I am using the below code in my site wide template...
{% for lang in languages %}
<li>
<form name="setLang{{ lang.1}}" action="/i18n/setlang/" method="POST">{% csrf_token %}
<input name="next" type="hidden" value="/" />
<input type="hidden" name="language" value="{{ lang.0 }}" />
<a class='{% if LANGUAGE_CODE == lang.0 %}selected{% endif %}' href="#" onclick="document.setLang{{ lang.1 }}.submit();return false;">{{ lang.0 }}</a>
</form>
</li>
{% endfor %}
and in urls.py i have
(r'^i18n/', include('django.conf.urls.i18n'))
But on internet explorer i am getting csrf verification failed error... Is the problem about there are two forms on the page?
Well I'm not sure if this will solve your problem, but you should definitely put a space after {{ lang.1 so that it looks like {{ lang.1 }}. It is worth trying that, at least, to see if the semantics is causing a break somewhere.
Related
(I'm new with Django)
I ran an automated scan (OWASP ZAP) to test my application security and it's returning a high risk flag for External Redirect:
Automated Scan Alert
Looks like it's something to do with the path "/i18n/setlang/" and the parameter "next", like "?next=(redirect)"
I set the i18n path like that
urlpatterns = [ path('i18n/', include('django.conf.urls.i18n')), ... ]
And this is my HTML
<div class="flex justify-items-end">
{% get_current_language as LANGUAGE_CODE %}
{% get_available_languages as LANGUAGES %}
{% get_language_info_list for LANGUAGES as languages %}
{% for language in languages %}
<form action="{% url 'set_language' %}" method="post" id="form_{{ language.code }}" style="display:inline!important;">
{% csrf_token %}
<input name="next" type="hidden" value="{{ redirect_to }}" />
<input name="language" type="hidden" value="{{ language.code }}" />
</form>
<button class="lang-button" type="submit" form="form_{{ language.code }}" value="Submit">
{% if language.code == "en" %}
<img src="{% static 'assets/webfonts/gb.svg' %}" width="30" alt="gb" class="rounded-lg h-5 w-5 mr-3 hover:opacity-75" />
{% endif %}
{% if language.code == "es" %}
<img src="{% static 'assets/webfonts/es.svg' %}" width="30" alt="gb" class="rounded-lg h-5 w-5 hover:opacity-75" />
{% endif %}
{% if language.code == "pt" %}
<img src="{% static 'assets/webfonts/br.svg' %}" width="30" alt="gb" class="rounded-lg h-5 w-5 mr-3 hover:opacity-75" />
{% endif %}
</button>
{% endfor %}
</div>
I don't know if it's really a security issue because it says at the end of the report description that "URL redirectors do not necessarily represent a direct security vulnerability but can be abused by attackers trying to social engineer victims into believing that they are navigating to a site other than the true destination"
What should I do? :(
Although you haven't provided enough specific to be 100% sure my educated guess would be that you aren't validating/restricting the value of next at all. So when ZAP set next=SomeRandomNumber.owasp.org your app accepted it and the user is subsequently redirected to https://SomeRandomNumber.owasp.org
I have the following menu to change languages in my site:
<div class="btn-group navbar-right language menu">
<button class="btn btn-secondary btn-sm dropdown-toggle language-btn" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
{% get_language_info for LANGUAGE_CODE as lang %}
{{ lang.name_local }} ({{ lang.code }})
</button>
<div class="dropdown-menu" aria-labelledby="dropdownMenu2">
{% get_current_language as LANGUAGE_CODE %}
{% get_available_languages as LANGUAGES %}
{% get_language_info_list for LANGUAGES as languages %}
{% for language in languages %}
<ul class="language-item">
<form action="{% url 'set_language' %}" method="post">
{% csrf_token %}
<input name="next" type="hidden" value="{{ request.get_full_path }}" />
<input name="language" type="hidden" value="{{ language.code }}" />
<input type="submit" value="{{ language.name_local }} ({{ language.code }})" /> <span>{% if language.code == LANGUAGE_CODE %}✓{% endif %}</span>
</form>
</ul>
{% endfor %}
</div>
</div>
Being shown like
This works the same than the form suggested by Django docs but avoiding the "Go" button to switch languages.
