From 3739044a4debb7cea4dd216fa1328e7a66d76fc6 Mon Sep 17 00:00:00 2001
From: Robin Sonnabend <robin@fsmpi.rwth-aachen.de>
Date: Thu, 19 Apr 2018 10:53:27 +0200
Subject: [PATCH] Hide CSRFTokenFields from GET-Forms

Search forms do not need CSRF tokens, and this way the (secret) token
does not end up in URLs that people copy elsewhere.
---
 templates/macros.html | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/templates/macros.html b/templates/macros.html
index 230a100..a8b6f01 100644
--- a/templates/macros.html
+++ b/templates/macros.html
@@ -71,7 +71,7 @@ to not render a label for the CRSFTokenField -->
     {% endfor %}
 {%- endmacro %}
 
-{% macro render_form_inner(field, labels_visible) -%}
+{% macro render_form_inner(field, labels_visible, method) -%}
     {% if field.type == 'BooleanField' %}
         {{ render_checkbox_field(field) }}
     {% elif field.type == 'RadioField' %}
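Review bot: The new `method` parameter on `render_form_inner` has no default, so a caller that omits it leaves `method` as Jinja's Undefined; that compares unequal to "GET" and the token is rendered, which happens to be the safe direction, but the behaviour is implicit. An explicit default documents the intent: `{% macro render_form_inner(field, labels_visible, method=None) -%}`. The body of the macro continues past the end of this hunk.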
@@ -82,6 +82,10 @@ to not render a label for the CRSFTokenField -->
         {% for f in field %}
             {{render_form_inner(f, labels_visible=labels_visible)}}
         {% endfor %}
+    {% elif field.type == 'CSRFTokenField' %}
+        {% if method != "GET" %}
+          {{ render_field(field, label_visible=labels_visible) }}
+        {% endif %}
     {% else %}
         {{ render_field(field, label_visible=labels_visible) }}
     {% endif %}
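Review bot: The recursive call on the unchanged line `{{render_form_inner(f, labels_visible=labels_visible)}}` inside the sub-field loop does not forward `method`, so a CSRFTokenField nested in a sub-form is rendered regardless of the form's method and the token can still land in the query string of a GET form. Forwarding it keeps the new guard consistent: `{{render_form_inner(f, labels_visible=labels_visible, method=method)}}`. The comparison `method != "GET"` is also case-sensitive, so a caller passing "get" gets the token rendered; if callers are expected to pass the HTML attribute value verbatim, `method|upper != "GET"` would be the more robust check. Whether FieldList/FormField sub-forms in this project carry a CSRFTokenField at all cannot be seen from the hunk.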
@@ -111,7 +115,7 @@ to not render a label for the CRSFTokenField -->
             {{ caller() }}
         {% else %}
             {% for f in form %}
-                {{render_form_inner(f, labels_visible=labels_visible, textarea_rows=textarea_rows, **kwargs)}}
+                {{render_form_inner(f, labels_visible=labels_visible, textarea_rows=textarea_rows, method=method, **kwargs)}}
             {% endfor %}
         {% endif %}
         <button type="submit" class="{{btn_class}}">{{action_text}}</button>
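Review bot: The new call passes `method=method`, but the `render_form` macro signature is outside this hunk, so it is not visible whether `method` is a declared parameter of `render_form` or only reaches it via `kwargs`. If it is not declared, `method` here is Undefined and the guard in `render_form_inner` silently keeps rendering the token for GET forms, defeating the purpose of the change; the signature should declare it, e.g. `{% macro render_form(form, ..., method="POST", ...) -%}`, and the `<form method=...>` attribute and this value should come from the same variable so they cannot drift. The enclosing macro begins before and ends after this hunk.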
-- 
GitLab