Roundup Tracker - Issues

Message6652

Author rouilj
Recipients matt109, rouilj, tekberg
Date 2019-09-19.23:21:41
Message-id <20190919232139.D03C94C070D@itserver6.cs.umb.edu>
In-reply-to <1568908644.07.0.208859850186.issue2551060@roundup.psfhosted.org>
Hi Matt:

In message <1568908644.07.0.208859850186.issue2551060@roundup.psfhosted.org>,
Matt writes:
>Matt added the comment:
>

>One thing I clearly didn't appreciate when reading the instructions
>to upgrade to version 1.6.0 was that the following CSRF hidden fields
>should be added to all the forms:
>
><input name="@csrf" type="hidden"
>           tal:attributes="value python:utils.anti_csrf_nonce()">
>
>[...]
>If it is necessary to update all forms with this field,

If you use the standard context/submit templating item then the hidden
field is added automatically. So you must not add the html snippet
otherwise the same field is defined twice. See checkin 4d32fa88c5d2
for a fix for an overeager automated addition of the @csrf field.

>perhaps the upgrade document could be made more explicit with
>this instruction?

What would you suggest for wording?

  If you have forms using the POST method that are not using
  the standard submit routine, you should add the following field to all
  forms:

   <input name="@csrf" type="hidden"
      tal:attributes="value python:utils.anti_csrf_nonce()">

Would replacing "should add" by "must add" be sufficient?
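The rule stated above (a POST form needs exactly one @csrf field, supplied either by the standard context/submit routine or by the hand-written hidden input, never both) can be checked mechanically before an upgrade is rolled out. The following linter is an added example written for this thread; it is not code from the Roundup project. It assumes the templates are close enough to HTML for Python's html.parser, that the presence of `context/submit` in a tal: attribute means the standard submit routine (and therefore the nonce) is emitted inside that form, and the sample template at the bottom is constructed for the demonstration.

```python
"""Lint Roundup TAL templates for @csrf coverage on POST forms (added example)."""
from html.parser import HTMLParser


class FormCsrfAuditor(HTMLParser):
    """Collect, per <form>, how many sources of the @csrf nonce it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per <form> seen, in document order
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "line": self.getpos()[0],                     # 1-based line of <form>
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "csrf_inputs": 0,     # hand-written <input name="@csrf"> occurrences
                "submit_macro": False,  # standard context/submit routine present?
            }
            self.forms.append(self._current)
        elif self._current is not None:
            if tag == "input" and a.get("name") == "@csrf":
                self._current["csrf_inputs"] += 1
            # Assumption: any tal: attribute referencing context/submit means the
            # standard submit templating item (which adds the nonce itself) is used.
            tal_values = " ".join(v or "" for k, v in attrs if k.startswith("tal:"))
            if "context/submit" in tal_values:
                self._current["submit_macro"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(template_text):
    """Return [(line, problem)] for POST forms with zero or duplicate @csrf sources."""
    parser = FormCsrfAuditor()
    parser.feed(template_text)
    parser.close()
    findings = []
    for form in parser.forms:
        if form["method"] != "post":
            continue  # GET forms carry no state-changing action; no nonce required
        sources = form["csrf_inputs"] + (1 if form["submit_macro"] else 0)
        if sources == 0:
            findings.append((form["line"], "missing @csrf"))
        elif sources > 1:
            findings.append((form["line"], "@csrf defined more than once"))
    return findings


# Constructed sample template: five forms covering each case discussed above.
SAMPLE_TEMPLATE = """\
<form method="POST" tal:attributes="action context/designator">
  <input type="text" name="title">
  <span tal:replace="structure context/submit" />
</form>
<form method="post" action="issue?@action=edit">
  <input name="@csrf" type="hidden"
         tal:attributes="value python:utils.anti_csrf_nonce()">
  <input type="submit" value="Save">
</form>
<form method="POST" action="issue?@action=edit">
  <input name="@csrf" type="hidden"
         tal:attributes="value python:utils.anti_csrf_nonce()">
  <span tal:replace="structure context/submit" />
</form>
<form method="POST" action="issue?@action=edit">
  <input type="submit" value="Save">
</form>
<form method="GET" action="issue">
  <input type="text" name="@search_text">
</form>
"""

if __name__ == "__main__":
    for line, problem in audit(SAMPLE_TEMPLATE):
        print(f"line {line}: {problem}")
```

Run against the sample, the first two forms pass (one relies on context/submit, one on the hand-written field), the third is reported for defining @csrf twice, the fourth for having no nonce at all, and the GET search form is skipped. Pointing `audit` at each `.html` file under a tracker's `html/` directory gives a quick pre-upgrade inventory of which forms still need attention.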
History

Date                 User    Action  Args
2019-09-19 23:21:41  rouilj  set     recipients: + rouilj, tekberg, matt109
2019-09-19 23:21:41  rouilj  link    issue2551060 messages
2019-09-19 23:21:41  rouilj  create