From d162b0bcd8367cc2ddf1ccd613a80a2e82c3b262 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Tue, 22 Dec 2015 10:21:24 -0500 Subject: [1.9.x] Fixed #25969 -- Replaced render_to_response() with render() in docs examples. Backport of 4d83b0163e15f8352fd17fa121e929842ff2b686 from master --- docs/ref/csrf.txt | 30 +++++------------------------- 1 file changed, 5 insertions(+), 25 deletions(-) (limited to 'docs/ref/csrf.txt') diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index d920f15e23..a423b77f7a 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -45,31 +45,11 @@ To take advantage of CSRF protection in your views, follow these steps: This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability. -3. In the corresponding view functions, ensure that the - ``'django.template.context_processors.csrf'`` context processor is - being used. Usually, this can be done in one of two ways: - - 1. Use RequestContext, which always uses - ``'django.template.context_processors.csrf'`` (no matter what template - context processors are configured in the :setting:`TEMPLATES` setting). - If you are using generic views or contrib apps, you are covered already, - since these apps use RequestContext throughout. - - 2. Manually import and use the processor to generate the CSRF token and - add it to the template context. e.g.:: - - from django.shortcuts import render_to_response - from django.template.context_processors import csrf - - def my_view(request): - c = {} - c.update(csrf(request)) - # ... view code here - return render_to_response("a_template.html", c) - - You may want to write your own - :func:`~django.shortcuts.render_to_response()` wrapper that takes care - of this step for you. +3. In the corresponding view functions, ensure that + :class:`~django.template.RequestContext` is used to render the response so + that ``{% csrf_token %}`` will work properly. If you're using the + :func:`~django.shortcuts.render` function, generic views, or contrib apps, + you are covered already since these all use ``RequestContext``. .. _csrf-ajax: -- cgit v1.3