Commit 0f7f80e9 authored by Sli's avatar Sli

Merge branch 'makdown-editor' into 'master'

Workaround for csrf token in production for MarkdownInput

See merge request !189
parents 3898a13b d2c5908c
Pipeline #1678 passed with stage
in 9 minutes and 48 seconds
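--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -47,18 +47,9 @@ function display_notif() {
 // You can't get the csrf token from the template in a widget
 // We get it from a cookie as a workaround, see this link
 // https://docs.djangoproject.com/en/2.0/ref/csrf/#ajax
-function getCookie(cname) {
-var name = cname + "=";
-var decodedCookie = decodeURIComponent(document.cookie);
-var ca = decodedCookie.split(';');
-for(var i = 0; i <ca.length; i++) {
-var c = ca[i];
-while (c.charAt(0) == ' ') {
-c = c.substring(1);
-}
-if (c.indexOf(name) == 0) {
-return c.substring(name.length, c.length);
-}
-}
-return "";
+// Sadly, getting the cookie is not possible with CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True
+// So, the true workaround is to get the token from the dom
+// https://docs.djangoproject.com/en/2.0/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-is-true
+function getCSRFToken() {
+return $("[name=csrfmiddlewaretoken]").val();
 }
\ No newline at end of file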
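Review bot: The three context comment lines at the top of the hunk still say the token is read from a cookie, which is exactly what this hunk stops doing, so the comment block now contradicts the function below it; replace `// We get it from a cookie as a workaround, see this link` and the `#ajax` link line with something like `// The widget reads the token from the hidden csrfmiddlewaretoken input that the base template always renders`. Separately, `getCSRFToken()` returns `undefined` when no such input is present in the DOM, and jQuery serialises that as an empty `csrfmiddlewaretoken=` field, so the POST is rejected with a 403 and nothing in the browser console explains why; a guard such as `var token = $("[name=csrfmiddlewaretoken]").val(); if (!token) { console.error("csrfmiddlewaretoken input not found in DOM"); } return token;` makes that failure visible instead of silent. The selector also picks the first matching input on the page, which is fine as long as every hidden token input in the document carries the same per-request value, as Django's tag does.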
...@@ -26,6 +26,9 @@ ...@@ -26,6 +26,9 @@
<body> <body>
<!-- The token is always passed here to be accessible from the dom -->
<!-- See this workaround https://docs.djangoproject.com/en/2.0/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-is-true -->
{% csrf_token %}
<!-- BEGIN HEADER --> <!-- BEGIN HEADER -->
{% block header %} {% block header %}
{% if not popup %} {% if not popup %}
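--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -18,7 +18,7 @@
 $.ajax({
 url: "{{ markdown_api_url }}",
 method: "POST",
-data: { text: plainText, csrfmiddlewaretoken: getCookie('csrftoken') },
+data: { text: plainText, csrfmiddlewaretoken: getCSRFToken() },
 }).done(function (msg) {
 preview.innerHTML = msg;
 });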
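Review bot: The `$.ajax` call that the changed `data:` line belongs to still has only a `.done` handler, so when `getCSRFToken()` yields `undefined` (no hidden input in the page) or the token is rejected, the resulting 403 is dropped on the floor and the preview simply stays stale with no indication of why; add a rejection handler after the `.done(...)` block, e.g. `}).fail(function (xhr) { console.error("markdown preview request failed", xhr.status); });`. The function enclosing this `$.ajax` call starts and ends outside the hunk. Unchanged by this commit but worth noting next to it: `preview.innerHTML = msg;` inserts the server response as raw HTML, so the markdown API endpoint is the only place where that output can be sanitised.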