You know those bugs that take hours to debug? And the fix is … moving a single line.

filming of the HTML music video

filming of the HTML music video (Photo credit: MadLabUK)

That kind of bug is tripped up when you use django’s csrf protection and someone comes to your site using IE9. It can easily happen that not only will form stylings not affect the elements, the form might even ignore any values entered!

But it works perfectly on older versions of IE.

The bug was insanely difficult to pinpoint because I don’t have IE9 anywhere – only linux and mac around here, any windows box is so old IE7 is about the extent of its capabilities … After installing some sort of windows 7 to a virtual machine and getting IE9 working, I set to work.


  1. Form works perfectly in IE7, Chrome, Firefox etc.
  2. Form works perfectly with compatibility mode turned on
  3. Form values aren’t submitted
  4. Form elements don’t respond to form styling

For some reason IE9 thinks the form is empty. Displays all elements, but they don’t behave like they’re part of the form … which is kind of odd. They aren’t even selectable through the javascript console or anything.


After many pointless wanderings and random code changes, I realized the HTMLdoesn’t look like something I’d usually write (legacy-ish code).

<form action="/somewhere" method="POST">
{% csrf_token %} 
<label>blah</label><input type="text" name="blah" /> 
<!-- etc -->

Usually I’d put the {% csrf_token %} at the end. Not sure why, just the way I’ve always done it … surely this can’t make a difference right?

It can!

Putting it at the bottom of the form fixed all bugs. Styling suddenly worked, form was submitted with all data and everything worked everywhere.

Le huh?

filming of the HTML music video

filming of the HTML music video (Photo credit: MadLabUK)

When the form is rendered that  {% csrf_token %} is replaced with an invisible div tag. For some reason this ticks off IE9’s strictness and the rest of the form isn’t considered to be a part of this element anymore.

Something like this:

<form method="POST" class="filter" style="display: none">
    <div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='41aeb46067bf9e800f9ce6c718265121' /></div>
    <input type="hidden" name="selected" value="" />
    <label for="dateFrom">From date:</label>
    <input type="text" class="datepicker" name="dateFrom" readonly="readonly" value=""/>
    <!-- etc. -->

I can’t find official reference either way, but I think div’s inside forms are legal HTML, perhaps not the best looking HTML, but p tags are allowed, even happen in the form tag example on, so I have no idea why IE9 would trip up on this.

Perhaps someone a bit more knowledgeable of strict HTML can shed some light on this issue? For now, let’s all just be aware of this little quirk.

Enhanced by Zemanta

Learned something new? Want to improve your skills?

Join over 10,000 engineers just like you already improving their skills!

Here's how it works 👇

Leave your email and I'll send you an Interactive Modern JavaScript Cheatsheet 📖right away. After that you'll get thoughtfully written emails every week about React, JavaScript, and your career. Lessons learned over my 20 years in the industry working with companies ranging from tiny startups to Fortune5 behemoths.

Get thoughtful letters💌

 “Man, I love your way of writing these newsletters. Often very relatable and funny perspectives about the mundane struggles of a dev. Lightens up my day.  

~ Kostas”

    No spam. Unsubscribe at any time. ✌️

    Powered By ConvertKit

    PS: You should also follow me on twitter 👉 here.
    It's where I go to shoot the shit about programming.