[Answered ]-Django- CSRF and POSTing an Html form

2👍

I’m not sure why it isn’t possible. Surely the form stored in the database doesn’t need to include the <form> tags themselves, so you could easily use those yourself and add the CSRF token. That seems safer anyway, since you should really ensure the destination of the form POST yourself.

But I must say, this whole approach seems wrong. It’s never really going to be safe to allow users to add raw HTML to your database and output it directly, unescaped, to the template. And allowing them to specify form fields in HTML seems like a recipe for all sorts of injection attacks.

Instead consider allowing them to choose from a selection of fields, and build up the form yourself from those.

Leave a comment