It usually switches languages properly, except in certain cases, as I found out after a user reported the problem.
If the user gets to my site via www.mydomain.com, it will be redirected to www.mydomain.com/en/ (or /es/ or /de/) and as far as I know, changing languages works as expected.
However, if the user gets to my site via www.mydomain.com/es/, then when trying to change the language through the menu, www.mydomain.com/es/ is loaded again. The same behavior occurs with www.mydomain.com/de/.
Strange enough, when entering my site via www.mydomain.com/en/, changing languages works properly. Maybe because it is the default language?
I am able to replicate the issue consistently if entering the site through an incognito window. If I do it through a normal window, it is a similar behavior, but not always consistent. For instance, sometimes entering via www.mydomain.com/en/ will not let me change the language either. This makes me think it might have something to do with cookies. But this is as far as I got.
I checked for similar problems during hours and the only similar thing I found is the Django ticket In some cases i18n set_language does not change url language. Its conclusion is:
...I recreated the issue: we set a language (once) then try to reverse
a URL from the old language when setting the language again.
This obviously fails.
Workarounds:
keeping track of the old language and falling back to try that if the lookup with the current language fails.
Signalling across browser tabs that we already changed the language and adjusting accordingly (???).
Both of these are out of scope for the in-built i18n. (The first would
be possible on a project level — reimplementing e.g. set_language — if
it was deemed cost effective.)
I'm going to close this on that basis.
I am not sure if it is the same case, as I don't understand why it "obviously fails". As I see it, the obvious behavior should be to change the language.
I am surprised that such a basic feature does not work, so probably I am missing something.
Why is it not working in the cases described?
Any help would be appreciated.
Edit 1:
Previously I was using translated URLs instead of the form, as suggested here. However, this was taking 1 second to render due to the translation of the slug. This is why I decided to change
I experienced the same problem. It is still an existing issue, where django seemingly does not translate the HTTP referer header.
See Django source code of set_language
A way to workaround this is to send a hidden input field named next that you set to the same url you are at (request.get_full_path), but replace the current language part with the language you intend to switch to.
Here is a snippet of a language switcher solving this issue:
<li {% if current_language|slice:":2" == 'en' %} class="active"{% endif %}>
<form method="POST" action="{% url 'set_language' %}" autocomplete="off">
{% csrf_token %}
<span class="language-code">en</span>
<input type="submit" name="language" value="en">
<input type="hidden" name="next" value="{{ request.get_full_path|replace_language:"en" }}">
</form>
</li>
<li{% if current_language|slice:":2" == 'da' %} class="active"{% endif %}>
<form method="POST" action="{% url 'set_language' %}" autocomplete="off">
{% csrf_token %}
<span class="language-code">dk</span>
<input type="submit" name="language" value="da">
<input type="hidden" name="next" value="{{ request.get_full_path|replace_language:"da" }}">
</form>
</li>
Then you can implement a custom template tag called replace_language that runs through your configured languages and replaces it with the argument.
Hope this helps :-)
For further reference, I just went back to using translated URLs as suggested here, instead of the form.
I found out that what was making it so slow.
It turned out it was something that could be optimized, so now the translated URLs load very fast as well.
Solved the issue by removing the language code from the "next" input (slice the current language code from the url)
Next input:
<input name="next" type="hidden" value="{{ request.get_full_path|slice:"3:" }}">
Whole dropdown:
<form action="{% url 'set_language' %}" method="post">
{% csrf_token %}
<div class="row g-2">
<div class="col col-sm-12 col-lg-3 col-md-4">
<div class="form-floating">
<input name="next" type="hidden" value="{{ request.get_full_path|slice:"3:" }}">
<select class="form-select" name="language" onchange="this.form.submit()" id="language">
{% get_current_language as LANGUAGE_CODE %}
{% get_available_languages as LANGUAGES %}
{% get_language_info_list for LANGUAGES as languages %}
{% for language in languages %}
<option value="{{ language.code }}"{% if language.code == LANGUAGE_CODE %} selected{% endif %}>
{{ language.name_local }} ({{ language.code }})
</option>
{% endfor %}
</select>
<label for="language">Language</label>
</div>
</div>
</div>
</form>
I'm developing website with 2 versions of german (Default and Austrian).
