Hi,

in my opinion current Tornado documentation should be changed regarding xfrs sample in "overview" page.
In fact, examples refer to

If xsrf_cookies is set, the Tornado web application will set the _xsrf cookie for all users and reject all POST, PUT, and DELETE requests that do not contain a correct _xsrf value. If you turn this setting on, you need to instrument all forms that submit via POST to contain this field. You can do this with the special function xsrf_form_html(), available in all templates:

<form action="/new_message" method="post">
  {{ xsrf_form_html() }}
  <input type="text" name="message"/>
  <input type="submit" value="Post"/>
</form>

but auto-escaping now it's true by default, so examples,  should be written using {% raw xsrf_form_html() %}, shouldn't it?

Thank you,

Antonio

--

Antonio Pintus

e-mail: pin...@gmail.com
Home Page: http://www.pintux.it
Blog: http://jaranto.blogspot.com
Photography: http://www.flickr.com/photos/pintux/
Twitter: apintux

http://www.paraimpu.com

Use {% raw xsrf_form_html() %} is right ~ when autoescape=True~

2012/8/7 Antonio Pintus <pin...@gmail.com>

--
--------------------------------------------------------------------
HengZhou
---------------------------------------------------------------------
--

yes, it should be modified, because auto escaping is by default ON.

Thanks, I've updated both places in the docs that still used the old form.

I used {% module %} instead of {% raw %} since xsrf_form_html is
registered as a module, and this way offers slightly less
encouragement to use {% raw %} frequently.

-Ben

On Tue, Aug 7, 2012 at 9:59 AM, aliane abdelouahab