[Zope-dev] CSRF/XSS: zope.formlib

Sidnei da Silva sidnei at enfoldsystems.com
Sun Jan 25 21:23:33 EST 2009

Hello all,

I've been looking at the way CSRF protection is done in Plone
(plone.protect, using a @protect decorator), and also at the XSS
protection added to Zope (@postonly decorator) and was wondering if
something more generic could possibly be done for zope.formlib-based
forms, instead of requiring the use of a decorator.

A quick look through the code makes it seem like an Action could be added
to the Actions object such that the validator would do one (or both)
of those checks, and something similar to the render_submit_button()
which is registered as a @namedtemplate.implementation() would then be
used to render the hidden form field holding the CSRF token for that
specific action.

Does that sound like a reasonable implementation, or is it abusing the

Sidnei da Silva
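
The check proposed in the message above, as an added example that is not part of the original post and is not zope.formlib or plone.protect code: a per-action validator that enforces POST and verifies a token bound to the session and the action name, plus the hidden field that carries it. The `Request` and `Form` classes, the `_csrf_token` field name, and the validator signature are assumptions made so the sketch runs stand-alone.

```python
import hashlib
import hmac
import html

TOKEN_FIELD = "_csrf_token"  # hypothetical hidden field name


class Request:
    """Constructed stand-in for a publisher request (method + form dict)."""
    def __init__(self, method, form):
        self.method = method
        self.form = form


class Form:
    """Constructed stand-in for a form bound to a request and a session secret."""
    def __init__(self, request, session_secret):
        self.request = request
        self.session_secret = session_secret


def make_token(session_secret, action_name):
    """Derive a token bound to both the user's session and one action."""
    return hmac.new(session_secret, action_name.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def render_token_field(form, action_name):
    """Render the hidden input that carries the token for this action."""
    token = make_token(form.session_secret, action_name)
    return '<input type="hidden" name="%s" value="%s" />' % (
        html.escape(TOKEN_FIELD, quote=True), html.escape(token, quote=True))


def protected_validator(form, action_name, data):
    """Return a list of error strings; an empty list means the checks passed."""
    errors = []
    if form.request.method.upper() != "POST":
        errors.append("POST required")
    submitted = form.request.form.get(TOKEN_FIELD, "")
    if not isinstance(submitted, str):
        submitted = ""  # e.g. a repeated field parsed as a list
    expected = make_token(form.session_secret, action_name)
    # Constant-time comparison on bytes avoids leaking the token via timing.
    if not hmac.compare_digest(submitted.encode("utf-8"), expected.encode("ascii")):
        errors.append("CSRF token missing or invalid")
    return errors
```

Because the token is derived from the action name, a token captured for one action does not validate for another action on the same form.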
