Is the {% csrf_token %} CSRF protection tag still necessary in Django 1.2?
Problem description
I am testing the CSRF protection on my site and I have noticed something unexpected.
I removed {% csrf_token %} from my form and the submission still works. I couldn't work out why. I then looked at the source and realised the token was still there right next to the <form> element. I changed the ID of the form to make sure it was definitely updating the source and it was, but the hidden input is still there.
I am using Django 1.2. Is {% csrf_token %} still necessary?
Cheers
Rich
After more investigation it appears the {% csrf_token %} is always inserted if the form has method post and not if it doesn't. Very clever auto protection from Django.
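The behaviour described in the post above (a hidden token next to every POST <form>, none on other forms) is what you get when rendered HTML is rewritten on its way out. The sketch below is an added example, not part of the original post and not Django's own code; `inject_csrf_token`, `own_host` and the sample markup are hypothetical, and as an extra assumption it skips forms that post to another host so the token is never sent off-site.

```python
import re
from html import escape
from urllib.parse import urlparse

# Opening <form ...> tag; the attribute string is captured for inspection.
FORM_TAG = re.compile(r"<form\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _attrs(raw):
    """Parse a tag's attribute string into a dict with lowercase keys."""
    out = {}
    for m in ATTR.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        out[m.group(1).lower()] = value
    return out


def inject_csrf_token(html, token, own_host):
    """Insert a hidden token input after each same-site POST <form> tag."""
    field = ('<input type="hidden" name="csrfmiddlewaretoken" value="%s" />'
             % escape(token, quote=True))

    def add_field(match):
        attrs = _attrs(match.group(1))
        # HTML forms default to GET; only POST forms get a token.
        if attrs.get("method", "get").lower() != "post":
            return match.group(0)
        # A form whose action names another host would leak the token.
        host = urlparse(attrs.get("action", "")).netloc
        if host and host != own_host:
            return match.group(0)
        return match.group(0) + field

    return FORM_TAG.sub(add_field, html)


# Constructed sample markup: one GET form, one local POST form,
# and one POST form that submits to a different host.
SAMPLE_PAGE = (
    '<form id="search" method="get" action="/search/"><input name="q"></form>'
    '<form id="contact" method="POST" action="/contact/"><input name="msg"></form>'
    '<form id="pay" method="post" action="https://payments.example/charge"></form>'
)

if __name__ == "__main__":
    print(inject_csrf_token(SAMPLE_PAGE, "constructed-token", "www.example.com"))
```

Rewriting output this way only adds the field to the page; the submission is protected only if the server also checks the submitted value on every POST.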