In my recent Django project I use Mako templates.

About Cross Site Request Forgery (CSRF).

In Django templates there is the tag {% csrf_token %} to protect against hackers.

What about Mako templates? Is there any analog of csrf_token, or is there another protection mechanism?

Thanks!

Vitalii Ponomar

2 Answers

I ran into the same problem just today (that's why I ended up here). I found a solution, at least for what I wanted to do, which is to pass some POST data to another view through an HTML form. Here it is:

  1. From your first view, get a CSRF Token and add it to your (Mako) context:

    # djangomako's render_to_response takes (template_name, context) like Django's own.
    from djangomako.shortcuts import render_to_response as render
    # The csrf context processor returns {"csrf_token": <token>} for this request
    # (Django 1.5 location; CsrfViewMiddleware must be enabled in MIDDLEWARE_CLASSES).
    from django.core.context_processors import csrf

    def first_view(request):
        """This view generates a form whose action is 'second_view'."""
        # Pull the token out of the processor's dict and expose it under a
        # name the Mako template can reference with ${ csrftoken }.
        context = {"csrftoken": csrf(request)["csrf_token"]}
        return render("path/to/yourtemplate.html", context)

  2. yourtemplate.html's form must have a field named "csrfmiddlewaretoken" whose value is the CSRF Token, which we placed in the context as "csrftoken". As in:

    <!-- Inside a <form method="post" action="..."> so the middleware sees the field -->
    <input type="hidden" name="csrfmiddlewaretoken" value="${ csrftoken }" />
    

Source: Cross Site Request Forgery protection (Django 1.5 Docs)

Samhain13

There's some sample code at Django Snippets that looks to do this, although judging by the comments, you may need to fiddle a bit. If you have trouble, you basically want to make sure that you're duplicating the Django stock CSRF tag (click the link, start on line 87).

Luke Sneeringer
  • Don't you know - maybe Mako does not need such actions? In fact, I couldn't find anything about security in the Mako documentation... – Vitalii Ponomar Nov 12 '11 at 18:16
  • Mako is a templating language, and the security issues that CSRF stops have nothing to do with Mako vs. the Django stock templating language vs. Jinja or any other templating language you might choose. – Luke Sneeringer Nov 12 '11 at 18:30