My problem is that template do not differ them, so in select django displays them both as Deutsch(de).
Languages in settings.py:
('en', _('English')),
('de', _('German')),
('de-at', _('Austrian'))
template code:
<form action="{% url 'set_language' %}" method="post">
{% csrf_token %}
<input name="next" type="hidden" value="{{ redirect_to }}" />
<select style="border:1px dotted black" name="language">
{% get_current_language as LANGUAGE_CODE %}
{% get_available_languages as LANGUAGES %}
{% get_language_info_list for LANGUAGES as languages %}
{% for language in languages %}
<option value="{{ language.code }}"{% if language.code == LANGUAGE_CODE %} selected="selected"{% endif %}>
{{ language.name_local }} ({{ language.code }})
</option>
{% endfor %}
</select>
<input class="btn-primary" type="submit" value="{% trans 'Change' %}" />
</form>
Code is from documentation.
Translation in Austrian language doesn't work, because django in select defines Austrian as default Deutsch select it and do not translate.
So, are there any ways to display sublanguage in template, like (Deutsch(de-at)) or just (Austrian instead of Deutsch), or are there any other ways to solve it?
Tried to change all languages in settings:
('en-us', _('English')),
('de-de', _('German')),
('de-at', _('Austrian'))
Then created .po and .mo files to them. But still template defines them as same languages. Also I thought about changing language name in template, but as far as I understand I can't do it.
I've sold my problem, still don't understand what's the reason...
Django front end form, that I copied from documentation doesn't work as it should.
Form, that I used on front side works correct only with base languages and crashes on sublanguages(all). Now I've rewrite this form:
<form action="/i18n/setlang/" method="post">
{% csrf_token %}
<select style="border:1px solid black" name="language">
{% for lang in LANGUAGES %}
<option value="{{ lang.0 }}"
{% ifequal lang.0 request.LANGUAGE_CODE %}
selected="yes"
{% endifequal %}
>{{ lang.1 }}</option>
{% endfor %}
</select>
<input type="submit" value="{% trans 'Change' %}" />
</form>
Per now it works fine...
so, i'm working on this Django website and i'm done with i18n translations and now i'm trying to set the language switcher form as flags but the code isn't working!
the select/option/submit works perfectly BUT the code with input type image doesen't work, it submits, reloads the page, but the language isn't changed!
any ideas?
<div id="lang">
<form action="/i18n/setlang/" method="post">
{% csrf_token %}
<input name="next" type="hidden" value="{{request.path}}" />
{%for lang in LANGUAGES %}
<input type="hidden" name="language" value="{{lang.0}}"/>
<input id="lang_{{lang.0}}" type="image"
src="static/img/flags/{{ lang.0 }}.png" alt="{{ lang.1 }}"/>
{% endfor %}
<select name="language">
{% for lang in LANGUAGES %}
<option value="{{ lang.0 }}">{{ lang.1 }}</option>
{% endfor %}
</select>
<input type="submit" value="Go" />
</form>
</div>
You form is messed up with two things.
Multiple element has same name attribute
<input type="hidden" name="language" value="{{lang.0}}"/>
<select name="language">
Form element with no name attribute.
<input id="lang_{{lang.0}}" type="image"
src="static/img/flags/{{ lang.0 }}.png" alt="{{ lang.1 }}"/>|
How you are trying to get the values in regarding view?
I'm currently adding i18n in my website but there is something wrong.
When I use code from djangoproject
<form action="{% url 'set_language' %}" method="post">
{% csrf_token %}
<input name="next" type="hidden" value="{{ redirect_to }}" />
<select name="language">
{% get_language_info_list for LANGUAGES as languages %}
{% for language in languages %}
<option value="{{ language.code }}">{{ language.name_local }} ({{ language.code }})</option>
{% endfor %}
</select>
<input type="submit" value="Go" />
</form>
I get this error
Invalid block tag: 'get_language_info_list'
I don't understand why get_language_info_list is unknown. Templates_context_processors is ok. HTML form is on my homepage.
Always make sure you load the tag library first before you requests any tags. To use get_language_info_list, you need to make sure {% load i18n %} is in your template.