On Saturday, May 9, 2020 at 1:41:41 PM UTC+2, Aymeric Augustin wrote:
>
> - Users who don't know that GET queries mustn't have side effects and who 
> don't want to bother will have an incentive to use a POST query to get the 
> data in form_data; this is the safe option with regards to CSRF;
>

This is imo the best argument in this thread and convinces me a little bit 
:D But I still think we should accompany this with documentation that 
explains why GET-powered forms do not show up in form_data. What irks me a 
little bit is that request.GET/POST nicely stood out in code -- i.e. I could 
find user input handling at first glance.

As for disruption, can we just alias them for now and drop GET/POST from 
the docs and not immediately start with warnings?

Cheers,
Florian
