CSRF(跨站请求伪造),django 1.2.1在projects的setting中默认配置了处理CSRF的中间件
'django.middleware.csrf.CsrfViewMiddleware',
因此,如果post提交表单的html代码如下,django会抛出一个异常.
CSRF token missing or incorrect.
<
form
action
="{%url listenCms:submitComment articleObj.id %}"
method
="post"
>
<
div
class
="commentTextArea"
>
<
textarea
name
="content"
cols
="" rows=""
>
</textarea>
<
input
name
="articleId"
type
="hidden"
value
="`articleObj`.`id`"
/>
</div>
<
input
name
="submit"
value
="提交评论"
type
="submit"
/>
</form>
同样在异常信息中,django给出了解决方案.
In the template, there is a
{% csrf_token %}
template tag inside each POST form that targets an internal URL.
所以html如下,在form区域内加上了{% csrf_token %}
这个标签会自动被django模板处理成一段html
<
div
style
='display:none'
>
<
input
type
='hidden'
name
='csrfmiddlewaretoken'
value
='a7ad524eaa3c6f536a6afb7b56a40421'
/>
</div>
这应该是用来让
CsrfViewMiddleware
中间件进行处理时一个标识吧,这个隐藏域的value看起来是一个32位加密的MD5值。
加上{% csrf_token %}的HTML。
<
form
action
="{%url listenCms:submitComment articleObj.id %}"
method
="post"
>{% csrf_token %}
<
div
class
="commentTextArea"
>
<
textarea
name
="content"
cols
="" rows=""
>
</textarea>
<
input
name
="articleId"
type
="hidden"
value
="`articleObj`.`id`"
/>
</div>
<
input
name
="submit"
value
="提交评论"
type
="submit"
/>
</form>
本文转自阿汐 51CTO博客,原文链接:http://blog.51cto.com/axiii/326306,如需转载请自行联系原作者
