Scripts with type="application/json" or "text/plain" are not executed, so we can
use them to inject dynamic CSRF data, without allowing inline-script execution
in Content-Security-Policy.
HTML responses generated by the Browsable API otherwise generate
inconsistent ETAGs -- due to the presence of CSRF tokens in the response
-- even when the API is read-only, (and as such when the response
contains no resource-modifying forms, i.e. neither POST nor PUT forms,
which might require the CSRF token).
While the template was appropriately including CSRF tokens only within
POST and PUT forms, its AJAX overlay included the CSRF token in *every*
response, regardless of whether it would be needed.
This change brings the logic of the `script` block into line with that
of the rest of the template -- and such that read-only APIs (and really
the Browsable API pages of *any* read-only resources) will not
needlessly include the CSRF token, and will now be safely cachable -- by
both back-end systems and by the user agent.
* Add test that verifies that HTML is correctly escaped in Browsable API views
* Fix `urlize_quoted_links` tag to avoid double escaping in autoescape mode
* Fix XSS in default DRF Browsable API template by re-enabling autoescape
* View suffix already set by initializer
* Add 'name' and 'description' attributes to ViewSet
ViewSets may now provide their `name` and `description` attributes
directly, instead of relying on view introspection to derive them.
These attributes may also be provided with the view's initkwargs.
The ViewSet `name` and `suffix` initkwargs are mutually exclusive.
The `action` decorator now provides the `name` and `description` to
the view's initkwargs. By default, these values are derived from the
method name and its docstring. The `name` may be overridden by providing
it as an argument to the decorator.
The `get_view_name` and `get_view_description` hooks now provide the
view instance to the handler, instead of the view class. The default
implementations of these handlers now respect the `name`/`description`.
* Add 'extra actions' to ViewSet & browsable APIs
* Update simple router tests
Removed old test logic around link/action decorators from `v2.3`. Also
simplified the test by making the results explicit instead of computed.
* Add method mapping to ViewSet actions
* Document extra action method mapping
In commit 5392be4ddb, there was a change
made when cleaning up the template for the API listing that caused 2
spaces to appear before every header item (except the first) and before
the first line of the body of the response. This meant that it often
looked like:
HTTP 200 OK
Allow: GET, OPTIONS
Content-Type: application/json
Vary: Accept
{
"key": "value",
"key2": "value2"
}
This change removes those leading spaces, so that it will now look like:
HTTP 200 OK
Allow: GET, OPTIONS
Content-Type: application/json
Vary: Accept
{
"key": "value",
"key2": "value2"
}
Instead of hardcoding the CSRF cookie name, the value is passed to the template as a context variable, rendered as a JavaScript variable, and read by csrf.js.
Fixes#4048
