Add form_tag name attribute?

Question

Add form_tag name attribute?

yawaramin opened this issue 2 years ago · comments

Dream.form_tag is great for creating secure forms but can we add a ~name:"some-name" parameter? it's pretty traditional for forms to have the name attribute set so they can be accessed from JavaScript like document.forms['some-name'].

I guess to ask it another way, is there a way to customize the output of form_tag with any attributes we need to put in there?

Anton Bachin · Answer 1 · Mon Feb 07 2022 13:54:53 GMT+0800 (China Standard Time)

There isn't a way right now, but there should be. Would you be willing to open a PR to add either ?name or ?attributes to Dream.form_tag? I would be happy to merge it :)

Yawar Amin · Answer 2 · Mon Feb 07 2022 23:14:15 GMT+0800 (China Standard Time)

Sure, I'd be happy to, looks pretty simple. If you don't mind, could I just add name, as attributes would be a bit more tricky i.e. we'd need to ensure it didn't clash with the other arguments.

Yawar Amin · Answer 3 · Mon Feb 07 2022 23:25:48 GMT+0800 (China Standard Time)

Actually, thinking about this a bit more–what do you think of using a Django-style csrf_token value: https://docs.djangoproject.com/en/4.0/ref/csrf/

So instead of using form_tag to render the beginning of the form, we could just write normal <form...> tag and inject the token like:

let render req =
  <form name="some-name" method="post" action="/"><%s! Dream.csrf_token req %>
    ...
  </form>

Anton Bachin · Answer 4 · Mon Feb 07 2022 23:52:49 GMT+0800 (China Standard Time)

Actually, thinking about this a bit more–what do you think of using a Django-style csrf_token value: https://docs.djangoproject.com/en/4.0/ref/csrf/

So instead of using form_tag to render the beginning of the form, we could just write normal <form...> tag and inject the token like:
let render req =
  <form name="some-name" method="post" action="/"><%s! Dream.csrf_token req %>
    ...
  </form>

That's a good idea! It would bypass having to maintain arguments of form_tag. The actual function would have to be Dream.csrf_tag, since the existing Dream.csrf_token generates a general CSRF token which might be used for CSRF schemes not involving form fields, and since we do probably want to generate the entire CSRF form field, as your snippet suggests.

Anton Bachin · Answer 5 · Mon Feb 07 2022 23:54:10 GMT+0800 (China Standard Time)

If you do that in a PR, I suggest not removing Dream.form_tag. I'll add an informative deprecation message to it later, to help people find out what to replace it with. I'll remove Dream.form_tag after one or a few more releases.

Yawar Amin · Answer 6 · Tue Feb 08 2022 00:24:21 GMT+0800 (China Standard Time)

Sounds like a plan! I'll draw up a PR soon.