summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2016-01-21 15:54:13 +0000
committerTim Graham <timograham@gmail.com>2016-01-21 14:00:23 -0500
commita034ced2efccafdf394b807487ee97665fe003c3 (patch)
tree043b34776630aaf2f3216fc7dd9b439bea9e5ccc /docs/ref
parent8502e9f04974660c80efc74f6e60ed566b3f52b3 (diff)
[1.8.x] Changed `action="."` to `action=""` in tests and docs.
`action="."` strips query parameters from the URL which is not usually what you want. Copy-paste coding of these examples could lead to difficult to track down bugs or even data loss if the query parameter was meant to alter the scope of a form's POST request. Backport of 77974a684a2e874bccd8bd9e0939ddcb367a8ed2 from master
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/csrf.txt2
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt
index 85810b9d8b..dbc05b6e50 100644
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -40,7 +40,7 @@ To take advantage of CSRF protection in your views, follow these steps:
2. In any template that uses a POST form, use the :ttag:`csrf_token` tag inside
the ``<form>`` element if the form is for an internal URL, e.g.::
- <form action="." method="post">{% csrf_token %}
+ <form action="" method="post">{% csrf_token %}
This should not be done for POST forms that target external URLs, since
that would cause the CSRF token to be leaked, leading to a vulnerability.