How can I embed django csrf token straight into HTML?

Question

within my django app I am storing strings of html in the db that will then be displayed on the users' home pages as "messages". Some of these messages contain forms, but not being written in the template language, I am not able to insert the csrf token (thus breaking the app).

Is there a way to insert this token directly from within the python files i'm editing? i'm looking for something along the lines of:

csrf_token = django.csrf.generate()
message = "press the button please: <form><input type='hidden' name='csrf_token' value='%s'><input type='submit' value='press here'></form>" % (csrf_token)

any other solution that would work in a similar scenario would be great. Thanks

Edit: Actually that's not going to work because the token is different for each session, so storing it in the db is not very useful. is there a way to dynamically load the token within the view?

What do you mean by 'dynamically load the token within the view'? — Reto Aebersold, Jul 20 '10 at 15:25
the form is stored as a string in the database, so if i store the token there it will be invalid as soon as it is loaded in a new session. If it were possible to load a new token from inside the view, then I could intercept the html as it was being rendered, insert the appropriate token, and display the working form. The key thing here is that I'm not going through a template to insert the token. Does that make it clearer? — ergelo, Jul 21 '10 at 12:41

score 55 · Accepted Answer · edited Jul 25 '12 at 20:55

55

Call django.middleware.csrf.get_token(request) to get the CSRF token.

edited Jul 25 '12 at 20:55

Nicu Surdu

8,172
9
68
108

answered Jul 21 '10 at 12:49

viam0Zah

25,949
8
77
100

Does this work by putting the token into a hidden input? Because I keep getting the same error, what would be the best way to put this token into the form? – Francisco Peters Jan 03 '17 at 19:08
Okay solution for me was to use name "csrfmiddlewaretoken" instead of "csrf_token" – Francisco Peters Jan 03 '17 at 20:12

score 48 · Answer 2 · answered Jul 20 '10 at 15:22

48

The way to use it, is to use it directly in the templates.

From the documentation,:

<form action="" method="post">
{% csrf_token %}

is all you have to include.

answered Jul 20 '10 at 15:22

lprsd

84,407
47
135
168

thanks. the problem is that the 'message' is created in a view, and stored into the db without ever going through a view. I'll solve the problem by turning the form button into a link and going through a view to bypass the csrf. – ergelo Jul 20 '10 at 17:28
12

the question is for the case where you dont use django's templates – Jenia Ivanov May 19 '14 at 16:45
This solved it for me during the installation of Django-CMS! For some reason it would not login without this token in the only template I had. Weird. – MadPhysicist May 04 '17 at 21:16

score 11 · Answer 3 · answered Sep 13 '13 at 08:44

11

The accepted answer assumes that token is already set in the request object.

Maybe something like this is better:

from django.middleware import csrf
def get_or_create_csrf_token(request):
    token = request.META.get('CSRF_COOKIE', None)
    if token is None:
        token = csrf._get_new_csrf_key()
        request.META['CSRF_COOKIE'] = token
    request.META['CSRF_COOKIE_USED'] = True
    return token

answered Sep 13 '13 at 08:44

Evgeny

10,698
9
60
70

1

you should not use internal APIs and in fact _get_new_csrf_key() does not exist in Django anymore. you should use get_token(). – interDist Feb 26 '17 at 17:36
1

`csrf.get_token` already creates a new token if it doesn't exists yet – Francisco Jul 10 '19 at 17:09

How can I embed django csrf token straight into HTML?

3 Answers3

Linked