django-ckeditor-5 unable to upload file on local and not showing preview of youtube link
I successfully display the ckeditor5 using django-ckeditor-5 package, but not able to upload images and not able to show youtube video on the result page.
Here is what I get errors on backend console and browser.
Forbidden (CSRF token from the 'X-Csrftoken' HTTP header has incorrect length.): /ckeditor5/image_upload/
WARNING 2024-04-08 09:40:09,120 log 10 135125224380160 Forbidden (CSRF token from the 'X-Csrftoken' HTTP header has incorrect length.): /ckeditor5/image_upload/
INFO: 172.19.0.1:54724 - "POST /ckeditor5/image_upload/ HTTP/1.1" 403 Forbidden
It is definitely about the csrf token, but it should be handled by the package. When I was watching youtube tutorials and blogs, no one is configuring about csrf token.
Here is some information of my project.
I started the project with cookiecutter-django running with docker. I configured settings using tailwindcss/flowbite. frontend pipeline using webpack.
While I was writing this, I found an answer for showing youtube link on detail page, and my friend helped me solve uploading images.
First, to show youtube link on detail page, you should add the below on settings for CKEDITOR_5_CONFIGS
"extends": {
....
"mediaEmbed": {"previewsInData": "true"},
},
I found this answer from the github issue
For the uploading issue, basically, cookiecutter-django has default setting like below for security part.
# SECURITY
# ------------------------------------------------------------------------------
# https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-httponly
SESSION_COOKIE_HTTPONLY = True
# https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
CSRF_COOKIE_HTTPONLY = True
# https://docs.djangoproject.com/en/dev/ref/settings/#x-frame-options
X_FRAME_OPTIONS = "DENY"
If I change CSRF_COOKIE_HTTPONLY to False, uploading images successfully.
Now this bring up another question. Is it ok to make it false? Will there be any serious security issues?
- Django column "name" of relation "django_content_type" does not exist
- Django CSRF check failing with an Ajax POST request
- how to pass csrf_token to javascript file in django?
- Django Celery Redis
- How to properly make a signup view with django
- Sphinx Readthedocs theme Font-awesome integration
- Where to place a sitemap.xml file in my django project?
- Django MultipleChoiceField not sending valid data in POST
- Add PRIMARY KEY constraint to existing table
- why do we need to restart apache after changing some file in django project
- rendering template with csrf token and template context
- Are consecutive django model save calls safe?
- How to use AssertRaisesMessage() in Django tests
- Using a settings file other than settings.py in Django
- Variable subtraction in django templates
- Django - Can a crispy form be split into 2 columns?
- How do I override my SvelteKit CSRF token to match my Django backend's CSRF token?
- Django does not reset module variables during multiple requests
- Why does django create a migration file when we change the storage attribute of FileField, when the storage type is not stored in the database?
- Single view for multiple paths via URL kwargs
- How to make group by in django ORM
- Custom Link on Column
- Django: related_name issue
- Django: create Index: non-unique, multiple column
- django InlineFormsets errors reporting with formset error list being empty
- Django url routing with flatpages
- Django: Get previous value in clean() method
- Django - dynamically update a count model field when related objects are added or removed
- Why does the getattr(ClassInstance, "http_method_names", []) function in django APIView return all http methods even though only GET is implemented?
- Django how to check whether a model is being created created or update