Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
-+
 Reporter:  hedleyroos@… |Owner:  nobody
 Type:  Uncategorized|   Status:  closed
Component:  Forms|  Version:  1.4
 Severity:  Release blocker  |   Resolution:  fixed
 Keywords:  csrf | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by Claude Paroz ):

 In [changeset:"e6f45aa623d9a67a2d6389665ca1bea0556dc832"]:
 {{{
 #!CommitTicketReference repository=""
 revision="e6f45aa623d9a67a2d6389665ca1bea0556dc832"
 Added release note about removed div around csrf token

 Refs #18484. Thanks Simon Charette for the suggestion.
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
-+
 Reporter:  hedleyroos@… |Owner:  nobody
 Type:  Uncategorized|   Status:  closed
Component:  Forms|  Version:  1.4
 Severity:  Release blocker  |   Resolution:  fixed
 Keywords:  csrf | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+
Changes (by Claude Paroz ):

 * status:  reopened => closed
 * resolution:   => fixed


Comment:

 In [changeset:"fa2e28ccc45d383ad9b1398565a9d106a80fd1db"]:
 {{{
 #!CommitTicketReference repository=""
 revision="fa2e28ccc45d383ad9b1398565a9d106a80fd1db"
 Fixed #18484 -- Removed the div around the csrf token input
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
-+
 Reporter:  hedleyroos@… |Owner:  nobody
 Type:  Uncategorized|   Status:  reopened
Component:  Forms|  Version:  1.4
 Severity:  Release blocker  |   Resolution:
 Keywords:  csrf | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by lukeplant):

 Composing the email brought me to a decision: we already ship HTML5
 templates with Django in 1.4. We promised functional backwards
 compatibility with major browsers, but not necessarily validity for
 HTML4/XHTML.  Our direction has been made clear.

 If people are really worried about HTML4/XHTML validity, which seems less
 likely these days, they can always implement their own {% csrf_token %}
 tag.

 So, let's remove the  altogether.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
-+
 Reporter:  hedleyroos@… |Owner:  nobody
 Type:  Uncategorized|   Status:  reopened
Component:  Forms|  Version:  1.4
 Severity:  Release blocker  |   Resolution:
 Keywords:  csrf | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by lukeplant):

 Replying to [comment:9 simonb]:

 > Inline forms

 Thanks. That seems like a pretty common/simple use case, and it does
 validate the original choice to make the div 'display:none;'. I don't know
 what we do with the broken browsers that decide not to submit those
 inputs.

 I'll take this to django-devs.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
-+
 Reporter:  hedleyroos@… |Owner:  nobody
 Type:  Uncategorized|   Status:  reopened
Component:  Forms|  Version:  1.4
 Severity:  Release blocker  |   Resolution:
 Keywords:  csrf | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by simonb):

 Replying to [comment:8 lukeplant]:
 > Replying to [comment:3 simonb]:
 > > By removing style="display:none" the layout of every form that uses
 csrf_token has been changed. The div becomes significant to the
 layout/flow of the form and moves everything that follows below it - divs
 are blocks.
 >
 > Could you give an example of a layout where this happens? (You could use
 jsfiddle e.g. http://jsfiddle.net/abXgB/ ) That would help us assess
 whether this is badly designed or fairly unlikely CSS.

 Inline forms

 http://jsfiddle.net/simonb/r9nTK/

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
-+
 Reporter:  hedleyroos@… |Owner:  nobody
 Type:  Uncategorized|   Status:  reopened
Component:  Forms|  Version:  1.4
 Severity:  Release blocker  |   Resolution:
 Keywords:  csrf | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by lukeplant):

 Replying to [comment:3 simonb]:
 > By removing style="display:none" the layout of every form that uses
 csrf_token has been changed. The div becomes significant to the
 layout/flow of the form and moves everything that follows below it - divs
 are blocks.

 Could you give an example of a layout where this happens? (You could use
 jsfiddle e.g. http://jsfiddle.net/abXgB/ ) That would help us assess
 whether this is badly designed or fairly unlikely CSS.

 > Could we, at least, give the surrounding div an id or class so we can
 address it in CSS to fix the layout of all of our forms?

 That sounds fine to me. It may be the easiest option for us given the
 other constraints.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
-+
 Reporter:  hedleyroos@… |Owner:  nobody
 Type:  Uncategorized|   Status:  reopened
Component:  Forms|  Version:  1.4
 Severity:  Release blocker  |   Resolution:
 Keywords:  csrf | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+
Changes (by simonb):

 * cc: bnomis@… (added)
 * component:  Uncategorized => Forms


-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
-+
 Reporter:  hedleyroos@… |Owner:  nobody
 Type:  Uncategorized|   Status:  reopened
Component:  Uncategorized|  Version:  1.4
 Severity:  Release blocker  |   Resolution:
 Keywords:  csrf | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+

Comment (by claudep):

 Replying to [comment:1 lukeplant]:
 > You cannot put the input in without a div due to HTML validity
 constraints.

