
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The csrfmiddlewaretoken output input field is XHTML and invalidates HTML 4.01 pages when used.

To enable HTML output I think the following setting will be ok:
CSRF_MIDDLEWARE_OUTPUT_HTML = True
With default set to False.

The current output looks like,

<div style='display:none;'><input type='hidden' id='csrfmiddlewaretoken' name='csrfmiddlewaretoken' value='f78gdfgf68gdfs6' /></div>

So the new output will look like this (with html output enabled):

<div style='display:none;'><input type='hidden' id='csrfmiddlewaretoken' name='csrfmiddlewaretoken' value='f78gdfgf68gdfs6'></div>

Attachments (1)

csrf_html_fix.diff (2.5 KB ) - added by Jeffrey Gelens 17 years ago.

Download all attachments as: .zip

Change History (9)

by Jeffrey Gelens, 17 years ago

Attachment: csrf_html_fix.diff added

comment:1 by Jeffrey Gelens, 17 years ago

Status: newassigned

Note: the preview for the patch doesn't seem to work, it can be download by clicking "Original Format".

comment:2 by Marc Fargas, 17 years ago

Triage Stage: UnreviewedSomeday/Maybe

a thread about this from 2006.
Also, more recent: this one about HTML4 and XHTML in general.

It was said to hold this kind of stuff until 1.0 gets out.

comment:3 by Marc Fargas, 17 years ago

#7452 is there to keep track of the HTML5/XHTML thing.

comment:4 by Julian Bez, 16 years ago

milestone: post-1.0

comment:5 by (none), 16 years ago

milestone: post-1.0

Milestone post-1.0 deleted

comment:6 by Gabriel Hurley, 14 years ago

Component: Contrib appscontrib.csrf

comment:7 by Julien Phalip, 14 years ago

Severity: Normal
Type: Bug

comment:8 by Luke Plant, 14 years ago

Easy pickings: unset
Resolution: wontfix
Status: assignedclosed

There is now no way we are going to provide a setting to control the HTML flavour of a single feature. It is doubtful whether we are ever going to support HTML4, as we are moving more to HTML5 now. If we ever do move to multiple-flavour, there is no need to have a separate ticket for this - #7452 tracks that.

Note: See TracTickets for help on using tickets.
Back to Top