summaryrefslogtreecommitdiff
path: root/django/contrib/csrf
AgeCommit message (Collapse)Author
2011-04-02Removed deprecated contrib.csrf app.Russell Keith-Magee
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15971 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11Fixed #14436 -- Escalated 1.2 PendingDeprecationWarnings to ↵Russell Keith-Magee
DeprecationWarnings, and removed 1.1 deprecated code. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14138 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-27Moved contrib.csrf.* to core code.Luke Plant
There is stub code for backwards compatiblity with Django 1.1 imports. The documentation has been updated, but has been left in docs/contrib/csrf.txt for now, in order to avoid dead links to documentation on the website. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11661 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-26Fixed #9977 - CsrfMiddleware gets template tag added, session dependency ↵Luke Plant
removed, and turned on by default. This is a large change to CSRF protection for Django. It includes: * removing the dependency on the session framework. * deprecating CsrfResponseMiddleware, and replacing with a core template tag. * turning on CSRF protection by default by adding CsrfViewMiddleware to the default value of MIDDLEWARE_CLASSES. * protecting all contrib apps (whatever is in settings.py) using a decorator. For existing users of the CSRF functionality, it should be a seamless update, but please note that it includes DEPRECATION of features in Django 1.1, and there are upgrade steps which are detailed in the docs. Many thanks to 'Glenn' and 'bthomas', who did a lot of the thinking and work on the patch, and to lots of other people including Simon Willison and Russell Keith-Magee who refined the ideas. Details of the rationale for these changes is found here: http://code.djangoproject.com/wiki/CsrfProtection As of this commit, the CSRF code is mainly in 'contrib'. The code will be moved to core in a separate commit, to make the changeset as readable as possible. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11660 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-10-24Fixed #9163 - CsrfMiddleware needs to reset ETag headerLuke Plant
Thanks to carljm for report and patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@11650 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-05-17Fixed #11066 -- Corrected 15 duplicate "the"s found in docs and code ↵Karen Tracey
comments. Thanks kaikuehne. git-svn-id: http://code.djangoproject.com/svn/django/trunk@10801 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-04-21Fixed #10884 - more lenient regexp for matching forms in CSRF post-processingLuke Plant
Thanks to Ryszard Szopa for the report and fix git-svn-id: http://code.djangoproject.com/svn/django/trunk@10617 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-07Fixed tabs in source, stupid emacs.Luke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9817 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-07Fixed some function name errors in code doc.Luke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9816 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-02-07Made CSRF middleware skip post-processing for 'csrf_exempt' decorated views.Luke Plant
This commit also decomposes the decorator into two decorators which can be used separately, adds some tests, updates docs and fixes some code comments. git-svn-id: http://code.djangoproject.com/svn/django/trunk@9815 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-03Added some explanatory comments in CsrfMiddlewareLuke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9561 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-03New CsrfMiddleware features: automatic exceptions for known AJAX and ↵Luke Plant
decorator for manual exceptions git-svn-id: http://code.djangoproject.com/svn/django/trunk@9554 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-03Split CsrfMiddleware into two to make it more reusable.Luke Plant
Also converted it to be a view middleware instead of request, as this allows more options. git-svn-id: http://code.djangoproject.com/svn/django/trunk@9553 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-02More tests for the other half of CsrfMiddlewareLuke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9552 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-12-02Added tests for CsrfMiddleware.Luke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9551 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-02Fixed #7919 -- md5 and sha modules are deprecated since Python 2.5, use ↵Gary Wilson Jr
hashlib module when available. Patch from Karen Tracey. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8193 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-11-14Implemented auto-escaping of variable output in templates. Fully ↵Malcolm Tredinnick
controllable by template authors and it's possible to write filters and templates that simulataneously work in both auto-escaped and non-auto-escaped environments if you need to. Fixed #2359 See documentation in templates.txt and templates_python.txt for how everything works. Backwards incompatible if you're inserting raw HTML output via template variables. Based on an original design from Simon Willison and with debugging help from Michael Radziej. git-svn-id: http://code.djangoproject.com/svn/django/trunk@6671 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-03Fixed #5292 -- Changed CSRF middleware to check for request.method == 'POST' ↵Adrian Holovaty
instead of request.POST dictionary not being empty. Thanks, Jakub Wilk git-svn-id: http://code.djangoproject.com/svn/django/trunk@6038 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-12-18Fixed #3157 -- Made error message XHTML-friendly in CSRF middleware. Thanks, ↵Adrian Holovaty
mir@noris.de git-svn-id: http://code.djangoproject.com/svn/django/trunk@4225 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-11Fixed CsrfMiddleware post processing so that it in the presence of multipleLuke Plant
POST <form>s, only one <input> tag is added with an id, for HTML validity. git-svn-id: http://code.djangoproject.com/svn/django/trunk@2900 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-11Fixed #1827 - added 'id' attribute to generated CSRF hidden field. Good ↵Luke Plant
call, Ian Holsman. git-svn-id: http://code.djangoproject.com/svn/django/trunk@2899 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2006-05-08Added CsrfMiddleware to contrib, and documentation.Luke Plant
git-svn-id: http://code.djangoproject.com/svn/django/trunk@2868 bcc190cf-cafb-0310-a4f2-bffc1f526a37