1

In a Django view, I'm placing an Html form (actual string with some Html, from my DB) into an Html template, with a tag: {{ injected_form|safe }}. This succeeds in showing the form, but I've got an issue POSTing it:

Forbidden (...) CSRF token missing or incorrect.

(Which I know is appropriate Django behaviour, as I have no CSRF token tag/field inside the form itself. Btw the reason for the custom Html form strings in the DB is that they can be produced by the actual user)

A solution I could implement is TheBronx's answer to a question here. This seems to be a case where just doing

<form method="post">
    {% csrf_token %}
    ......
</form>

is not possible! Are there solutions for this issue?

I've figured out how to handle/receive POSTs without a related Django model, but I didn't foresee this CSRF problem submitting them :( Any help would be greatly appreciated

S_alj
  • 447
  • 1
  • 3
  • 15

1 Answers1

2

I'm not sure why it isn't possible. Surely the form stored in the database doesn't need to include the <form> tags themselves, so you could easily use those yourself and add the CSRF token. That seems safer anyway, since you should really ensure the destination of the form POST yourself.

But I must say, this whole approach seems wrong. It's never really going to be safe to allow users to add raw HTML to your database and output it directly, unescaped, to the template. And allowing them to specify form fields in HTML seems like a recipe for all sorts of injection attacks.

Instead consider allowing them to choose from a selection of fields, and build up the form yourself from those.

Daniel Roseman
  • 588,541
  • 66
  • 880
  • 895
  • I got it to work with my template, placing the token and injecting the Html fields, between
    . Btw those Html strings are produced by the user with a form building Django App I'm using (and an App of mine "extracts them" from it), sorry for not being clear. Thank you very much for the suggestion and the warning!     – S_alj Jul 04 '17 at 00:45