
POCSRF error in Django after removal of hidden fields
I got some [good advice on StackOverflow](https://stackoverflow.com/questions/7745191/javascript-removing-contents-of-form-hidden-by-animatedcollapse-hide) about how to remove all hidden fields using JavaScript.

Submitting the form sends the user to `/submit`, calling the `submit_form` view. In my views.py file, I define my index page (with the form), and the page that receives the submission (my `/index` page prints errors for me, but that shouldn't influence anything):

```python
from django.http import HttpResponse
from django.template import Context
from django.template.loader import get_template


def index(request, error_message=''):
    t = get_template('index.html')
    html = t.render(Context({'ERROR_MESSAGE': error_message}))
    return HttpResponse(html)


def submit_form(request):
    # get the POST data out of request and do something
    pass
```

I've been able to suppress the error by changing the code to:

```python
# in Django 1.2+ this decorator also lives at django.views.decorators.csrf
from django.contrib.csrf.middleware import csrf_exempt


@csrf_exempt
def submit_form(request):
    # get the POST data out of request and do something
    pass
```

This essentially turns off CSRF for the `submit_form` function. However, I'm sure this is not the ideal fix (now I'm not checking for forgeries in my form).

I tried more sophisticated fixes, like:

- Adding [this code](https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#ajax) to immediately follow the jQuery code (which removes hidden fields from submission):

```javascript
init: function () {
    var ac = this;
    // advice from StackOverflow to remove hidden
    // fields from POST submission
    jQuery(document).ready(function ($) {
        $("form").submit(function () {
            $(this).find(":hidden").remove();
        });
        // AJAX CSRF code inserted here
        // ...
    });
}
```

- [Adding `{% csrf_token %}` immediately after my form declaration](https://docs.djangoproject.com/en/dev/ref/contrib/csrf/). I also tried adding code to my `index` view to send the `csrf_token` to `index`; that made the token viewable in the rendered index.html source (which I gathered was a bad idea).

I've seen several questions asking about things like this (and references in the Django book), but haven't seen a simple and clear answer. For instance, even if I was going to tolerate publishing my `csrf_token` (which, I still know is a bad idea), it is still unclear whether I should render that in my index page (and then the submitted form will have the token) or whether I am supposed to do something in my `submit_form` code. The Django code book (linked above) uses `my_view` as the view function where the token is rendered; this name is not very helpful!

Does anyone have a small example with CSRF working (with JavaScript modifying the form)? I really think it would be useful (to me and to lots of other people on StackOverflow) to see this. Ideally, it would be as simple as possible (two views: one delivers the form, the other prints its contents).

Thanks a lot for your help.

---

*Update:* I still get this error, even when I [prevent the `csrfmiddlewaretoken`](https://stackoverflow.com/questions/7871388/javascript-to-remove-all-hidden-elements-but-one) from being removed. When I *do not* do any JavaScript processing, my form is fine. And I've verified that only my

Is there some way that CSRF can see that some form elements are removed? I can't find anything different in my `QueryDict` object (that sends the data from the form using POST).

I'd really appreciate any help!
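As an added illustration (not code from the question or from Django itself), the following Python models the two halves of the check the question keeps tripping: the hidden `csrfmiddlewaretoken` input that `{% csrf_token %}` renders on the client, and the cookie-versus-field comparison that `CsrfViewMiddleware` performs on the server. The helper names, the sample form fields and the `keep` parameter are constructed for this example; the two rejection reasons are the ones the middleware reports.

```python
import hmac
from urllib.parse import parse_qs

TOKEN_FIELD = "csrfmiddlewaretoken"   # hidden input rendered by {% csrf_token %}
COOKIE_NAME = "csrftoken"             # cookie the middleware compares it against


def render_form_fields(csrf_token, user_fields):
    """Model of a rendered form: the template tag prepends a hidden token input."""
    return [{"name": TOKEN_FIELD, "type": "hidden", "value": csrf_token}] + user_fields


def strip_hidden(fields, keep=()):
    """Model of `$(this).find(':hidden').remove()` run on submit.

    With keep=() every hidden input goes, including the CSRF token, which is
    exactly why the server then rejects the POST."""
    return [f for f in fields if f["type"] != "hidden" or f["name"] in keep]


def encode_post(fields):
    """Browser side: serialise whatever inputs are left into the POST body."""
    return "&".join(f"{f['name']}={f['value']}" for f in fields)


def csrf_check(cookies, post_body):
    """Server side: simplified CsrfViewMiddleware decision for an unsafe method.

    Returns (accepted, reason). The token field must be present in the POST
    data and equal to the csrftoken cookie; comparison is constant-time."""
    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "CSRF cookie not set."
    posted = parse_qs(post_body).get(TOKEN_FIELD, [""])[0]
    if not hmac.compare_digest(posted, cookie_token):
        return False, "CSRF token missing or incorrect."
    return True, "ok"


def simulate(keep=(), token="0123456789abcdef0123456789abcdef"):
    """Round trip: render the form, run the hidden-field stripper, submit, check.

    `token` is a constructed sample value; Django generates a random one."""
    cookies = {COOKIE_NAME: token}
    form = render_form_fields(token, [
        {"name": "question", "type": "text", "value": "hello"},
        {"name": "page_state", "type": "hidden", "value": "3"},   # an unrelated hidden field
    ])
    body = encode_post(strip_hidden(form, keep=keep))
    return csrf_check(cookies, body)
```

Running `simulate()` reproduces the rejection seen in the question, while `simulate(keep=(TOKEN_FIELD,))` drops the other hidden field but still passes, because the token input survives the jQuery step.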