From 77974a684a2e874bccd8bd9e0939ddcb367a8ed2 Mon Sep 17 00:00:00 2001 From: Luke Plant Date: Thu, 21 Jan 2016 15:54:13 +0000 Subject: Changed `action="."` to `action=""` in tests and docs. `action="."` strips query parameters from the URL which is not usually what you want. Copy-paste coding of these examples could lead to difficult to track down bugs or even data loss if the query parameter was meant to alter the scope of a form's POST request. --- docs/ref/csrf.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index 6410b9eef0..cb49d28d29 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -40,7 +40,7 @@ To take advantage of CSRF protection in your views, follow these steps: 2. In any template that uses a POST form, use the :ttag:`csrf_token` tag inside the ``
`` element if the form is for an internal URL, e.g.:: - {% csrf_token %} + {% csrf_token %} This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability. -- cgit v1.3