csrf exempt? #5
Comments
Fixed with the latest update.

Thanks. I ran pip install django-froala-editor --upgrade and it tells me it's already up to date. How do I install this latest update?

pip install django-froala-editor --ignore-installed

The only way I'm able to get an image to upload is if I add back the @csrf_exempt decorator. Any ideas what I'm doing wrong here? It gives me a 403 error in the terminal if the exempt decorator isn't in place.
I noticed in the image upload view, there's a decorator for csrf_exempt. I admit I'm not anywhere near a Django expert, but I was under the impression the CSRF token was there as a way to block rogue form submissions? Or to ensure the form submission came from where you think it came from?
If the image upload is csrf exempt, I assume that means it doesn't need a CSRF token to upload images? Assuming that's accurate, what's to stop someone from viewing the HTML source of my page, grabbing the Froala image upload path setting and uploading some kind of harmful code to my image directory from their own form?
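Added example (not code from django-froala-editor or from anyone in this thread): the usual Django answer to the 403 is to leave the upload view CSRF-protected and have the browser send the csrftoken cookie value in the X-CSRFToken header, rather than decorating the view with @csrf_exempt. The endpoint path and the multipart field name below are assumed placeholders.

```javascript
// Read a cookie value from a cookie header string (Django's documented pattern).
// The cookieString parameter exists so the function also runs outside a browser.
function getCookie(name, cookieString) {
  const source = cookieString !== undefined
    ? cookieString
    : (typeof document !== 'undefined' ? document.cookie : '');
  for (const part of source.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Build the fetch() request for an image upload. It fails closed: with no CSRF
// cookie present the upload is not attempted, since the protected view would
// reject it with 403 anyway. A page on another origin cannot read this cookie,
// which is exactly what stops a foreign form from posting to the view.
function buildUploadRequest(file, cookieString) {
  const token = getCookie('csrftoken', cookieString);
  if (!token) {
    throw new Error('csrftoken cookie missing; the page must set it (e.g. via {% csrf_token %})');
  }
  const body = new FormData();
  body.append('file', file, 'upload.png');   // field name is an assumption
  return {
    url: '/froala_editor/image_upload/',     // assumed placeholder path
    init: {
      method: 'POST',
      credentials: 'same-origin',            // send the session and csrftoken cookies
      headers: { 'X-CSRFToken': token },     // Django's default CSRF header name
      body,
    },
  };
}

// Perform the upload against the protected view and return the parsed JSON reply.
async function uploadImage(file) {
  const { url, init } = buildUploadRequest(file);
  const response = await fetch(url, init);
  if (!response.ok) throw new Error(`upload rejected: HTTP ${response.status}`);
  return response.json();
}
```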