Commit a034ced2 authored by Luke Plant, committed by Tim Graham

[1.8.x] Changed `action="."` to `action=""` in tests and docs.

`action="."` strips query parameters from the URL which is not usually what
you want. Copy-paste coding of these examples could lead to difficult to
track down bugs or even data loss if the query parameter was meant to alter
the scope of a form's POST request.

Backport of 77974a68 from master
parent 8502e9f0
+1 −1
@@ -40,7 +40,7 @@ To take advantage of CSRF protection in your views, follow these steps:
2. In any template that uses a POST form, use the :ttag:`csrf_token` tag inside
   the ``<form>`` element if the form is for an internal URL, e.g.::

       <form action="." method="post">{% csrf_token %}
       <form action="" method="post">{% csrf_token %}

   This should not be done for POST forms that target external URLs, since
   that would cause the CSRF token to be leaked, leading to a vulnerability.
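Review bot: the docs example now shows `action=""` but gives the reader no reason to prefer it, and since the commit message says these snippets get copy-pasted, a one-line explanation in this paragraph would help: `action=""` submits the form back to the URL the page was requested with, query string included, whereas `action="."` dropped the query string. Adding that sentence next to the example would keep future contributors from "fixing" it back.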
+1 −1
<html>
<body>
  <form method="post" action=".">{% csrf_token %}
  <form method="post" action="">{% csrf_token %}
    {{ form.as_p }}<br>
    <input id="submit" type="submit">
  </form>
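Review bot: with `action=""` this test form posts back to exactly the URL the test client requested, query string included, so it would be worth having a test that renders this template from a URL carrying a query string and asserts the POST reaches the same URL; the current change only swaps the attribute value and does not add coverage for the behaviour the commit message describes.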
+1 −1
@@ -2,7 +2,7 @@
{% block title %}Submit data{% endblock %}
{% block content %}
<h1>{{ message }}</h1>
<form method='post' action='.'>
<form method="post" action="">
{% if form.errors %}
<p class='warning'>Please correct the errors below:</p>
{% endif %}
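Review bot: the `<form>` tag switches from single to double quotes (`action='.'` to `action=""`), but the `<p class='warning'>` two lines below keeps single quotes, leaving mixed quoting in the same template; for consistency change it to `<p class="warning">` in the same commit or leave the form tag's quote style untouched.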
+1 −1
@@ -5,7 +5,7 @@
<p>Your username and password didn't match. Please try again.</p>
{% endif %}

<form method="post" action=".">
<form method="post" action="">
<table>
<tr><td><label for="id_username">Username:</label></td><td>{{ form.username }}</td></tr>
<tr><td><label for="id_password">Password:</label></td><td>{{ form.password }}</td></tr>
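Review bot: this is the login template, so the change has a user-visible effect beyond the test suite: any query string the login page was requested with is now carried through on the POST instead of being discarded, which is precisely the data-loss case the commit message warns about; the change looks right, but a short note in the commit message or docs that login forms in particular should keep `action=""` would make the intent explicit.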