
In the Django comment framework, the CommentSecurityForm contains a 'timestamp' and a 'security_hash' field for the purpose of 'anti-spoofing', besides the commonly used CSRF token. What safety value does it have? I need to make a form with a generic foreign key (includes a content_type and an object_id hidden field); should I implement the same method to improve safety? If so, are there good reading materials concerning this issue? Thanks for the help! :)

Django comment form classes description

Xun Yang
  • At a guess, it's an attempt (a nuisance for an attacker to generate a hash) to stop users giving any old content_type/object_pk pair and adding a comment to arbitrary model instances. Really, there should be a proper check to see if the user should be able to attach a comment to a particular model. But like I said, a complete guess. – jozxyqk Jul 22 '15 at 15:06
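The mechanism under discussion, as an added example that is not Django's own code: a keyed HMAC over the hidden content_type/object_pk fields plus a timestamp, generated when the form is rendered and verified when it is posted, so a client cannot swap in another object without the server-side secret. The secret key, the two-hour expiry window and the field names are assumptions chosen for this example.

```python
import hmac
import hashlib
import time
from typing import Optional

SECRET_KEY = b"constructed-example-secret"  # assumption: a server-side secret, never sent to clients
MAX_AGE_SECONDS = 2 * 60 * 60               # assumption: issued hashes expire after two hours


def generate_security_hash(content_type: str, object_pk: str, timestamp: str) -> str:
    """Keyed HMAC over the three values; without SECRET_KEY a client cannot
    produce a valid hash for a different content_type/object_pk pair."""
    message = f"{content_type}-{object_pk}-{timestamp}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def generate_security_data(content_type: str, object_pk: str, now: Optional[float] = None) -> dict:
    """Values the view puts into the hidden fields when rendering the form."""
    timestamp = str(int(now if now is not None else time.time()))
    return {
        "content_type": content_type,
        "object_pk": object_pk,
        "timestamp": timestamp,
        "security_hash": generate_security_hash(content_type, object_pk, timestamp),
    }


def check_security_data(data: dict, now: Optional[float] = None) -> Optional[str]:
    """Return None when the posted hidden fields are acceptable, else a reason.
    Checks: timestamp parses, hash matches (constant-time compare), and the
    timestamp is neither from the future nor older than MAX_AGE_SECONDS."""
    try:
        issued = int(data["timestamp"])
    except (KeyError, ValueError):
        return "bad timestamp"
    expected = generate_security_hash(
        data.get("content_type", ""), data.get("object_pk", ""), data["timestamp"]
    )
    if not hmac.compare_digest(expected, data.get("security_hash", "")):
        return "security hash mismatch"
    current = now if now is not None else time.time()
    if issued > current + 60:          # small clock-skew allowance
        return "timestamp in the future"
    if current - issued > MAX_AGE_SECONDS:
        return "form expired"
    return None
```

A valid hash only proves the server issued those hidden values recently; whether the user may attach anything to that object is a separate permission check the view still has to make.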

0 Answers