Commit 0f7f80e9 authored by Sli's avatar Sli

Merge branch 'makdown-editor' into 'master'

Workaround for crsf token in production for MarkdownInput

See merge request !189
parents 3898a13b d2c5908c
Pipeline #1678 passed with stage
in 9 minutes and 48 seconds
......@@ -47,18 +47,9 @@ function display_notif() {
// You can't get the csrf token from the template in a widget
// We get it from a cookie as a workaround, see this link
// https://docs.djangoproject.com/en/2.0/ref/csrf/#ajax
function getCookie(cname) {
var name = cname + "=";
var decodedCookie = decodeURIComponent(document.cookie);
var ca = decodedCookie.split(';');
for(var i = 0; i <ca.length; i++) {
var c = ca[i];
while (c.charAt(0) == ' ') {
c = c.substring(1);
}
if (c.indexOf(name) == 0) {
return c.substring(name.length, c.length);
}
}
return "";
// Sadly, getting the cookie is not possible with CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True
// So, the true workaround is to get the token from the dom
// https://docs.djangoproject.com/en/2.0/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-is-true
function getCSRFToken() {
return $("[name=csrfmiddlewaretoken]").val();
}
\ No newline at end of file
......@@ -26,6 +26,9 @@
<body>
<!-- The token is always passed here to be accessible from the dom -->
<!-- See this workaround https://docs.djangoproject.com/en/2.0/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-is-true -->
{% csrf_token %}
<!-- BEGIN HEADER -->
{% block header %}
{% if not popup %}
......
......@@ -18,7 +18,7 @@
$.ajax({
url: "{{ markdown_api_url }}",
method: "POST",
data: { text: plainText, csrfmiddlewaretoken: getCookie('csrftoken') },
data: { text: plainText, csrfmiddlewaretoken: getCSRFToken() },
}).done(function (msg) {
preview.innerHTML = msg;
});
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment