
[1.2.X] Fixed #15055 -- added information about (and an example of) the csrf_token template tag to the forms documentation. Thanks to sneakyness for the report and bpeschier for the draft patch.

Backport of [15445] from trunk.

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent 1406265 commit 40a13657e3f8d526fcab02e2a963898e89854614 Gabriel Hurley committed Feb 7, 2011
Showing with 10 additions and 1 deletion.
  1. +10 −1 docs/topics/forms/index.txt
@@ -172,14 +172,23 @@ Forms are designed to work with the Django template language. In the above
example, we passed our ``ContactForm`` instance to the template using the
context variable ``form``. Here's a simple example template::
- <form action="/contact/" method="post">
+ <form action="/contact/" method="post">{% csrf_token %}
{{ form.as_p }}
<input type="submit" value="Submit" />
The form only outputs its own fields; it is up to you to provide the surrounding
``<form>`` tags and the submit button.
+.. admonition:: Forms and Cross Site Request Forgery protection
+ Django ships with an easy-to-use :doc:`protection against Cross Site Request
+ Forgeries </ref/contrib/csrf>`. When submitting a form via POST with
+ CSRF protection enabled you must use the :ttag:`csrf_token` template tag
+ as in the preceding example. However, since CSRF protection is not
+ directly tied to forms in templates, this tag is omitted from the
+ following examples in this document.
``form.as_p`` will output the form with each form field and accompanying label
wrapped in a paragraph. Here's the output for our example template::
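
Review bot: The admonition's closing sentence ("this tag is omitted from the following examples in this document") leaves the later form templates without the token, so a reader who copies one of them for a POST form with CSRF protection enabled ends up without the tag that the same admonition says is required. Suggest rewording that sentence to say the later examples still need ``{% csrf_token %}`` when CSRF protection is enabled, and stating that the tag goes inside the ``<form>`` element instead of only pointing at "the preceding example".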
