From d2c5908c89bf8c41757cfda554db170f95144834 Mon Sep 17 00:00:00 2001
From: Bartuccio Antoine
Date: Thu, 20 Dec 2018 18:19:50 +0100
Subject: [PATCH] core: workaround for crsf token in production for MarkdownInput
See https://docs.djangoproject.com/en/2.0/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-is-true
---
 core/static/core/js/script.js | 19 +++++--------------
 core/templates/core/base.jinja | 3 +++
 core/templates/core/markdown_textarea.jinja | 2 +-
 3 files changed, 9 insertions(+), 15 deletions(-)
diff --git a/core/static/core/js/script.js b/core/static/core/js/script.js
index 0fc49293..f152525f 100644
--- a/core/static/core/js/script.js
+++ b/core/static/core/js/script.js
@@ -47,18 +47,9 @@ function display_notif() {
 // You can't get the csrf token from the template in a widget
 // We get it from a cookie as a workaround, see this link
 // https://docs.djangoproject.com/en/2.0/ref/csrf/#ajax
-function getCookie(cname) {
- var name = cname + "=";
- var decodedCookie = decodeURIComponent(document.cookie);
- var ca = decodedCookie.split(';');
- for(var i = 0; i + + + {% csrf_token %} {% block header %} {% if not popup %}
diff --git a/core/templates/core/markdown_textarea.jinja b/core/templates/core/markdown_textarea.jinja
index 650438a4..d4579ebb 100644
--- a/core/templates/core/markdown_textarea.jinja
+++ b/core/templates/core/markdown_textarea.jinja
@@ -18,7 +18,7 @@
 $.ajax({
 url: "{{ markdown_api_url }}",
 method: "POST",
- data: { text: plainText, csrfmiddlewaretoken: getCookie('csrftoken') },
+ data: { text: plainText, csrfmiddlewaretoken: getCSRFToken() },
 }).done(function (msg) {
 preview.innerHTML = msg;
 });
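Review bot: The changed `data:` line in markdown_textarea.jinja posts whatever `getCSRFToken()` returns, and the request has no failure path, so a missing token ends in a silent 403 and a preview that never updates. The helper's body is not visible on this page, but going by the commit message it reads the token from the rendered page, so it presumably depends on the `{% csrf_token %}` tag added to base.jinja; any template that renders this widget without extending base.jinja would send an empty value. Consider chaining a `.fail()` handler after `.done()` that tells the user the preview could not be rendered. The context comment kept above the helper in script.js still reads `We get it from a cookie as a workaround` and links to the `#ajax` section, so it should be reworded to match the new source of the token. The unchanged `preview.innerHTML = msg;` trusts the markdown endpoint to return sanitized HTML, which is worth confirming on the server side since the previewed text is user-supplied.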