Loading django/views/csrf.py +5 −5 Original line number Diff line number Diff line from django.conf import settings from django.http import HttpResponseForbidden from django.template import Context, Template from django.template import Context, Engine from django.utils.translation import ugettext as _ from django.utils.version import get_docs_version Loading Loading @@ -67,9 +67,9 @@ CSRF_FAILURE_TEMPLATE = """ <ul> <li>Your browser is accepting cookies.</li> <li>The view function uses <a href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/templates/api/#subclassing-context-requestcontext"><code>RequestContext</code></a> for the template, instead of <code>Context</code>.</li> <li>The view function passes a <code>request</code> to the template's <a href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a> method.</li> <li>In the template, there is a <code>{% templatetag openblock %} csrf_token {% templatetag closeblock %}</code> template tag inside each POST form that Loading Loading @@ -102,7 +102,7 @@ def csrf_failure(request, reason=""): Default view used when request fails CSRF protection """ from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE t = Template(CSRF_FAILURE_TEMPLATE) t = Engine().from_string(CSRF_FAILURE_TEMPLATE) c = Context({ 'title': _("Forbidden"), 'main': _("CSRF verification failed. Request aborted."), Loading tests/view_tests/tests/test_csrf.py +12 −1 Original line number Diff line number Diff line Loading @@ -21,7 +21,6 @@ class CsrfViewTests(TestCase): """ Test that an invalid request is rejected with a localized error message. """ response = self.client.post('/') self.assertContains(response, "Forbidden", status_code=403) self.assertContains(response, Loading Loading 
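Review bot: The switch to `Engine().from_string(CSRF_FAILURE_TEMPLATE)` in csrf_failure deserves a why-comment, because a reader will otherwise assume the project's configured template engine is the right thing to use here; the bare Engine is deliberately independent of the TEMPLATES setting so the 403 page still renders when templates are misconfigured or use a non-Django backend (the test section cites #24388). Suggested comment above that line: `# Render with a bare Engine, not the configured TEMPLATES backend, so the failure page`, `# cannot itself fail when the project's template setup is broken (#24388). The template`, `# is a module constant, never loaded from disk; Engine's default autoescape stays on.` The body of csrf_failure continues past the hunk, so whatever else goes into the Context (the cut-off dict after 'main') is not visible here; any value derived from the request should be confirmed to be escaped by that default. In the hunk around line 67, one docs link uses `{{ docs_version }}` while the `render` link hard-codes `/en/dev/`; which side that inconsistency lives on is not recoverable from this rendering, but if it is on the new side the `get_docs_version` import already makes the first form available for both.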
@@ -63,3 +62,15 @@ class CsrfViewTests(TestCase): "ensure that your browser is not being hijacked " "by third parties.", status_code=403) # In Django 2.0, this can be changed to TEMPLATES=[] because the code path # that reads the TEMPLATE_* settings in that case will have been removed. @override_settings(TEMPLATES=[{ 'BACKEND': 'django.template.backends.dummy.TemplateStrings', }]) def test_no_django_template_engine(self): """ The CSRF view doesn't depend on the TEMPLATES configuration (#24388). """ response = self.client.post('/') self.assertContains(response, "Forbidden", status_code=403) Loading
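Review bot: test_no_django_template_engine only checks that the body contains "Forbidden" with status 403, which a bare HttpResponseForbidden fallback would also satisfy, so it does not actually prove the CSRF template was rendered under the dummy TemplateStrings backend. Add an assertion on text that can only come from CSRF_FAILURE_TEMPLATE, mirroring the preceding test in this class, e.g. `self.assertContains(response, "CSRF verification failed. Request aborted.", status_code=403)`. The CsrfViewTests class header and the earlier hunk at -21 lie outside this hunk, and the single removed line at that hunk is not identifiable in this rendering.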
django/views/csrf.py +5 −5 Original line number Diff line number Diff line from django.conf import settings from django.http import HttpResponseForbidden from django.template import Context, Template from django.template import Context, Engine from django.utils.translation import ugettext as _ from django.utils.version import get_docs_version Loading Loading @@ -67,9 +67,9 @@ CSRF_FAILURE_TEMPLATE = """ <ul> <li>Your browser is accepting cookies.</li> <li>The view function uses <a href="https://docs.djangoproject.com/en/{{ docs_version }}/ref/templates/api/#subclassing-context-requestcontext"><code>RequestContext</code></a> for the template, instead of <code>Context</code>.</li> <li>The view function passes a <code>request</code> to the template's <a href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a> method.</li> <li>In the template, there is a <code>{% templatetag openblock %} csrf_token {% templatetag closeblock %}</code> template tag inside each POST form that Loading Loading @@ -102,7 +102,7 @@ def csrf_failure(request, reason=""): Default view used when request fails CSRF protection """ from django.middleware.csrf import REASON_NO_REFERER, REASON_NO_CSRF_COOKIE t = Template(CSRF_FAILURE_TEMPLATE) t = Engine().from_string(CSRF_FAILURE_TEMPLATE) c = Context({ 'title': _("Forbidden"), 'main': _("CSRF verification failed. Request aborted."), Loading
tests/view_tests/tests/test_csrf.py +12 −1 Original line number Diff line number Diff line Loading @@ -21,7 +21,6 @@ class CsrfViewTests(TestCase): """ Test that an invalid request is rejected with a localized error message. """ response = self.client.post('/') self.assertContains(response, "Forbidden", status_code=403) self.assertContains(response, Loading Loading @@ -63,3 +62,15 @@ class CsrfViewTests(TestCase): "ensure that your browser is not being hijacked " "by third parties.", status_code=403) # In Django 2.0, this can be changed to TEMPLATES=[] because the code path # that reads the TEMPLATE_* settings in that case will have been removed. @override_settings(TEMPLATES=[{ 'BACKEND': 'django.template.backends.dummy.TemplateStrings', }]) def test_no_django_template_engine(self): """ The CSRF view doesn't depend on the TEMPLATES configuration (#24388). """ response = self.client.post('/') self.assertContains(response, "Forbidden", status_code=403)