 Placing an input directly inside a form element is not valid in HTML
 4/XHTML Strict DTDs. It is accepted in the respective Transitional
 versions or in HTML5. Do we guarantee Strict conformance in Django?

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
-+
 Reporter:  hedleyroos@… |Owner:  nobody
 Type:  Uncategorized|   Status:  reopened
Component:  Uncategorized|  Version:  1.4
 Severity:  Release blocker  |   Resolution:
 Keywords:  csrf | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+
Changes (by aaugustin):

 * severity:  Normal => Release blocker


Comment:

 Marking as a release blocker since the current code might trigger
 regressions.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
---+
 Reporter:  hedleyroos@…   |Owner:  nobody
 Type:  Uncategorized  |   Status:  reopened
Component:  Uncategorized  |  Version:  1.4
 Severity:  Normal |   Resolution:
 Keywords:  csrf   | Triage Stage:  Accepted
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+

Comment (by hedleyroos@…):

 I vote for removing the div completely.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
---+
 Reporter:  hedleyroos@…   |Owner:  nobody
 Type:  Uncategorized  |   Status:  reopened
Component:  Uncategorized  |  Version:  1.4
 Severity:  Normal |   Resolution:
 Keywords:  csrf   | Triage Stage:  Accepted
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+
Changes (by simonb):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 By removing style="display:none" the layout of every form that uses
 csrf_token has been changed. The div becomes significant to the
 layout/flow of the form and moves everything that follows below it - divs
 are blocks. This is a backwards incompatible change. Could we, at least,
 give the surrounding div an id or class so we can address it in CSS to fix
 the layout of all of our forms?

 Thanks

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
---+
 Reporter:  hedleyroos@…   |Owner:  nobody
 Type:  Uncategorized  |   Status:  closed
Component:  Uncategorized  |  Version:  1.4
 Severity:  Normal |   Resolution:  fixed
 Keywords:  csrf   | Triage Stage:  Accepted
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+
Changes (by Luke Plant ):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 In [2ba4278cb38f1346d70cf427bbeac71a4d1dc5ad]:
 {{{
 #!CommitTicketReference repository=""
 revision="2ba4278cb38f1346d70cf427bbeac71a4d1dc5ad"
 Fixed #18484 - 'display:none' on CSRF token div is redundant and causes
 problems with some browsers

 Thanks to hedleyroos for the report
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

Re: [Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
---+
 Reporter:  hedleyroos@…   |Owner:  nobody
 Type:  Uncategorized  |   Status:  new
Component:  Uncategorized  |  Version:  1.4
 Severity:  Normal |   Resolution:
 Keywords:  csrf   | Triage Stage:  Accepted
Has patch:  0  |  Needs documentation:  0
  Needs tests:  0  |  Patch needs improvement:  0
Easy pickings:  0  |UI/UX:  0
---+
Changes (by lukeplant):

 * needs_docs:   => 0
 * needs_better_patch:   => 0
 * needs_tests:   => 0
 * stage:  Unreviewed => Accepted


Comment:

 Hmm, that is **really** broken behaviour.
 http://www.w3.org/TR/html401/interact/forms.html#h-17.13.2

 I believe the original reason was to ensure the inserted div had no effect
 on appearance. You cannot put the input in without a div due to HTML
 validity constraints. IIRC, having been tortured by IE for several years,
 I was worried that IE would do funny things with divs that are not
 completely empty, and give them some pixel space etc. (I've come across
 very similar bugs with almost empty divs in IE).

 That concern is probably passed now, and if this is causing a genuine
 problem, let's remove the 'style="display:none"'.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.

[Django] #18484: csrfmiddlewaretoken enclosed in redundant invisible div

[Django]

#18484: csrfmiddlewaretoken enclosed in redundant invisible div
---+
 Reporter:  hedleyroos@…   |  Owner:  nobody
 Type:  Uncategorized  | Status:  new
Component:  Uncategorized  |Version:  1.4
 Severity:  Normal |   Keywords:  csrf
 Triage Stage:  Unreviewed |  Has patch:  0
Easy pickings:  0  |  UI/UX:  0
---+
 Refer to
 
https://github.com/django/django/blob/master/django/template/defaulttags.py#L49.
 Why is the hidden input enclosed in a div with style display none? It
 causes problems on certain low-end handsets. These handsets do not include
 inputs in hidden containers as part of the post.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.