
Merge pull request #17 from Lapin-Blanc/patch-1

Update chapter07.rst
2 parents 138d953 + 524d7f9 commit b67215ac0bfa36c09556c493f18d5708ff3270a6 @jacobian jacobian committed Apr 14, 2013
Showing with 11 additions and 0 deletions.
  1. +11 −0 chapter07.rst
@@ -959,6 +959,8 @@ Here's how we can rewrite ``contact()`` to use the forms framework::
from django.shortcuts import render
from mysite.contact.forms import ContactForm
+ from django.http import HttpResponseRedirect
+ from django.core.mail import send_mail
def contact(request):
if request.method == 'POST':
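Review bot: the two new imports are placed after the ``mysite.contact.forms`` import, which splits the ``django.*`` imports from ``django.shortcuts`` above; group them together and keep framework imports ahead of the project's own, e.g. ``from django.core.mail import send_mail``, ``from django.http import HttpResponseRedirect``, ``from django.shortcuts import render``, then ``from mysite.contact.forms import ContactForm``. The additions themselves are correct: the rewritten ``contact()`` returns an ``HttpResponseRedirect`` after a valid POST and calls ``send_mail``, and neither name was imported before this change.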
@@ -995,6 +997,7 @@ Here's how we can rewrite ``contact()`` to use the forms framework::
<table>
{{ form.as_table }}
</table>
+ {% csrf_token %}
<input type="submit" value="Submit">
</form>
</body>
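Review bot: ``{% csrf_token %}`` only renders the hidden ``csrfmiddlewaretoken`` field when the template is rendered with the request available to it, which holds here because the view in the first hunk uses the ``render()`` shortcut from ``django.shortcuts``; it would be worth saying so in the prose, since a reader who renders the template another way gets a form that silently fails the CSRF check. The tag is correctly placed inside the ``<form>`` element, next to the submit button, so the token is posted with the rest of the fields.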
@@ -1006,6 +1009,14 @@ Look at how much cruft we've been able to remove! Django's forms framework
handles the HTML display, the validation, data cleanup and form
redisplay-with-errors.
+Since we're creating a POST form (which can have the effect of modifying data),
+we need to worry about Cross Site Request Forgeries. Thankfully, you don't have
+to worry too hard, because Django comes with a very easy-to-use system for
+protecting against it. In short, all POST forms that are targeted at internal
+URLs should use the ``{% csrf_token %}`` template tag. More details about
+``{% csrf_token %}`` can be found in :doc:`chapter16` and :doc:`chapter20`.
+
+
Try running this locally. Load the form, submit it with none of the fields
filled out, submit it with an invalid e-mail address, then finally submit it
with valid data. (Of course, depending on your mail-server configuration, you
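Review bot: the paragraph ends with two added blank lines, which together with the existing one leave three blank lines before "Try running this locally."; reStructuredText needs only one, so drop the extra two. In the first sentence, "Cross Site Request Forgeries" should read "cross-site request forgery (CSRF)", so the abbreviation is introduced before the reader meets ``{% csrf_token %}``. The sentence "all POST forms that are targeted at internal URLs should use the ``{% csrf_token %}`` template tag" could also mention that the tag is only half of the protection: Django's CSRF middleware is what rejects a POST that lacks a valid token, so a project with the middleware disabled is not protected by adding the tag alone.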
