From 77974a684a2e874bccd8bd9e0939ddcb367a8ed2 Mon Sep 17 00:00:00 2001
From: Luke Plant
Date: Thu, 21 Jan 2016 15:54:13 +0000
Subject: [PATCH] Changed `action="."` to `action=""` in tests and docs.
`action="."` strips query parameters from the URL which is not usually what you want. Copy-paste coding of these examples could lead to difficult to track down bugs or even data loss if the query parameter was meant to alter the scope of a form's POST request.
---
 docs/ref/csrf.txt | 2 +-
 tests/forms_tests/templates/forms_tests/article_form.html | 2 +-
 tests/templates/form_view.html | 2 +-
 tests/templates/login.html | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt
index 6410b9eef0..cb49d28d29 100644
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -40,7 +40,7 @@ To take advantage of CSRF protection in your views, follow these steps:
 2. In any template that uses a POST form, use the :ttag:`csrf_token` tag inside the ``
`` element if the form is for an internal URL, e.g.::
- {% csrf_token %}
+ {% csrf_token %}
 This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.
diff --git a/tests/forms_tests/templates/forms_tests/article_form.html b/tests/forms_tests/templates/forms_tests/article_form.html
index de38466335..8ab7a85bb9 100644
--- a/tests/forms_tests/templates/forms_tests/article_form.html
+++ b/tests/forms_tests/templates/forms_tests/article_form.html
@@ -1,6 +1,6 @@
- {% csrf_token %}
+ {% csrf_token %}
 {{ form.as_p }}
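Review bot: `action=""` is not a conforming attribute value under the HTML specification, which requires `action`, when present, to be a valid non-empty URL; browsers still resolve an empty action to the document's own URL (query string included), so the behaviour is the one the commit subject asks for, but the conforming way to get it is to drop the attribute: `<form method="post">{% csrf_token %}`. The same applies to the form_view.html and login.html hunks below. The changed `<form>` tags themselves are not legible in this extraction, so the `action=""` value is taken from the commit subject rather than the hunk lines.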
diff --git a/tests/templates/form_view.html b/tests/templates/form_view.html
index a23fd0b657..1ef410fb71 100644
--- a/tests/templates/form_view.html
+++ b/tests/templates/form_view.html
@@ -2,7 +2,7 @@
 {% block title %}Submit data{% endblock %}
 {% block content %}

{{ message }}

-
+ {% if form.errors %}

Please correct the errors below:

{% endif %}
diff --git a/tests/templates/login.html b/tests/templates/login.html
index 7f50df2ba1..0d301600a5 100644
--- a/tests/templates/login.html
+++ b/tests/templates/login.html
@@ -5,7 +5,7 @@

Your username and password didn't match. Please try again.

{% endif %}
-
+
{{ form.username }}
{{ form.password }}