safe csrf tokens (bug 590351)

lib/csrf_context.py

@@ -0,0 +1,14 @@
+from django.core import context_processors
+from django.utils import functional, html
+
+
+def csrf(request):
+    # Use lazy() because getting the token triggers Set-Cookie: csrftoken.
+    def _get_val():
+        token = context_processors.csrf(request)['csrf_token']
+        # This should be an md5 string so any broken Unicode is an attacker.
+        try:
+            return html.escape(unicode(token))
+        except UnicodeDecodeError:
+            return u''
+    return {'csrf_token': functional.lazy(_get_val, unicode)()}

settings.py

@@ -153,7 +153,7 @@ TEMPLATE_CONTEXT_PROCESSORS = (
     'django.core.context_processors.debug',
     'django.core.context_processors.media',
     'django.core.context_processors.request',
-    'django.core.context_processors.csrf',
+    'csrf_context.csrf',
 
     'django.contrib.messages.context_processors.messages',