mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 14:16:09 +00:00
Code Issues 32 Releases Wiki Activity

Changed action="." to action="" in tests and docs.

Browse Source 
`action="."` strips query parameters from the URL which is not usually what
you want. Copy-paste coding of these examples could lead to difficult to
track down bugs or even data loss if the query parameter was meant to alter
the scope of a form's POST request.
This commit is contained in:
Luke Plant
2016-01-21 15:54:13 +00:00
committed by Tim Graham
parent 9a33d3d764
commit 77974a684a
4 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/ref/csrf.txt
View File

@@ -40,7 +40,7 @@ To take advantage of CSRF protection in your views, follow these steps:
2. In any template that uses a POST form, use the :ttag:`csrf_token` tag inside
the ``<form>`` element if the form is for an internal URL, e.g.::
<form action="." method="post">{% csrf_token %}
<form action="" method="post">{% csrf_token %}
This should not be done for POST forms that target external URLs, since
that would cause the CSRF token to be leaked, leading to a vulnerability.