diff --git a/django/views/csrf.py b/django/views/csrf.py index 5bdcbd10a68..aa5e25b5b41 100644 --- a/django/views/csrf.py +++ b/django/views/csrf.py @@ -39,6 +39,11 @@ CSRF_FAILRE_TEMPLATE = """
{% templatetag openblock %} csrf_token
{% templatetag closeblock %}
template tag inside each POST form that
targets an internal URL.CsrfViewMiddleware
, then you must use
+ csrf_protect
on any views that use the csrf_token
+ template tag, as well as those that accept the POST data.You're seeing the help section of this page because you have DEBUG =
diff --git a/docs/ref/contrib/comments/index.txt b/docs/ref/contrib/comments/index.txt
index 880be341015..6ee109782fb 100644
--- a/docs/ref/contrib/comments/index.txt
+++ b/docs/ref/contrib/comments/index.txt
@@ -216,6 +216,13 @@ should know about:
it with a warning field; if you use the comment form with a custom
template you should be sure to do the same.
+The comments app also depends on the more general :ref:`Cross Site Request
+Forgery protection < ref-contrib-csrf>` that comes with Django. As described in
+the documentation, it is best to use ``CsrfViewMiddleware``. However, if you
+are not using that, you will need to use the ``csrf_protect`` decorator on any
+views that include the comment form, in order for those views to be able to
+output the CSRF token and cookie.
+
.. _honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing)
More information
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index 126df836765..c1bdb59cd1b 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -44,9 +44,7 @@ To enable CSRF protection for your views, follow these steps:
Alternatively, you can use the decorator
``django.views.decorators.csrf.csrf_protect`` on particular views you
- want to protect. This is **not recommended** by itself, since if you
- forget to use it, you will have a security hole. The 'belt and braces'
- strategy of using both is fine, and will incur minimal overhead.
+ want to protect (see below).
2. In any template that uses a POST form, use the ``csrf_token`` tag inside
the ``