Edgewall Software

Changes between Initial Version and Version 1 of Ticket #9659, comment 7


Timestamp:
Oct 6, 2010, 7:46:48 PM (14 years ago)
Author:
Christian Boos

  • Ticket #9659, comment 7

    initial v1  
    33If you are really convinced you could avoid CSRF attacks using a different scheme, then feel free to propose a patch (that we could shoot down ;-) ).
    44
    5 In my understanding, we //might// get away from the filtering if we would explicitly add the token each <form>, in the templates. But that would be error prone, at least until some kind of support for tag libraries (#G395, which you're probably aware of ;-) ). Note that even in that case, people could still use <form> by mistake instead of <trac:form>, so it's probably not worth it.
     5In my understanding, we //might// get away from the filtering if we would explicitly add the token each <form>, in the templates. But that would be error prone, at least until some kind of support for tag libraries (#G395, which you're probably aware of ;-) ). Note that even in that case, people could still use <form> by mistake instead of <!trac:form>, so it's probably not worth it.