csrf exempt? #5
Assignees
Comments
|
Fixed with the latest update. |
|
Thanks. I run pip install django-froala-editor --upgrade and it tells me it's already up to date. How do I install this latest update? |
|
pip install django-froala-editor --ignore-installed |
|
The only way I'm able to get an image to upload is if I add back the @csrf_exempt decorator. Any ideas what I'm doing wrong here? Gives me a 403 error in terminal if exempt decorator isn't in place. |
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I noticed in the image upload view, there's a decorator for csrf_exempt. I admit I'm not anywhere near a django expert, but I was under the impression the csrf token was there as a way to block rogue form submissions? Or to ensure the form submission came from where you think it came from?
If the image upload is csrf exempt, I assume that means it doesn't need a csrf token to upload images? Assuming that's accurate, what's to stop someone from viewing the html source of my page, grabbing the froala image upload path setting and uploading some kind of harmful code to my image directory from their own form?
The text was updated successfully, but these errors were encountered: